1 /* Copyright (C) 2015-2016, Felix Morgner <felix.morgner@gmail.com>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions
9 - Redistributions of source code must retain the above copyright notice,
10 this list of conditions and the following disclaimer.
11 - Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14 - Neither the name of the Developers nor the names of its contributors may
15 be used to endorse or promote products derived from this software without
16 specific prior written permission.
18 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
22 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 static gnutls_dh_params_t dhParameters;
39 static gnutls_certificate_credentials_t certificate;
41 static const char * ciphers = "NONE:"
42 "+ECDHE-ECDSA:+ECDHE-RSA:+RSA:"
43 "+AES-256-GCM:+AES-128-GCM:"
44 "+AEAD:+SHA384:+SHA256:+SHA1:"
48 "+VERS-TLS1.2:+VERS-TLS1.0:"
51 static gnutls_priority_t cipherCache;
53 void initializeCertificate()
55 char* certificatePath = (char*) getStrConf(CERTIFICATE);
57 if(!certificatePath) {
58 Log_fatal("No certificate file specified.");
61 char* keyPath = (char*) getStrConf(KEY);
64 Log_fatal("No key file specified");
67 gnutls_certificate_allocate_credentials(&certificate);
69 int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM);
71 if( error != GNUTLS_E_SUCCESS ) {
72 Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
78 if(gnutls_priority_init(&cipherCache, ciphers, NULL) != GNUTLS_E_SUCCESS)
80 Log_fatal("Failed to set priorities");
83 initializeCertificate();
85 Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
90 gnutls_certificate_free_credentials(certificate);
91 gnutls_priority_deinit(cipherCache);
92 gnutls_global_deinit();
95 SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
97 gnutls_session_t * session
98 = Memory_safeCalloc(1, sizeof(gnutls_session_t));
100 gnutls_init(session, GNUTLS_SERVER);
101 gnutls_priority_set(*session, cipherCache);
102 gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
104 gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
106 gnutls_transport_set_int(*session, *fileDescriptor);
108 if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
114 bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash)
116 gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL);
118 size_t resultSize = 0;
119 int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize);
120 return error == GNUTLS_E_SUCCESS && resultSize == 20;
123 int SSLi_nonblockaccept( SSL_handle_t *session, bool_t * isSSLReady )
127 error = gnutls_handshake(*session);
128 } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error));
130 if ( error < GNUTLS_E_SUCCESS ) {
131 Log_warn("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error));
140 int SSLi_read(SSL_handle_t *session, uint8_t *buffer, int length)
142 return gnutls_record_recv(*session, buffer, length);
145 int SSLi_write(SSL_handle_t *session, uint8_t *buffer, int length)
147 return gnutls_record_send(*session, buffer, length);
150 int SSLi_get_error(SSL_handle_t *session, int code)
155 bool_t SSLi_data_pending(SSL_handle_t *session)
157 return gnutls_record_check_pending(*session);
160 void SSLi_shutdown(SSL_handle_t *session)
162 gnutls_bye(*session, GNUTLS_SHUT_WR);
165 void SSLi_free(SSL_handle_t *session)
167 gnutls_deinit(*session);