
[myserver-commit] [SCM] GNU MyServer branch, master, updated. v0.9.2-443


From: Giuseppe Scrivano
Subject: [myserver-commit] [SCM] GNU MyServer branch, master, updated. v0.9.2-443-g063ead3
Date: Fri, 15 Apr 2011 23:37:42 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU MyServer".

The branch, master has been updated
       via  063ead33c30f1eb2d4babc3dfbe2627946f8100a (commit)
      from  dc30ec7b59ce804f22a4341348c734ec3ca3fca4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------


commit 063ead33c30f1eb2d4babc3dfbe2627946f8100a
Author: Giuseppe Scrivano <address@hidden>
Date:   Sat Apr 16 01:37:37 2011 +0200

    gnutls: do not use the OpenSSL-compatibility wrapper APIs (experimental).

diff --git a/myserver/configure.ac b/myserver/configure.ac
index 1ff3e18..3b63618 100644
--- a/myserver/configure.ac
+++ b/myserver/configure.ac
@@ -209,11 +209,6 @@ fi
 AC_CHECK_LIB(gpg-error, gpg_err_init)
 AC_CHECK_LIB(gcrypt, gcry_control)
 AC_CHECK_LIB(gnutls, main)
-AC_CHECK_LIB(gnutls-openssl, main)
-
-if test x$ac_cv_lib_gnutls_openssl_main != xyes; then
-   AC_MSG_ERROR([Cannot find ssl libraries, gnutls is required])
-fi
 
 dnl Looking for zlib
 AC_CHECK_LIB(z, uncompress, have_libz=yes)
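Review bot: Dropping the gnutls-openssl check also drops the only hard failure for a missing TLS library, so a build host without GnuTLS now passes configure and fails at link time. `AC_CHECK_LIB(gnutls, main)` on the line above only sets a cache variable and is never tested. Move the fatal error onto the remaining check with a real symbol, e.g. `AC_CHECK_LIB(gnutls, gnutls_global_init, , AC_MSG_ERROR([Cannot find gnutls, it is required]))`.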
diff --git a/myserver/include/base/socket/ssl_socket.h 
b/myserver/include/base/socket/ssl_socket.h
index 3907c39..138e381 100644
--- a/myserver/include/base/socket/ssl_socket.h
+++ b/myserver/include/base/socket/ssl_socket.h
@@ -38,11 +38,10 @@ class SslSocket : public Socket
 {
 public:
 
-  int setSSLContext (SSL_CTX*);
+  int setSSLContext (gnutls_certificate_credentials_t, gnutls_priority_t);
   int sslAccept ();
 
   int freeSSL ();
-  SSL* getSSLConnection ();
 
   virtual int close ();
   virtual int shutdown (int how);
@@ -65,14 +64,10 @@ public:
   virtual ~SslSocket ();
 
 protected:
-  bool externalContext;
-  Socket* sock;
-  SSL *sslConnection;
-  SSL_CTX *sslContext;
-  const X509 *clientCert;
-
-  /*! This is used only by clients sockets.  */
-  SSL_METHOD* sslMethod;
+  gnutls_certificate_credentials_t cred;
+  gnutls_session_t session;
+  gnutls_priority_t priority;
+  Socket *sock;
 };
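Review bot: The new `cred` member has two different owners depending on the path and the header does not say which, which is what the removed `externalContext` flag used to record. On the server path it is borrowed from the vhost's SslContext through setSSLContext, while on the client path connect() allocates it itself. I would add above the member `/*! Certificate credentials: borrowed from SslContext via setSSLContext on the server side, allocated by connect () on the client side.  */` so that whoever fixes freeSSL knows which case may free it.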
 
 
diff --git a/myserver/include/base/ssl/ssl.h b/myserver/include/base/ssl/ssl.h
index d70d0a7..86232ac 100644
--- a/myserver/include/base/ssl/ssl.h
+++ b/myserver/include/base/ssl/ssl.h
@@ -35,20 +35,21 @@ public:
   int initialize ();
   int free ();
 
-  SSL_CTX* getContext (){return context;}
-  SSL_METHOD* getMethod (){return method;}
+  gnutls_certificate_credentials_t getCredentials (){return cred;}
+  gnutls_priority_t getPriorityCache (){return priority_cache;}
 
-  string& getCertificateFile (){return certificateFile;}
-  string& getPrivateKeyFile (){return privateKeyFile;}
-  string& getPassword (){return password;}
+  string &getCertificateFile (){return certificateFile;}
+  string &getPrivateKeyFile (){return privateKeyFile;}
+  string &getPassword (){return password;}
 
-  void setCertificateFile (string& c){certificateFile.assign (c);}
-  void setPrivateKeyFile (string& pk){privateKeyFile.assign (pk);}
+  void setCertificateFile (string &c){certificateFile.assign (c);}
+  void setPrivateKeyFile (string &pk){privateKeyFile.assign (pk);}
   void setPassword (string& p){password.assign (p);}
 
 private:
-  SSL_CTX* context;
-  SSL_METHOD* method;
+  gnutls_priority_t priority_cache;
+  gnutls_dh_params_t dh_params;
+  gnutls_certificate_credentials_t cred;
 
   string certificateFile;
   string privateKeyFile;
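Review bot: `setPassword (string& p)` on the unchanged line between the two edited setters keeps the old `string&` spacing while its neighbours were reformatted to `string &`, so the block is now inconsistent with itself; either leave all three alone or change it to `void setPassword (string &p){password.assign (p);}`. Note also that with the OpenSSL context gone nothing in this diff consumes `password` any more, so the accessor pair should say that an encrypted private key is presumably not supported by the GnuTLS path until that is wired up; I cannot see the rest of the class to confirm.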
diff --git a/myserver/include/conf/vhost/vhost.h 
b/myserver/include/conf/vhost/vhost.h
index 5556ff1..a4748f9 100644
--- a/myserver/include/conf/vhost/vhost.h
+++ b/myserver/include/conf/vhost/vhost.h
@@ -102,7 +102,8 @@ public:
   /*! Generate the RSA key for the SSL context. */
   void generateRsaKey ();
 
-  SSL_CTX* getSSLContext ();
+  gnutls_certificate_credentials_t getSSLContext (){return 
sslContext.getCredentials ();}
+  gnutls_priority_t getSSLPriorityCache (){return sslContext.getPriorityCache 
();}
 
   /*! Get the list of hosts allowed.*/
   list<StringRegex*>* getHostList ()
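Review bot: `getSSLContext ()` now returns a `gnutls_certificate_credentials_t`, which is not a context, and the sibling accessor is called `getSSLPriorityCache`, so the pair reads as two unrelated things. A name such as `getSSLCredentials ()` would match what it returns and the SslContext accessor it forwards to; if the old name must stay for callers, keep it as a one-line alias and document it as such. The class continues outside the hunk.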
diff --git a/myserver/src/base/socket/ssl_socket.cpp 
b/myserver/src/base/socket/ssl_socket.cpp
index f7e4e8f..ffaf6b0 100644
--- a/myserver/src/base/socket/ssl_socket.cpp
+++ b/myserver/src/base/socket/ssl_socket.cpp
@@ -37,7 +37,6 @@
 # include <arpa/inet.h>
 #endif
 
-
 #include <sstream>
 
 using namespace std;
@@ -47,24 +46,16 @@ using namespace std;
  */
 SslSocket::SslSocket (Socket* sock) : Socket (sock)
 {
+  session = NULL;
   this->sock = sock;
   this->fd = sock->getHandle ();
-  sslConnection = 0;
-  sslContext = 0;
-  clientCert = 0;
-  sslMethod = 0;
-  externalContext = false;
 }
 
 SslSocket::SslSocket ()
 {
+  session = NULL;
   this->sock = NULL;
   this->fd = -1;
-  sslConnection = 0;
-  sslContext = 0;
-  clientCert = 0;
-  sslMethod = 0;
-  externalContext = false;
 }
 
 SslSocket::~SslSocket ()
@@ -86,9 +77,7 @@ int SslSocket::close ()
  */
 int SslSocket::shutdown (int how)
 {
-  if (sslConnection)
-    SSL_shutdown (sslConnection);
-
+  gnutls_bye (session, GNUTLS_SHUT_WR);
   return checked::shutdown (fd, how);
 }
 
@@ -103,16 +92,15 @@ int SslSocket::rawSend (const char* buffer, int len, int 
flags)
   int err;
   do
     {
-      err = SSL_write (sslConnection, buffer + sent, len - sent);
+      err = gnutls_record_send (session, buffer, len);
       if (err > 0)
         sent += err;
     }
-  while ((err <= 0
-          && SSL_get_error (sslConnection, err) == SSL_ERROR_WANT_WRITE)
+  while (err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN
          || (err > 0 && sent < len));
 
   if (err < 0)
-    return -1;
+    return err;
   else
     return sent;
 }
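Review bot: The new send call passes `buffer` and `len` instead of `buffer + sent` and `len - sent`, so after a partial write the loop re-sends the whole buffer from the start, the peer receives duplicated bytes and `sent` can grow past `len`. The removed SSL_write line had the offset right; it should be `err = gnutls_record_send (session, buffer + sent, len - sent);`. That also keeps the GNUTLS_E_AGAIN/GNUTLS_E_INTERRUPTED retry correct, since `sent` is unchanged on those returns and gnutls expects the retry with the same data. The `flags` parameter remains unused, as before.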
@@ -122,6 +110,8 @@ int SslSocket::rawSend (const char* buffer, int len, int 
flags)
  */
 int SslSocket::connect (MYSERVER_SOCKADDR* sa, int na)
 {
+  int ret;
+
   if ( sa == NULL || (sa->ss_family != AF_INET && sa->ss_family != AF_INET6) )
     return 1;
   if ( (sa->ss_family == AF_INET && na != sizeof (sockaddr_in))
@@ -131,52 +121,42 @@ int SslSocket::connect (MYSERVER_SOCKADDR* sa, int na)
        )
     return 1;
 
-  sslMethod = SSLv23_client_method ();
-  /*! Create the local context. */
-  sslContext = SSL_CTX_new (sslMethod);
-  if (sslContext == 0)
-    return -1;
+  gnutls_init (&session, GNUTLS_CLIENT);
+
+  gnutls_priority_set_direct (session, "PERFORMANCE:+ANON-DH:!ARCFOUR-128",
+                              NULL);
+
+  gnutls_certificate_allocate_credentials (&cred);
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);
 
   /*! Do the TCP connection.  */
-  if (checked::connect (fd, (sockaddr *) sa, na))
-    {
-      SSL_CTX_free (sslContext);
-      sslContext = 0;
-      return -1;
-    }
-  sslConnection = SSL_new (sslContext);
-  if (sslConnection == 0)
-    {
-      SSL_CTX_free (sslContext);
-      sslContext = 0;
-      return -1;
-    }
+  checked::connect (fd, (sockaddr *) sa, na);
 
-#ifdef WIN32
-  SSL_set_fd (sslConnection, FD_TO_SOCKET (fd));
-#else
-  SSL_set_fd (sslConnection, fd);
+#ifndef FD_TO_SOCKET
+# define FD_TO_SOCKET(x) (x)
 #endif
 
-  if (SSL_connect (sslConnection) < 0)
+  gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) FD_TO_SOCKET 
(fd));
+
+#undef FD_TO_SOCKET
+
+  do
     {
-      SSL_CTX_free (sslContext);
-      sslContext = 0;
-      return -1;
+      ret = gnutls_handshake (session);
     }
+  while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
 
-  externalContext = false;
-  return 0;
+  return ret;
 }
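Review bot: The result of `checked::connect` is now discarded, so a refused or unreachable TCP connection is not reported and gnutls_handshake is driven on an unconnected descriptor until it fails with an opaque transport error. Separately, the client priority string adds `+ANON-DH` and nothing after the handshake calls gnutls_certificate_verify_peers2 or loads a trust file, so any party in the path can complete the handshake; the old SSL_connect path did not verify either, but it did not offer anonymous key exchange. The `cred` allocated here is also never released by freeSSL. Below is the shape I would use; the address-family checks above and the FD_TO_SOCKET dance are unchanged.
```cpp
  if (checked::connect (fd, (sockaddr *) sa, na))
    return -1;

  if (gnutls_init (&session, GNUTLS_CLIENT) < 0)
    return -1;

  /* Do not offer anonymous key exchange: it cannot be authenticated.  */
  gnutls_priority_set_direct (session, "NORMAL", NULL);
  gnutls_certificate_allocate_credentials (&cred);
  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);
  /* … unchanged: gnutls_transport_set_ptr and the handshake retry loop … */
  if (ret < 0)
    {
      freeSSL ();
      return ret;
    }
  /* NOTE(review): the peer is still unauthenticated here; no trust store is
     loaded and gnutls_certificate_verify_peers2 is not called.  */
  return 0;
```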
 
 /*!
   Set the SSL context.
  */
-int SslSocket::setSSLContext (SSL_CTX* context)
+int SslSocket::setSSLContext (gnutls_certificate_credentials_t cred,
+                              gnutls_priority_t priority)
 {
-  sslContext = context;
-  externalContext = true;
-  return 1;
+  this->cred = cred;
+  this->priority = priority;
 }
 
 /*!
@@ -184,28 +164,10 @@ int SslSocket::setSSLContext (SSL_CTX* context)
  */
 int SslSocket::freeSSL ()
 {
-  /*! free up the SSL context. */
-  if (sslConnection)
-    {
-      SSL_free (sslConnection);
-      sslConnection = 0;
-    }
-
-  if (sslContext && !externalContext)
-    {
-      SSL_CTX_free (sslContext);
-      sslContext = 0;
-    }
-  return 1;
-}
-
-
-/*!
-  Returns the SSL connection.
- */
-SSL* SslSocket::getSSLConnection ()
-{
-  return sslConnection;
+  if (session != NULL)
+    gnutls_deinit (session);
+  session = NULL;
+  return 0;
 }
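Review bot: freeSSL only deinits the session, so the credentials that connect() allocates on the client path leak on every outgoing TLS connection; on the server path `cred` belongs to SslContext and must not be freed here. The old code distinguished the two with `externalContext`, which this commit removes without a replacement. Keep an ownership flag set by connect()/setSSLContext and, when it is set, add `gnutls_certificate_free_credentials (cred); cred = NULL;` before the `return`. The return value also changed from 1 to 0; I cannot see whether any caller tests it.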
 
 /*!
@@ -214,48 +176,28 @@ SSL* SslSocket::getSSLConnection ()
  */
 int SslSocket::sslAccept ()
 {
-  int sslAccept;
-  if (sslContext == 0)
-    return -1;
-
-  if (sslConnection)
-    freeSSL ();
+  int ret;
+  gnutls_init (&session, GNUTLS_SERVER);
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);
+  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
+  gnutls_session_enable_compatibility_mode (session);
+  gnutls_priority_set (session, priority);
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);
+
+#ifndef FD_TO_SOCKET
+# define FD_TO_SOCKET(x) (x)
+#endif
 
-  sslConnection = SSL_new (sslContext);
-  if (sslConnection == 0)
-    {
-      freeSSL ();
-      return -1;
-    }
+  gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) FD_TO_SOCKET 
(fd));
 
-#ifdef WIN32
-  if (SSL_set_fd (sslConnection, FD_TO_SOCKET (fd)) == 0)
-#else
-  if (SSL_set_fd (sslConnection, fd) == 0)
-#endif
-    {
-      shutdown (2);
-      freeSSL ();
-      return -1;
-    }
+#undef FD_TO_SOCKET
 
   do
     {
-      sslAccept = SSL_accept (sslConnection);
-    }
-  while (sslAccept != 1
-         && SSL_get_error (sslConnection, sslAccept) == SSL_ERROR_WANT_READ);
-
-  if (sslAccept != 1)
-    {
-      shutdown (2);
-      freeSSL ();
-      return -1;
+      ret = gnutls_handshake (session);
     }
-
-  clientCert = SSL_get_peer_certificate (sslConnection);
-
-  return 0;
+  while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+  return ret;
 }
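Review bot: `gnutls_credentials_set` is called twice with identical arguments (the line after gnutls_init and the line after gnutls_priority_set); one should go. The result of `gnutls_init` is unchecked, an existing `session` is overwritten rather than released first (the removed code called freeSSL when a connection already existed), and on a failed handshake the session is left allocated where the old code did `shutdown (2); freeSSL ();`. I would start with `if (session) freeSSL ();` and end with `if (ret < 0) freeSSL (); return ret;`. Also note that `GNUTLS_CERT_REQUEST` asks the client for a certificate but nothing in the diff verifies it, which matches the old behaviour of merely fetching it but should be stated in a comment.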
 
 
@@ -267,30 +209,18 @@ int SslSocket::recv (char* buffer, int len, int flags)
 {
   int err = 0;
 
-  if (sslConnection)
+  for (;;)
     {
-      for (;;)
+      do
         {
-          int sslError;
-          err = SSL_read (sslConnection, buffer, len);
-
-          if (err > 0)
-            break;
-
-          sslError = SSL_get_error (sslConnection, err);
-
-          if ((sslError != SSL_ERROR_WANT_READ)
-              && (sslError != SSL_ERROR_WANT_WRITE))
-            break;
+          err = gnutls_record_recv (session, buffer, len);
         }
-
-      if (err <= 0)
-        return -1;
-      else
-        return err;
+      while (err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN);
+      if (err > 0)
+        break;
     }
 
-  return 0;
+  return err;
 }
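Review bot: The outer `for (;;)` never terminates when `gnutls_record_recv` returns 0 (orderly close) or a fatal negative code: the inner loop only retries on GNUTLS_E_AGAIN/GNUTLS_E_INTERRUPTED, the `err > 0` test then fails, and the outer loop calls recv again forever, so every client disconnect becomes a busy loop in the worker. The removed code returned -1 for any non-retryable result. Drop the outer loop and `return err;` after the do/while, so callers get 0 on EOF and the negative gnutls code on error; callers that compared against -1 will need to test `<= 0` instead, which I cannot verify from here. Whether GNUTLS_E_REHANDSHAKE should be treated as non-fatal is a separate policy question the function should comment on.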
 
 /*!
@@ -298,10 +228,9 @@ int SslSocket::recv (char* buffer, int len, int flags)
  */
 u_long SslSocket::bytesToRead ()
 {
-  u_long nBytesToRead = 0;
-
-  nBytesToRead = SSL_pending (sslConnection);
+  size_t nBytesToRead = 0;
 
+  nBytesToRead = gnutls_record_check_pending(session);
   if (nBytesToRead)
     return nBytesToRead;
 
diff --git a/myserver/src/base/ssl/ssl.cpp b/myserver/src/base/ssl/ssl.cpp
index c2dfb3b..eb5a8b9 100644
--- a/myserver/src/base/ssl/ssl.cpp
+++ b/myserver/src/base/ssl/ssl.cpp
@@ -48,9 +48,8 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL;
 
 SslContext::SslContext ()
 {
-  context = 0;
-  method = 0;
-
+  cred = NULL;
+  priority_cache = NULL;
   certificateFile.assign ("");
   privateKeyFile.assign ("");
 }
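Review bot: The constructor resets `cred` and `priority_cache` but not the new `dh_params` member, so it is indeterminate until initialize() runs and free() cannot safely test it. Add `dh_params = NULL;` here and release it in free() with `if (dh_params) gnutls_dh_params_deinit (dh_params); dh_params = NULL;`, which the new free() currently omits.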
@@ -60,50 +59,45 @@ SslContext::SslContext ()
  */
 int SslContext::initialize ()
 {
-  context = 0;
-  method = 0;
-  method = SSLv23_server_method ();
-  context = SSL_CTX_new (method);
-
-  if (!context)
-    return -1;
   /*
     The specified file doesn't exist.
    */
-  if (FilesUtility::nodeExists (certificateFile.c_str ()) == 0)
+  if (FilesUtility::nodeExists (certificateFile.c_str ()) == 0
+      || FilesUtility::nodeExists (privateKeyFile) == 0)
     return -1;
 
-  if (SSL_CTX_use_certificate_file (context, certificateFile.c_str (),
-                                    SSL_FILETYPE_PEM) != 1)
-    return -1;
+  gnutls_priority_init (&priority_cache, "NORMAL", NULL);
 
-  /*
-    The specified file doesn't exist.
-   */
-  if (FilesUtility::nodeExists (privateKeyFile) == 0)
-    return -1;
+  gnutls_certificate_allocate_credentials (&cred);
 
-  if (SSL_CTX_use_PrivateKey_file (context, privateKeyFile.c_str (),
-                                  SSL_FILETYPE_PEM) != 1)
-    return -1;
+  gnutls_certificate_set_x509_trust_file (cred, certificateFile.c_str (),
+                                          SSL_FILETYPE_PEM);
+
+  /*TODO*/
+  gnutls_certificate_set_x509_crl_file (cred, "", GNUTLS_X509_FMT_PEM);
+
+  gnutls_certificate_set_x509_key_file (cred, certificateFile.c_str (),
+                                        privateKeyFile.c_str (),
+                                        GNUTLS_X509_FMT_PEM);
+
+
+  gnutls_dh_params_init (&dh_params);
+  gnutls_dh_params_generate2 (dh_params, 1024);
+  gnutls_certificate_set_dh_params (cred, dh_params);
 
   return 1;
 }
 
 int SslContext::free ()
 {
-  int ret = 0;
-  if (context)
-    {
-      SSL_CTX_free (context);
-      ret = 1;
-      context = 0;
-    }
-  else
-    ret = 0;
-  certificateFile.assign ("");
-  privateKeyFile.assign ("");
-  return ret;
+  if (cred)
+    gnutls_certificate_free_credentials (cred);
+  cred = NULL;
+
+  if (priority_cache)
+    gnutls_priority_deinit (priority_cache);
+  priority_cache = NULL;
+  return 0;
 }
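Review bot: Every gnutls call in initialize() has its return value discarded, so a certificate or key that fails to load still yields `return 1` and the server starts, only to fail every handshake later; the removed code returned -1 on each of those failures. The trust-file call also passes OpenSSL's `SSL_FILETYPE_PEM` where GnuTLS expects `GNUTLS_X509_FMT_PEM`, which may no longer even be declared now that the OpenSSL-compatibility dependency is gone, and the CRL line loads the empty path `""` marked TODO. `password` is no longer consulted, so an encrypted key cannot be opened, and the 1024-bit DH parameters are generated per context at startup, which is slow and is below today's accepted minimum. The checked version I would expect is below; the DH block and free() are unchanged.
```cpp
  if (gnutls_priority_init (&priority_cache, "NORMAL", NULL) < 0)
    return -1;

  if (gnutls_certificate_allocate_credentials (&cred) < 0)
    return -1;

  /* GnuTLS format constant, not OpenSSL's SSL_FILETYPE_PEM.  */
  if (gnutls_certificate_set_x509_key_file (cred, certificateFile.c_str (),
                                            privateKeyFile.c_str (),
                                            GNUTLS_X509_FMT_PEM) < 0)
    return -1;
  /* … unchanged: DH parameter generation … */
```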
 
 #if !HAVE_LIBGCRYPT || !HAVE_PTHREAD
diff --git a/myserver/src/conf/vhost/vhost.cpp 
b/myserver/src/conf/vhost/vhost.cpp
index b24b15d..be85b35 100644
--- a/myserver/src/conf/vhost/vhost.cpp
+++ b/myserver/src/conf/vhost/vhost.cpp
@@ -484,14 +484,6 @@ int Vhost::initializeSSL ()
 }
 
 /*!
-  Get the SSL context.
- */
-SSL_CTX* Vhost::getSSLContext ()
-{
-  return sslContext.getContext ();
-}
-
-/*!
   Clean the memory used by the SSL context.
  */
 int Vhost::freeSSL ()
diff --git a/myserver/src/server/server.cpp b/myserver/src/server/server.cpp
index 94837ff..9c001cd 100644
--- a/myserver/src/server/server.cpp
+++ b/myserver/src/server/server.cpp
@@ -127,7 +127,6 @@ int Server::loadLibraries ()
   XmlParser::startXML ();
   myserver_safetime_init ();
 
-  gnutls_global_init ();
   if (Socket::startupSocketLib () != 0)
     {
       log (MYSERVER_LOG_MSG_ERROR, _("Error loading the socket library"));
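Review bot: `gnutls_global_init ()` is removed here and nowhere in this diff is it re-added, yet the new SslContext::initialize and SslSocket::connect now call gnutls_certificate_allocate_credentials and gnutls_init directly. For the GnuTLS releases of this period the library must be initialised before those calls (and the gcrypt thread callbacks set up near the top of ssl.cpp only take effect if they precede it), so unless the call moved into a part of the file I cannot see, keep it here or place it in SslContext::initialize guarded by a once-flag.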
@@ -1205,12 +1204,12 @@ ConnectionPtr Server::addConnectionToList (Socket* s,
   if (doSSLhandshake)
     {
       int ret = 0;
-      SSL_CTX* ctx = newConnection->host->getSSLContext ();
       SslSocket *sslSocket = new SslSocket (s);
 
-      sslSocket->setSSLContext (ctx);
-      ret = sslSocket->sslAccept ();
+      sslSocket->setSSLContext (newConnection->host->getSSLContext (),
+                                newConnection->host->getSSLPriorityCache ());
 
+      ret = sslSocket->sslAccept ();
       if (ret < 0)
         {
           connectionsPoolLock.lock ();
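Review bot: sslAccept now returns the raw GnuTLS error code rather than -1, so the failure branch that starts on the last line of the hunk can finally say why a handshake was rejected; add `log (MYSERVER_LOG_MSG_ERROR, "%s", gnutls_strerror (ret));` before the lock if the rest of that branch does not already log. The handshake is still performed synchronously inside addConnectionToList, as before. The branch and the function continue outside the hunk, so I cannot tell whether `sslSocket` is deleted on this path.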
diff --git a/myserver/tests/test_ssl_socket.cpp 
b/myserver/tests/test_ssl_socket.cpp
index 22e14f2..3566840 100644
--- a/myserver/tests/test_ssl_socket.cpp
+++ b/myserver/tests/test_ssl_socket.cpp
@@ -132,9 +132,12 @@ public:
 
   void testRecv ()
   {
+    gnutls_priority_t priority_cache;
+    gnutls_dh_params_t dh_params;
+    gnutls_certificate_credentials_t cred;
+
     Socket *obj = new Socket;
     SslSocket *sslObj = NULL;
-    SSL_CTX *ctx = NULL;;
     ThreadID tid;
 
     int optvalReuseAddr = 1;
@@ -154,19 +157,21 @@ public:
                                       (const char*) &optvalReuseAddr,
                                       sizeof (optvalReuseAddr)) != -1);
 
-    ctx = SSL_CTX_new (SSLv23_server_method ());
 
-    if (SSL_CTX_use_certificate_file (ctx, TESTSERVERPEM, SSL_FILETYPE_PEM) != 
1)
-    {
-      SSL_CTX_free (ctx);
-      CPPUNIT_ASSERT (false);
-    }
+    gnutls_certificate_allocate_credentials (&cred);
+    gnutls_priority_init (&priority_cache, "NORMAL", NULL);
+
+    gnutls_dh_params_init (&dh_params);
+    gnutls_dh_params_generate2 (dh_params, 1024);
+    gnutls_certificate_set_dh_params (cred, dh_params);
+
+    gnutls_certificate_set_x509_trust_file (cred, TESTSERVERPEM,
+                                            SSL_FILETYPE_PEM);
+
+    gnutls_certificate_set_x509_key_file (cred, TESTSERVERPEM,
+                                          TESTSERVERKEY,
+                                          GNUTLS_X509_FMT_PEM);
 
-    if (SSL_CTX_use_PrivateKey_file (ctx, TESTSERVERKEY, SSL_FILETYPE_PEM) != 
1)
-    {
-      SSL_CTX_free (ctx);
-      CPPUNIT_ASSERT (false);
-    }
 
     /* If the port is used by another program, try a few others.  */
     do
@@ -189,16 +194,15 @@ public:
     Socket s = obj->accept (&sockIn, &sockInLen);
 
     sslObj = new SslSocket (&s);
-    sslObj->setSSLContext (ctx);
+    sslObj->setSSLContext (cred, priority_cache);
 
     int ret = sslObj->sslAccept ();
     if (ret < 0)
-    {
-      delete obj;
-      delete sslObj;
-      SSL_CTX_free (ctx);
-      CPPUNIT_ASSERT (false);
-    }
+      {
+        delete obj;
+        delete sslObj;
+        CPPUNIT_ASSERT (false);
+      }
 
     char buf[32] = {0};
 
@@ -212,12 +216,13 @@ public:
 
     CPPUNIT_ASSERT (obj->close () != -1);
 
-    SSL_CTX_free (ctx);
-
     Thread::join (tid);
     if (!arg.success)
       throw arg.reason;
 
+    gnutls_certificate_free_credentials (cred);
+    gnutls_priority_deinit (priority_cache);
+
     delete obj;
     delete sslObj;
   }
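Review bot: `dh_params` is allocated with gnutls_dh_params_init earlier in the test but never released; the credentials and priority cache are freed here, so add `gnutls_dh_params_deinit (dh_params);` beside them. The earlier `CPPUNIT_ASSERT (false)` exits also leak cred and priority_cache, which is tolerable in a test but worth a comment.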

-----------------------------------------------------------------------

Summary of changes:
 myserver/configure.ac                     |    5 -
 myserver/include/base/socket/ssl_socket.h |   15 +--
 myserver/include/base/ssl/ssl.h           |   19 ++--
 myserver/include/conf/vhost/vhost.h       |    3 +-
 myserver/src/base/socket/ssl_socket.cpp   |  189 +++++++++--------------------
 myserver/src/base/ssl/ssl.cpp             |   62 +++++-----
 myserver/src/conf/vhost/vhost.cpp         |    8 --
 myserver/src/server/server.cpp            |    7 +-
 myserver/tests/test_ssl_socket.cpp        |   47 ++++---
 9 files changed, 133 insertions(+), 222 deletions(-)


hooks/post-receive
-- 
GNU MyServer


