diff options
author | Daniel Vassdal <shutter@canternet.org> | 2013-07-02 12:35:52 +0200 |
---|---|---|
committer | Daniel Vassdal <shutter@canternet.org> | 2013-07-06 08:21:31 -0700 |
commit | b31b911bba26d59ba6b44cf314b6b0e3e58e6d85 (patch) | |
tree | e16459f7fc7484883a9bec0f08de084ff3c3443f /src/modules | |
parent | 27ae66eb3fb7056570936e7f4655ec3128bac2a7 (diff) |
Allow the user to specify any hashing mechanism supported by the underlying SSL library
Diffstat (limited to 'src/modules')
-rw-r--r-- | src/modules/extra/m_ssl_gnutls.cpp | 22 | ||||
-rw-r--r-- | src/modules/extra/m_ssl_openssl.cpp | 8 |
2 files changed, 25 insertions, 5 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index f6268c8d6..c303aa98f 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -28,6 +28,11 @@ #include "modules/ssl.h" #include "modules/cap.h" +#if ((GNUTLS_VERSION_MAJOR > 2) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR > 9) || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR == 9 && GNUTLS_VERSION_PATCH >= 8)) +#define GNUTLS_HAS_MAC_GET_ID +#include <gnutls/crypto.h> +#endif + #ifdef _WIN32 # pragma comment(lib, "libgnutls.lib") # pragma comment(lib, "libgcrypt.lib") @@ -701,13 +706,28 @@ class ModuleSSLGnuTLS : public Module iohook.dh_bits = dh_bits; + // As older versions of gnutls can't do this, let's disable it where needed. +#ifdef GNUTLS_HAS_MAC_GET_ID + // As gnutls_digest_algorithm_t and gnutls_mac_algorithm_t are mapped 1:1, we can do this + // There is no gnutls_dig_get_id() at the moment, but it may come later + iohook.hash = (gnutls_digest_algorithm_t)gnutls_mac_get_id(hashname.c_str()); + if (iohook.hash == GNUTLS_DIG_UNKNOWN) + throw ModuleException("Unknown hash type " + hashname); + + // Check if the user is walking around with their head in the ass, + // giving us something that is a valid MAC but not digest + gnutls_hash_hd_t is_digest; + if (gnutls_hash_init(&is_digest, iohook.hash) < 0) + throw ModuleException("Unknown hash type " + hashname); + gnutls_hash_deinit(is_digest, NULL); +#else if (hashname == "md5") iohook.hash = GNUTLS_DIG_MD5; else if (hashname == "sha1") iohook.hash = GNUTLS_DIG_SHA1; else throw ModuleException("Unknown hash type " + hashname); - +#endif int ret; diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 8a516b7ae..ddecb8d00 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -177,7 +177,6 @@ class OpenSSLIOHook : public SSLIOHook session->cert = certinfo; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; - const EVP_MD *digest = use_sha ? EVP_sha1() : EVP_md5(); cert = SSL_get_peer_certificate((SSL*)session->sess); @@ -224,7 +223,7 @@ class OpenSSLIOHook : public SSLIOHook issl_session* sessions; SSL_CTX* ctx; SSL_CTX* clictx; - bool use_sha; + const EVP_MD *digest; OpenSSLIOHook(Module* mod) : SSLIOHook(mod, "ssl/openssl") @@ -566,9 +565,10 @@ class ModuleSSLOpenSSL : public Module keyfile = conf->getString("keyfile", CONFIG_PATH "/key.pem"); dhfile = conf->getString("dhfile", CONFIG_PATH "/dhparams.pem"); std::string hash = conf->getString("hash", "md5"); - if (hash != "sha1" && hash != "md5") + + iohook.digest = EVP_get_digestbyname(hash.c_str()); + if (iohook.digest == NULL) throw ModuleException("Unknown hash type " + hash); - iohook.use_sha = (hash == "sha1"); std::string ciphers = conf->getString("ciphers", ""); |