diff options
Diffstat (limited to 'runtime/nsd_gtls.c')
| -rw-r--r-- | runtime/nsd_gtls.c | 36 |
1 files changed, 11 insertions, 25 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 15340738..c2db9c94 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -52,7 +52,6 @@ #include "nsd_gtls.h" /* things to move to some better place/functionality - TODO */ -#define DH_BITS 1024 #define CRLFILE "crl.pem" @@ -86,7 +85,6 @@ static pthread_mutex_t mutGtlsStrerror; /**< a mutex protecting the potentially /* ------------------------------ GnuTLS specifics ------------------------------ */ static gnutls_certificate_credentials xcred; -static gnutls_dh_params dh_params; #ifdef DEBUG #if 0 /* uncomment, if needed some time again -- DEV Debug only */ @@ -119,7 +117,7 @@ readFile(uchar *pszFile, gnutls_datum_t *pBuf) pBuf->data = NULL; - if((fd = open((char*)pszFile, 0)) == -1) { + if((fd = open((char*)pszFile, O_RDONLY)) == -1) { errmsg.LogError(0, RS_RET_FILE_NOT_FOUND, "can not read file '%s'", pszFile); ABORT_FINALIZE(RS_RET_FILE_NOT_FOUND); @@ -208,10 +206,14 @@ finalize_it: if(iRet != RS_RET_OK) { if(data.data != NULL) free(data.data); - if(pThis->bOurCertIsInit) + if(pThis->bOurCertIsInit) { gnutls_x509_crt_deinit(pThis->ourCert); - if(pThis->bOurKeyIsInit) + pThis->bOurCertIsInit = 0; + } + if(pThis->bOurKeyIsInit) { gnutls_x509_privkey_deinit(pThis->ourKey); + pThis->bOurKeyIsInit = 0; + } } RETiRet; } @@ -616,7 +618,6 @@ gtlsInitSession(nsd_gtls_t *pThis) /* request client certificate if any. */ gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUEST); - gnutls_dh_set_prime_bits(session, DH_BITS); pThis->sess = session; @@ -625,23 +626,6 @@ finalize_it: } -static rsRetVal -generate_dh_params(void) -{ - int gnuRet; - DEFiRet; - /* Generate Diffie Hellman parameters - for use with DHE - * kx algorithms. These should be discarded and regenerated - * once a day, once a week or once a month. Depending on the - * security requirements. - */ - CHKgnutls(gnutls_dh_params_init( &dh_params)); - CHKgnutls(gnutls_dh_params_generate2( dh_params, DH_BITS)); -finalize_it: - RETiRet; -} - - /* set up all global things that are needed for server operations * rgerhards, 2008-04-30 */ @@ -655,8 +639,6 @@ gtlsGlblInitLstn(void) * considered legacy. -- rgerhards, 2008-05-05 */ /*CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));*/ - CHKiRet(generate_dh_params()); - gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */ bGlblSrvrInitDone = 1; /* we are all set now */ /* now we need to add our certificate */ @@ -1428,6 +1410,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) /* we got a handshake, now check authorization */ CHKiRet(gtlsChkPeerAuth(pNew)); } else { + uchar *pGnuErr = gtlsStrerror(gnuRet); + errmsg.LogError(0, RS_RET_TLS_HANDSHAKE_ERR, + "gnutls returned error on handshake: %s\n", pGnuErr); + free(pGnuErr); ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR); } |