* Renamed "dynloader" to "serv_extensions" globally. We don't want people
index b4e25f1a9828b9d6b2bfbd746cfbd7f5a750c194..7a87f064f074b89d64d403104f3bfa584082f398 100644 (file)
@@ -1,32 +1,57 @@
 /* $Id$ */
 
+#include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include "sysdep.h"
+
 #ifdef HAVE_OPENSSL
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #endif
+
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+
 #ifdef HAVE_PTHREAD_H
 #include <pthread.h>
 #endif
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
 #include <stdio.h>
 #include "server.h"
 #include "serv_crypto.h"
 #include "sysdep_decls.h"
-#include "dynloader.h"
+#include "serv_extensions.h"
 
 
 #ifdef HAVE_OPENSSL
 SSL_CTX *ssl_ctx;                              /* SSL context */
 pthread_mutex_t **SSLCritters;                 /* Things needing locking */
 
+static unsigned long id_callback(void) {
+       return (unsigned long)pthread_self();
+}
 
 void init_ssl(void)
 {
        SSL_METHOD *ssl_method;
        DH *dh;
+
+       if (!access("/var/run/egd-pool", F_OK))
+               RAND_egd("/var/run/egd-pool");
        
        if (!RAND_status()) {
                lprintf(2, "PRNG not adequately seeded, won't do SSL/TLS\n");
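Review bot: The EGD seeding added at lines 59–60 discards the return value of RAND_egd(), so a pool socket that exists but cannot be read (permissions, stale socket) is indistinguishable from one that was never there; the later RAND_status() check still refuses to start TLS, but the log will not say why. RAND_egd() itself returns -1 when the socket is absent or unusable, so the access() pre-check adds nothing except a small window between check and use; I would drop it and log the outcome instead: `if (RAND_egd("/var/run/egd-pool") < 0) lprintf(7, "EGD pool not available, relying on default seeding\n");`. init_ssl() continues past the end of this hunk.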
@@ -75,7 +100,7 @@ void init_ssl(void)
 #endif
 #endif
        CRYPTO_set_locking_callback(ssl_lock);
-       CRYPTO_set_id_callback(pthread_self);
+       CRYPTO_set_id_callback(id_callback);
 
        /* Load DH parameters into the context */
        dh = DH_new();
@@ -107,8 +132,7 @@ void init_ssl(void)
        /* Finally let the server know we're here */
        CtdlRegisterProtoHook(cmd_stls, "STLS", "Start SSL/TLS session");
        CtdlRegisterProtoHook(cmd_gtls, "GTLS", "Get SSL/TLS session status");
-       CtdlRegisterProtoHook(cmd_etls, "ETLS", "End SSL/TLS session");
-       CtdlRegisterSessionHook(endtls_atlogout, EVT_STOP);
+       CtdlRegisterSessionHook(endtls, EVT_STOP);
 }
 
 
@@ -141,7 +165,7 @@ void client_write_ssl(char *buf, int nbytes)
                                continue;
                        }
                        lprintf(9, "SSL_write got error %ld\n", errval);
-                       endtls(1);
+                       endtls();
                        client_write(&buf[nbytes - nremain], nremain);
                        return;
                }
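Review bot: After `endtls();` at line 88 the unsent remainder of the buffer is handed to client_write() and goes out in the clear over the same socket, so an SSL_write error silently downgrades the session to plaintext rather than ending it; client_read_ssl at line 97 does the same with client_read_to(). The fallback predates this commit, but with the ETLS command removed these error paths are now the only way a session leaves TLS, and data the peer expected to be protected is what gets written unencrypted. I would log the failure and return without the plaintext write/read, and let the session end, e.g. replace the two lines after `endtls();` with `return;` and drop the client_write() call. Both enclosing functions start outside their hunks.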
@@ -193,7 +217,7 @@ int client_read_ssl(char *buf, int bytes, int timeout)
                                continue;
                        }
                        lprintf(9, "SSL_read got error %ld\n", errval);
-                       endtls(1);
+                       endtls();
                        return (client_read_to(&buf[len], bytes - len, timeout));
                }
                len += rlen;
@@ -229,7 +253,7 @@ void cmd_stls(char *params)
                                ERR_reason_error_string(ERR_get_error()));
                return;
        }
-       cprintf("%d \n", OK);
+       cprintf("%d \n", CIT_OK);
        retval = SSL_accept(CC->ssl);
        if (retval < 1) {
                /*
@@ -248,7 +272,7 @@ void cmd_stls(char *params)
        }
        BIO_set_close(CC->ssl->rbio, BIO_NOCLOSE);
        bits = SSL_CIPHER_get_bits(SSL_get_current_cipher(CC->ssl), &alg_bits);
-       lprintf(3, "Session %d using %s on %s (%d of %d bits)\n", CC->cs_pid,
+       lprintf(3, "SSL/TLS using %s on %s (%d of %d bits)\n",
                        SSL_CIPHER_get_name(SSL_get_current_cipher(CC->ssl)),
                        SSL_CIPHER_get_version(SSL_get_current_cipher(CC->ssl)),
                        bits, alg_bits);
@@ -268,46 +292,25 @@ void cmd_gtls(char *params)
                return;
        }
        bits = SSL_CIPHER_get_bits(SSL_get_current_cipher(CC->ssl), &alg_bits);
-       cprintf("%d %s|%s|%d|%d\n", OK,
+       cprintf("%d %s|%s|%d|%d\n", CIT_OK,
                SSL_CIPHER_get_version(SSL_get_current_cipher(CC->ssl)),
                SSL_CIPHER_get_name(SSL_get_current_cipher(CC->ssl)),
                alg_bits, bits);
 }
 
 
-/* Logout function hook */
-void endtls_atlogout(void)
-{
-       endtls(1);
-}
-
-
-/* Command function hook */
-void cmd_etls(char *params)
-{
-       endtls(0);
-}
-
-
 /*
  * endtls() shuts down the TLS connection
- * Parameter is NULL for client request, CitContext * for server request
  *
  * WARNING:  This may make your session vulnerable to a known plaintext
  * attack in the current implmentation.
  */
-void endtls(int who)
+void endtls(void)
 {
-       lprintf(7, "Session %d ending SSL/TLS%s\n", CC->cs_pid,
-                       (who) ? "" : " at client request");
+       lprintf(7, "Ending SSL/TLS\n");
 
-       if (!who) {
-               if (!CC->ssl) {
-                       cprintf("%d Connection is not encrypted.\n", ERROR);
-                       return;
-               }
-               cprintf("%d Now stop encryption.\n", OK);
-       } else if (!CC->ssl) {
+       if (!CC->ssl) {
+               CC->redirect_ssl = 0;
                return;
        }
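Review bot: The header comment for endtls() at lines 145–151 lost its caller description along with the parameter but did not gain a new one; with cmd_etls() and endtls_atlogout() deleted, the callers visible on this page are the EVT_STOP session hook registered in init_ssl() and the SSL_write/SSL_read error paths. I would add `* Called from the EVT_STOP session hook and from the SSL I/O error paths;` and `* there is no longer a client-initiated (ETLS) way to drop encryption.` above the existing WARNING. The new `CC->redirect_ssl = 0;` on the no-SSL branch presumably mirrors a reset further down, but endtls() continues past the hunk so I cannot confirm that from here.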