summaryrefslogtreecommitdiff
path: root/src/modules
diff options
context:
space:
mode:
authorDaniel Vassdal <shutter@canternet.org>2013-07-02 12:35:52 +0200
committerDaniel Vassdal <shutter@canternet.org>2013-07-06 08:21:31 -0700
commitb31b911bba26d59ba6b44cf314b6b0e3e58e6d85 (patch)
treee16459f7fc7484883a9bec0f08de084ff3c3443f /src/modules
parent27ae66eb3fb7056570936e7f4655ec3128bac2a7 (diff)
Allow the user to specify any hashing mechanism supported by the underlying SSL library
Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/extra/m_ssl_gnutls.cpp22
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp8
2 files changed, 25 insertions, 5 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index f6268c8d6..c303aa98f 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -28,6 +28,11 @@
#include "modules/ssl.h"
#include "modules/cap.h"
+#if ((GNUTLS_VERSION_MAJOR > 2) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 9) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR == 9 && GNUTLS_VERSION_PATCH >= 8))
+#define GNUTLS_HAS_MAC_GET_ID
+#include <gnutls/crypto.h>
+#endif
+
#ifdef _WIN32
# pragma comment(lib, "libgnutls.lib")
# pragma comment(lib, "libgcrypt.lib")
@@ -701,13 +706,28 @@ class ModuleSSLGnuTLS : public Module
iohook.dh_bits = dh_bits;
+ // As older versions of gnutls can't do this, let's disable it where needed.
+#ifdef GNUTLS_HAS_MAC_GET_ID
+ // As gnutls_digest_algorithm_t and gnutls_mac_algorithm_t are mapped 1:1, we can do this
+ // There is no gnutls_dig_get_id() at the moment, but it may come later
+ iohook.hash = (gnutls_digest_algorithm_t)gnutls_mac_get_id(hashname.c_str());
+ if (iohook.hash == GNUTLS_DIG_UNKNOWN)
+ throw ModuleException("Unknown hash type " + hashname);
+
+ // Check if the user is walking around with their head in the ass,
+ // giving us something that is a valid MAC but not digest
+ gnutls_hash_hd_t is_digest;
+ if (gnutls_hash_init(&is_digest, iohook.hash) < 0)
+ throw ModuleException("Unknown hash type " + hashname);
+ gnutls_hash_deinit(is_digest, NULL);
+#else
if (hashname == "md5")
iohook.hash = GNUTLS_DIG_MD5;
else if (hashname == "sha1")
iohook.hash = GNUTLS_DIG_SHA1;
else
throw ModuleException("Unknown hash type " + hashname);
-
+#endif
int ret;
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 8a516b7ae..ddecb8d00 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -177,7 +177,6 @@ class OpenSSLIOHook : public SSLIOHook
session->cert = certinfo;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5();
cert = SSL_get_peer_certificate((SSL*)session->sess);
@@ -224,7 +223,7 @@ class OpenSSLIOHook : public SSLIOHook
issl_session* sessions;
SSL_CTX* ctx;
SSL_CTX* clictx;
- bool use_sha;
+ const EVP_MD *digest;
OpenSSLIOHook(Module* mod)
: SSLIOHook(mod, "ssl/openssl")
@@ -566,9 +565,10 @@ class ModuleSSLOpenSSL : public Module
keyfile = conf->getString("keyfile", CONFIG_PATH "/key.pem");
dhfile = conf->getString("dhfile", CONFIG_PATH "/dhparams.pem");
std::string hash = conf->getString("hash", "md5");
- if (hash != "sha1" && hash != "md5")
+
+ iohook.digest = EVP_get_digestbyname(hash.c_str());
+ if (iohook.digest == NULL)
throw ModuleException("Unknown hash type " + hash);
- iohook.use_sha = (hash == "sha1");
std::string ciphers = conf->getString("ciphers", "");