
2000-03-24

2000-03-24 17:34:26 by Per Hedbor <ph@opera.com>

Fixed the SSL-always-uses-demokey problem, and a so far undetected problem with '%' in site names

Rev: server/base_server/roxen.pike:1.464

4:   // Per Hedbor, Henrik Grubbström, Pontus Hagland, David Hedbor and others.      // ABS and suicide systems contributed freely by Francesco Chemolli - constant cvs_version="$Id: roxen.pike,v 1.463 2000/03/24 01:37:11 mast Exp $"; + constant cvs_version="$Id: roxen.pike,v 1.464 2000/03/24 17:34:26 per Exp $";      object backend_thread;   ArgCache argcache;
769: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile)
      void destroy()    { -  if (sslfile) { +  if (sslfile)    sslfile->close();    } -  } +        void create(object q, object ctx)    {
783: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile)
   object accept()    {    object q = ::accept(); -  if (q) { -  return destruct_protected_sslfile(q, ctx); -  } +  if (q) return destruct_protected_sslfile(q, ctx);    return 0;    }   
793: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile)
   {    ctx = SSL.context();    set_up_ssl_variables( this_object() ); +  port = pn; +  ip = i; +     restore();       object privs = Privs("Reading cert file");    -  string f = Stdio.read_file(query_option("ssl_cert_file") || -  "demo_certificate.pem"); -  string f2 = query_option("ssl_key_file") && -  strlen(query_option("ssl_key_file")) && -  Stdio.read_file(query_option("ssl_key_file")); -  if (privs) -  destruct(privs); +  string f, f2;    -  if (!f) { +  if( catch{ f = lopen(query_option("ssl_cert_file"), "r")->read(); } ) +  {    report_error("SSL3: Reading cert-file failed!\n");    destruct();    return;    } -  object msg = Tools.PEM.pem_msg()->init(f); +     -  object part = msg->parts["CERTIFICATE"] -  ||msg->parts["X509 CERTIFICATE"]; -  -  string cert; -  -  if (!part || !(cert = part->decoded_body())) { -  report_error("ssl3: No certificate found.\n"); +  if( strlen(query_option("ssl_key_file")) && +  catch{ f2 = lopen(query_option("ssl_key_file"),"r")->read(); } ) +  { +  report_error("SSL3: Reading key-file failed!\n");    destruct();    return;    }    -  if (query_option("ssl_key_file") && strlen(query_option("ssl_key_file") )) +  if (privs) +  destruct(privs); +  +  object msg = Tools.PEM.pem_msg()->init( f ); +  object part = msg->parts["CERTIFICATE"] || msg->parts["X509 CERTIFICATE"]; +  string cert; +  +  if (!part || !(cert = part->decoded_body()))    { -  if (!f2) { -  report_error("SSL3: Reading key-file failed!\n"); +  report_error("ssl3: No certificate found.\n");    destruct();    return;    } -  msg = Tools.PEM.pem_msg()->init(f2); -  } +     -  +  if( f2 ) +  msg = Tools.PEM.pem_msg()->init( f2 ); +     function r = Crypto.randomness.reasonably_random()->read;       SSL3_WERR(sprintf("key file contains: %O", indices(msg->parts)));
841: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile)
   {    string key;    -  if (!(key = part->decoded_body())) { +  if (!(key = part->decoded_body())) +  {    report_error("SSL3: Private rsa key not valid (PEM).\n");    destruct();    return;    }       object rsa = Standards.PKCS.RSA.parse_private_key(key); -  if (!rsa) { +  if (!rsa) +  {    report_error("SSL3: Private rsa key not valid (DER).\n");    destruct();    return;
868: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile)
   ctx->rsa_mode();       object tbs = Tools.X509.decode_certificate (cert); -  if (!tbs) { +  if (!tbs) +  {    report_error("ssl3: Certificate not valid (DER).\n");    destruct();    return;    } -  if (!tbs->public_key->rsa->public_key_equal (rsa)) { +  if (!tbs->public_key->rsa->public_key_equal (rsa)) +  {    report_error("ssl3: Certificate and private key do not match.\n");    destruct();    return;
883: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile)
   {    string key;    -  if (!(key = part->decoded_body())) { +  if (!(key = part->decoded_body())) +  {    report_error("ssl3: Private dsa key not valid (PEM).\n");    destruct();    return;    }       object dsa = Standards.PKCS.DSA.parse_private_key(key); -  if (!dsa) { +  if (!dsa) +  {    report_error("ssl3: Private dsa key not valid (DER).\n");    destruct();    return;
907: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile)
      // FIXME: Add cert <-> private key check.    } -  else { +  else +  {    report_error("ssl3: No private key found.\n");    destruct();    return;
919: Inside #if constant(Crypto) && constant(Crypto.rsa) && constant(Standards) && constant(Standards.PKCS.RSA) && constant(SSL) && constant(SSL.sslfile) and #if EXPORT
  #if EXPORT    ctx->export_mode();   #endif -  +     ::create(pn, i);    }   #else /* !constant(SSL.sslfile) */ -  void create(int pn, string i) { -  report_error("No SSL support\n"); +  void create(int pn, string i) +  { +  report_error("No SSL support available\n");    destruct();    }   #endif /* constant(SSL.sslfile) */ -  +     string _sprintf( )    {    return "SSLProtocol("+name+"://"+ip+":"+port+")";
2817:    foreach(list_all_configurations(), string config)    {    int t = gethrtime(); -  report_debug("\nEnabling the configuration "+config+" ...\n"); +  report_debug("\nEnabling the configuration %s ...\n", config);    if(err=catch( enable_configuration(config)->start() ))    report_error("\nError while loading configuration "+config+":\n"+    describe_backtrace(err)+"\n"); -  report_debug("Enabled "+config+" in %.1fms\n", (gethrtime()-t)/1000.0 ); +  report_debug("Enabled %s in %.1fms\n", config, (gethrtime()-t)/1000.0 );    }   }
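Review bot: In the 793 hunk the two new error branches return before `if (privs) destruct(privs);`, which the old code ran unconditionally right after the file reads, so `report_error()` and `destruct()` now execute with the `Privs("Reading cert file")` elevation still held unless Privs restores privileges when the local is released on return. Capturing the catch results, dropping privs, and only then branching keeps the privileged window limited to the two reads and also restores the lost `if (!f)` check for a read() that returns 0 without throwing. The same hunk drops the `query_option("ssl_key_file") &&` guard in front of `strlen(...)`, so an unset option now reaches strlen() with 0 instead of skipping the key-file read. The enclosing create() starts before and ends after this hunk. In the 2817 hunk, `report_error("\nError while loading configuration "+config+...)` still concatenates the configuration name; if report_error treats its first argument as a format string the way report_debug on the neighbouring lines does, a '%' in a site name still reaches it there.
```pike
  object privs = Privs("Reading cert file");
  string f, f2;
  mixed cert_err = catch { f = lopen(query_option("ssl_cert_file"), "r")->read(); };
  mixed key_err;
  if( query_option("ssl_key_file") && strlen(query_option("ssl_key_file")) )
    key_err = catch { f2 = lopen(query_option("ssl_key_file"), "r")->read(); };
  if (privs)
    destruct(privs);

  if( cert_err || !f )
  {
    report_error("SSL3: Reading cert-file failed!\n");
    destruct();
    return;
  }
  if( key_err )
  {
    report_error("SSL3: Reading key-file failed!\n");
    destruct();
    return;
  }
  // … unchanged: PEM parsing, key/certificate checks …
```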