[SCM] GNU gnutls branch, gnutls_3_0_x, updated. gnutls_3_0_0-118-g78cd45
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, gnutls_3_0_x, updated. gnutls_3_0_0-118-g78cd45a |
Date: |
Sat, 13 Aug 2011 18:39:02 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=78cd45aab99593ad2c8cb2678d8409b2798336e5
The branch, gnutls_3_0_x has been updated
via 78cd45aab99593ad2c8cb2678d8409b2798336e5 (commit)
via 29312015b1677b28df92ee1d6acbbb2863cdacc2 (commit)
via 5f9aa5edc8c4f347fc2f80f97f00df6d945610a3 (commit)
via 760bf0877f5057790d719459f9c7eb863ad19683 (commit)
via 491f4668390b8c4fbca21914baf10625ba8bba6f (commit)
from ad495ec6bcf7332e84f0ac40389489764888a489 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 78cd45aab99593ad2c8cb2678d8409b2798336e5
Merge: ad495ec 2931201
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Aug 13 20:38:55 2011 +0200
Merge branch 'master' into gnutls_3_0_x
commit 29312015b1677b28df92ee1d6acbbb2863cdacc2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Aug 13 18:34:47 2011 +0200
use audit_log
commit 5f9aa5edc8c4f347fc2f80f97f00df6d945610a3
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Aug 13 17:57:13 2011 +0200
removed unneeded definitions.
commit 760bf0877f5057790d719459f9c7eb863ad19683
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Aug 13 17:53:21 2011 +0200
unload_file was modified to accept a pointer.
commit 491f4668390b8c4fbca21914baf10625ba8bba6f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sat Aug 13 17:52:39 2011 +0200
corrected child process cleanup and added option to specify diffie hellman
parameters file.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 2 +
src/cli.c | 12 ++--
src/crywrap/Makefile.am | 2 +-
src/crywrap/crywrap.c | 150 +++++++++++++++++++----------------------------
src/crywrap/crywrap.h | 15 -----
5 files changed, 69 insertions(+), 112 deletions(-)
diff --git a/NEWS b/NEWS
index e4a2fbe..b1f4fa6 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ See the end for copying conditions.
* Version 3.0.1 (unreleased)
+** crywrap: Added to the distribution
+
** libgnutls: Do not allow second instances of PKCS #11
modules.
diff --git a/src/cli.c b/src/cli.c
index cccdc44..74912a5 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -126,9 +126,9 @@ load_file (const char *file)
}
static void
-unload_file (gnutls_datum_t data)
+unload_file (gnutls_datum_t* data)
{
- free (data.data);
+ free (data->data);
}
#define MAX_CRT 6
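Review bot: `unload_file` now takes a pointer but still only frees `data->data`, so the caller's datum is left holding a dangling pointer after the call; the whole point of passing `&data` is to be able to reset it. Make the helper clear the datum, `free (data->data); data->data = NULL; data->size = 0;`, which turns a later accidental double `unload_file (&data)` into a harmless `free (NULL)`. The callers in the following hunks appear to reuse the same `data` variable for successive loads, so the reset costs nothing there.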
@@ -244,7 +244,7 @@ load_keys (void)
gnutls_x509_crt_deinit(crt_list[i]);
}
- unload_file (data);
+ unload_file (&data);
ret = gnutls_privkey_init(&x509_key);
if (ret < 0)
@@ -305,7 +305,7 @@ load_keys (void)
exit (1);
}
- unload_file (data);
+ unload_file (&data);
}
fprintf (stdout, "Processed %d client X.509 certificates...\n",
@@ -342,7 +342,7 @@ load_keys (void)
exit (1);
}
- unload_file (data);
+ unload_file (&data);
ret = gnutls_privkey_init(&pgp_key);
if (ret < 0)
@@ -420,7 +420,7 @@ load_keys (void)
exit (1);
}
- unload_file (data);
+ unload_file (&data);
}
diff --git a/src/crywrap/Makefile.am b/src/crywrap/Makefile.am
index e5bd90d..a3fcc39 100644
--- a/src/crywrap/Makefile.am
+++ b/src/crywrap/Makefile.am
@@ -25,5 +25,5 @@ AM_CPPFLAGS = \
bin_PROGRAMS = crywrap
-crywrap_SOURCES = crywrap.c primes.h #compat.h compat.c
+crywrap_SOURCES = crywrap.c primes.h
crywrap_LDADD = ../../lib/libgnutls.la ../../gl/libgnu.la -lidn
diff --git a/src/crywrap/crywrap.c b/src/crywrap/crywrap.c
index 0295779..be2aff3 100644
--- a/src/crywrap/crywrap.c
+++ b/src/crywrap/crywrap.c
@@ -54,6 +54,7 @@
/* Gnulib portability files. */
#include "progname.h"
#include "argp.h"
+#include <read-file.h>
#include "crywrap.h"
#include "primes.h"
@@ -85,17 +86,37 @@ typedef int (*cry_log_func)(const char *format, ...)
static cry_log_func cry_log = system_log;
static cry_log_func cry_error = system_log_error;
+static void
+tls_audit_log_func (gnutls_session_t session, const char *str)
+{
+ char peer_name[NI_MAXHOST] = "Unknown";
+ gnutls_transport_ptr_t r, s;
+ struct sockaddr_storage faddr;
+ socklen_t socklen = sizeof (struct sockaddr_storage);
+
+ if (session != NULL)
+ {
+ gnutls_transport_get_ptr2(session, &r, &s);
+
+ /* Log the connection */
+ if (getpeername ((int)(long)r, (struct sockaddr *)&faddr, &socklen) != 0)
+ cry_error ("getpeername(): %s", strerror (errno));
+
+ cry_log ("Peer %s: %s", peer_name, str);
+ }
+ else
+ cry_log ("%s", str);
+
+}
+
/** @defgroup globals Global variables.
* @{
*/
-/** Status flag to toggle on SIGCHLD.
- */
-static sig_atomic_t sigchld = 0;
+
/** An array of pids.
* This array holds the PIDs of all of our children, indexed by the
* socket the associated client connected to us.
*/
-static pid_t crywrap_children[_CRYWRAP_MAXCONN + 2];
static pid_t main_pid = -1; /**< Pid of the main process */
static const char *pidfile = _CRYWRAP_PIDFILE; /**< File to log our PID
into. */
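Review bot: `peer_name` is never filled in: `tls_audit_log_func` calls getpeername() into `faddr` but never converts the address, so every audit line reads `Peer Unknown: ...` and `faddr` is effectively dead. Resolve it with getnameinfo() in numeric mode so the audit record actually identifies the peer, and keep the `Unknown` fallback when either call fails (getnameinfo leaves the buffer unspecified on error). The `(int)(long)r` round-trip relies on the transport pointer having been set from an int fd, as `_crywrap_do_one` does further down; `(int)(intptr_t)r` states that intent more precisely.
```c
      /* Log the connection */
      if (getpeername ((int)(long)r, (struct sockaddr *)&faddr, &socklen) != 0)
        cry_error ("getpeername(): %s", strerror (errno));
      else if (getnameinfo ((struct sockaddr *)&faddr, socklen,
                            peer_name, sizeof peer_name, NULL, 0,
                            NI_NUMERICHOST) != 0)
        snprintf (peer_name, sizeof peer_name, "Unknown");
      /* … unchanged: cry_log ("Peer %s: %s", peer_name, str); … */
```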
@@ -104,6 +125,7 @@ static const char *pidfile = _CRYWRAP_PIDFILE; /**< File to
log our PID
*/
static gnutls_certificate_server_credentials cred;
static gnutls_dh_params dh_params; /**< GNUTLS DH parameters. */
+static gnutls_datum dh_file = { _crywrap_prime_dh_1024,
sizeof(_crywrap_prime_dh_1024) }; /**< Diffie Hellman parameters */
/** Bugreport address.
* Used by the argp suite.
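Review bot: `dh_file` is declared with the legacy `gnutls_datum` typedef while this same commit migrates `gnutls_session` to `gnutls_session_t`; declare it as `gnutls_datum_t dh_file = { ... };` for consistency, which also matches the `gnutls_datum_t` that `load_file` returns into it in the `'h'` case. The trailing comment should also say where the memory comes from, since the default points at a static array but `--dhparams` replaces it with a heap buffer: `/**< DH parameters; the built-in prime unless --dhparams replaced it with a heap copy */`.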
@@ -130,15 +152,16 @@ static const struct argp_option _crywrap_options[] = {
{"key", 'k', "FILE", 0, "Server key", 2},
{"cert", 'c', "FILE", 0, "Server certificate", 2},
{"ca", 'z', "FILE", 0, "CA certificate", 2},
- {"anon", 'a', NULL, 0, "Enable anonymous authentication (don't use a
certificate)", 2},
+ {"anon", 'a', NULL, 0, "Enable anonymous authentication (no certificates)",
2},
{"verify", 'v', "LEVEL", OPTION_ARG_OPTIONAL,
"Verify clients certificate (1: verify if exists, 2: require)", 2},
{NULL, 0, NULL, 0, "Other options:", 3},
+ {"dhparams", 'h', "FILE", 0, "Diffie Hellman (PKCS #3) parameters file", 3},
{"user", 'u', "UID", 0, "User ID to run as", 3},
{"pidfile", 'P', "PATH", 0, "File to log the PID into", 3},
{"priority", 'p', "STRING", 0, "GnuTLS ciphersuite priority string", 3},
{"inetd", 'i', NULL, 0, "Enable inetd mode", 3},
- {"debug", 'D', NULL, 0, "Do not fork", 3},
+ {"debug", 'D', NULL, 0, "Run the server into foreground", 3},
{0, 0, 0, 0, NULL, 0}
};
@@ -155,9 +178,6 @@ static const struct argp _crywrap_argp =
/** @} */
-/* Forward declaration */
-static int _crywrap_dh_params_generate (void);
-
/** @defgroup signal Signal handlers & co.
* @{
*/
@@ -167,21 +187,27 @@ static int _crywrap_dh_params_generate (void);
static void
_crywrap_sigchld_handler (int sig)
{
- sigchld = 1;
+pid_t child;
+unsigned int status;
+
+ while ((child = waitpid (-1, &status, WNOHANG)) > (pid_t) 0)
signal (sig, _crywrap_sigchld_handler);
}
-/** SIGHUP handler.
- * Regenerates DH and RSA paramaters. Takes a bit long...
+/* Helper functions to load a certificate and key
+ * files into memory.
*/
-static void
-_crywrap_sighup_handler (int sig)
+static gnutls_datum_t
+load_file (const char *file)
{
- _crywrap_dh_params_generate ();
+ gnutls_datum_t loaded_file = { NULL, 0 };
+ size_t length;
- gnutls_certificate_set_dh_params (cred, dh_params);
+ loaded_file.data = read_binary_file (file, &length);
+ if (loaded_file.data)
+ loaded_file.size = (unsigned int) length;
- signal (sig, _crywrap_sighup_handler);
+ return loaded_file;
}
/** Generic signal handler.
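Review bot: The `while` loop in `_crywrap_sigchld_handler` has no body of its own — its body is the `signal (sig, ...)` re-arm on the next line, so the handler is re-installed only when at least one child was reaped and not when waitpid() returns 0 straight away (for instance after coalesced SIGCHLDs whose children a previous run already collected). On implementations where signal() resets the disposition after delivery, that leaves later children unreaped. `status` is also declared `unsigned int` although waitpid() takes `int *`, and `child` is assigned but never read. Terminate the loop explicitly and re-arm afterwards:
```c
static void
_crywrap_sigchld_handler (int sig)
{
  int status;

  /* Reap every exited child; re-arming must not depend on the loop body. */
  while (waitpid (-1, &status, WNOHANG) > (pid_t) 0)
    continue;
  signal (sig, _crywrap_sigchld_handler);
}
```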
@@ -366,6 +392,14 @@ _crywrap_config_parse_opt (int key, char *arg, struct
argp_state *state)
else
cfg->pidfile = NULL;
break;
+ case 'h':
+ if (arg && *arg)
+ {
+ dh_file = load_file(arg);
+ if (dh_file.data == NULL)
+ argp_error (state, "error loading Diffie Hellman parameters file:
%s.", arg);
+ }
+ break;
case 'p':
if (arg && *arg)
{
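Review bot: A repeated `--dhparams` leaks the buffer from the earlier `load_file` call, because `dh_file = load_file(arg);` simply overwrites the datum. The default initializer points at the static `_crywrap_prime_dh_1024`, so the previous value may only be freed when it is not that array, e.g. `if (dh_file.data != (unsigned char *) _crywrap_prime_dh_1024) free (dh_file.data);` before the assignment. Note that only readability of the file is checked here; whether it really is PKCS #3 content is decided later in `_crywrap_tls_init`.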
@@ -389,7 +423,6 @@ _crywrap_config_parse_opt (int key, char *arg, struct
argp_state *state)
cfg->inetd = 1;
break;
case 'a':
- if (arg && *arg)
{
const char* pos;
ret = gnutls_priority_init(&cfg->priority,
"NORMAL:+ANON-ECDH:+ANON-DH", &pos);
@@ -482,7 +515,7 @@ _crywrap_config_parse (int argc, char **argv)
*
* @returns The newly created TLS session.
*/
-static gnutls_session
+static gnutls_session_t
_crywrap_tls_session_create (const crywrap_config_t *config)
{
gnutls_session_t session;
@@ -511,39 +544,15 @@ _crywrap_tls_session_create (const crywrap_config_t
*config)
return session;
}
-/** (Re)Initialise Diffie Hellman parameters.
- * @returns Zero.
- */
-static int
-_crywrap_dh_params_generate (void)
-{
- if (gnutls_dh_params_init (&dh_params) < 0)
- {
- cry_error ("%s", "Error in dh parameter initialisation.");
- exit (3);
- }
-
- if (gnutls_dh_params_generate2 (dh_params,
gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)) < 0)
- {
- cry_error ("%s", "Error in prime generation.");
- exit (3);
- }
-
- gnutls_certificate_set_dh_params (cred, dh_params);
-
- return 0;
-}
-
/** Generate initial DH and RSA params.
* Loads the pre-generated DH primes.
*/
static void
_crywrap_tls_init (void)
{
- gnutls_datum dh = { _crywrap_prime_dh_1024, sizeof(_crywrap_prime_dh_1024) };
gnutls_dh_params_init (&dh_params);
- gnutls_dh_params_import_pkcs3 (dh_params, &dh, GNUTLS_X509_FMT_PEM);
+ gnutls_dh_params_import_pkcs3 (dh_params, &dh_file, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_dh_params (cred, dh_params);
}
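Review bot: `gnutls_dh_params_import_pkcs3` is still called without checking its result, and with this commit its input can be a user-supplied `--dhparams` file rather than only the built-in prime; a malformed or non-PEM file leaves `dh_params` empty and the daemon starts anyway, failing only at handshake time for DH suites. Check both the init and the import and abort at startup, as the removed `_crywrap_dh_params_generate` did, and refresh the header comment, which still speaks of generating RSA params. Judging from its name the built-in fallback is presumably a 1024-bit group, so it is worth stating in the `--dhparams` help text that operators should supply stronger parameters.
```c
static void
_crywrap_tls_init (void)
{
  int ret;

  ret = gnutls_dh_params_init (&dh_params);
  if (ret < 0)
    {
      cry_error ("Error in dh parameter initialisation: %s", gnutls_strerror (ret));
      exit (3);
    }
  ret = gnutls_dh_params_import_pkcs3 (dh_params, &dh_file, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    {
      cry_error ("Error importing Diffie Hellman parameters: %s", gnutls_strerror (ret));
      exit (3);
    }
  gnutls_certificate_set_dh_params (cred, dh_params);
}
```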
@@ -796,32 +805,6 @@ _crywrap_setup_pidfile (const crywrap_config_t *config)
pidfile = config->pidfile;
}
-/** Child cleanup routine.
- * Called after a SIGCHLD is received. Walks through #crywrap_children
- * and closes the socket of the one that exited.
- */
-static void
-_crywrap_reap_children (void)
-{
- pid_t child;
- int status, i;
-
- while ((child = waitpid (-1, &status, WNOHANG)) > (pid_t) 0)
- {
- for (i = 0; i < _CRYWRAP_MAXCONN; i++)
- {
- if (!crywrap_children[i])
- continue;
- if (child == crywrap_children[i])
- {
- shutdown (i, SHUT_RDWR);
- close (i);
- crywrap_children[i] = 0;
- }
- }
- }
- sigchld = 0;
-}
/** Handles one client.
* This one connects to the remote server, and proxies every traffic
@@ -837,7 +820,7 @@ static int
_crywrap_do_one (const crywrap_config_t *config, int insock, int outsock)
{
int sock, ret, tls_pending;
- gnutls_session session;
+ gnutls_session_t session;
char buffer[_CRYWRAP_MAXBUF + 2];
fd_set fdset;
unsigned int status = 0;
@@ -863,7 +846,7 @@ _crywrap_do_one (const crywrap_config_t *config, int
insock, int outsock)
gnutls_transport_set_ptr2 (session,
(gnutls_transport_ptr_t)insock,
(gnutls_transport_ptr_t)outsock);
-
+
do
{
ret = gnutls_handshake(session);
@@ -965,7 +948,7 @@ _crywrap_do_one (const crywrap_config_t *config, int
insock, int outsock)
} while (r > 0 && ret > o);
if (r < 0)
- cry_log ("Received corrupted data: %s", gnutls_strerror (r));
+ cry_log ("Received corrupt data: %s", gnutls_strerror (r));
}
}
}
@@ -991,6 +974,8 @@ main (int argc, char **argv, char **envp)
openlog (__CRYWRAP__, LOG_PID, LOG_DAEMON);
+ gnutls_global_set_audit_log_function (tls_audit_log_func);
+
if (gnutls_global_init () < 0)
{
cry_error ("%s", "Global TLS state initialisation failed.");
@@ -1015,14 +1000,12 @@ main (int argc, char **argv, char **envp)
exit (_crywrap_do_one (config, 0, 1));
}
-#if CRYWRAP_OPTION_FORK
if (!config->debug)
if (daemon (0, 0))
{
cry_error ("daemon: %s", strerror (errno));
exit (1);
}
-#endif
cry_log ("%s", "Crywrap starting...");
@@ -1037,28 +1020,21 @@ main (int argc, char **argv, char **envp)
signal (SIGQUIT, _crywrap_sighandler);
signal (SIGSEGV, _crywrap_sighandler);
signal (SIGPIPE, SIG_IGN);
- signal (SIGHUP, _crywrap_sighup_handler);
+ signal (SIGHUP, SIG_IGN);
+ signal (SIGCHLD, _crywrap_sigchld_handler);
cry_log ("%s", "Accepting connections");
- memset (crywrap_children, 0, sizeof (crywrap_children));
- signal (SIGCHLD, _crywrap_sigchld_handler);
for (;;)
{
int csock;
-#if !BHC_OPTION_DEBUG
int child;
-#endif
-
- if (sigchld)
- _crywrap_reap_children ();
csock = accept (server_socket, NULL, NULL);
if (csock < 0)
continue;
-#if !BHC_OPTION_DEBUG
child = fork ();
switch (child)
{
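Review bot: `signal (SIGCHLD, _crywrap_sigchld_handler)` relies on signal() semantics that differ between platforms (one-shot versus persistent disposition, whether accept() restarts), which is why the handler has to re-arm itself; the accept loop tolerates EINTR through `continue`, but `sigaction` with `SA_RESTART | SA_NOCLDSTOP` makes the disposition persistent, keeps stopped children from waking the handler, and lets the re-arm inside `_crywrap_sigchld_handler` be dropped. The unchanged `int child;` line stores a pid and would read better as `pid_t child;`. `main` starts and ends outside this hunk.
```c
  {
    struct sigaction sa;
    memset (&sa, 0, sizeof sa);
    sa.sa_handler = _crywrap_sigchld_handler;
    sigemptyset (&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    sigaction (SIGCHLD, &sa, NULL);
  }
  /* … unchanged: cry_log ("%s", "Accepting connections"); accept loop … */
```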
@@ -1069,13 +1045,7 @@ main (int argc, char **argv, char **envp)
cry_error ("%s", "Forking error.");
exit (1);
break;
- default:
- crywrap_children[csock] = child;
- break;
}
-#else
- _crywrap_do_one (config, csock, csock);
-#endif
close(csock);
}
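Review bot: With the `default:` arm removed, `switch (child)` no longer spells out the parent path, which now silently falls out of the switch to `close(csock);`. Keep an explicit `default: break; /* parent: the child owns its copy of csock */` so the parent behaviour is visible and the switch stays exhaustive by convention; the `close(csock)` in the parent is correct since the child holds its own descriptor.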
diff --git a/src/crywrap/crywrap.h b/src/crywrap/crywrap.h
index 62b4d7f..e246e27 100644
--- a/src/crywrap/crywrap.h
+++ b/src/crywrap/crywrap.h
@@ -85,22 +85,7 @@ typedef struct
int debug;
} crywrap_config_t;
-/** @defgroup options Options.
- * These are the compile-time options.
- * @{
- */
-/** If this option is set, CryWrap will fork into the background.
- */
-#ifndef CRYWRAP_OPTION_FORK
-#define CRYWRAP_OPTION_FORK 1
-#endif
-
-#if CRYWRAP_OPTION_NOFORK
-#undef CRYWRAP_OPTION_FORK
-#endif
-
/** @} *//* End of the Options group */
#endif /* !_CRYWRAP_H */
-/* arch-tag: ebfe1550-0fec-4c0d-8833-23e48292e75d */
hooks/post-receive
--
GNU gnutls