1 /* Copyright (C) 2015, Felix Morgner <felix.morgner@gmail.com>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions
9 - Redistributions of source code must retain the above copyright notice,
10 this list of conditions and the following disclaimer.
11 - Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14 - Neither the name of the Developers nor the names of its contributors may
15 be used to endorse or promote products derived from this software without
16 specific prior written permission.
18 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
22 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 static gnutls_dh_params_t dhParameters;
38 static gnutls_certificate_credentials_t certificate;
40 static const char * ciphers = "NORMAL";
41 static gnutls_priority_t cipherCache;
43 void initializeCertificate()
45 char* certificatePath = (char*) getStrConf(CERTIFICATE);
47 if(!certificatePath) {
48 Log_fatal("No certificate file specified.");
51 char* keyPath = (char*) getStrConf(KEY);
54 Log_fatal("No key file specified");
57 gnutls_certificate_allocate_credentials(&certificate);
59 int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM);
61 if( error != GNUTLS_E_SUCCESS ) {
62 Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
69 unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
71 gnutls_dh_params_init(&dhParameters);
72 gnutls_dh_params_generate2(dhParameters, bitCount);
74 #if GNUTLS_VERSION_NUMBER < 0x030300
78 gnutls_priority_init(&cipherCache, ciphers, NULL);
80 initializeCertificate();
82 Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
88 gnutls_certificate_free_credentials(certificate);
89 gnutls_priority_deinit(cipherCache);
90 gnutls_global_deinit();
93 SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
95 gnutls_session_t * session = calloc(1, sizeof(gnutls_session_t));
97 gnutls_init(session, GNUTLS_SERVER);
98 gnutls_priority_set(*session, cipherCache);
99 gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
101 gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
103 gnutls_transport_set_int(*session, *fileDescriptor);
105 if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
111 bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash)
113 gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL);
115 size_t resultSize = 0;
116 int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize);
117 return error == GNUTLS_E_SUCCESS && resultSize == 20;
120 int SSLi_nonblockaccept( SSL_handle_t *session, bool_t * isSSLReady )
124 error = gnutls_handshake(*session);
125 } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error));
127 if ( error < GNUTLS_E_SUCCESS ) {
128 Log_warn("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error));
137 int SSLi_read(SSL_handle_t *session, uint8_t *buffer, int length)
139 return gnutls_record_recv(*session, buffer, length);
142 int SSLi_write(SSL_handle_t *session, uint8_t *buffer, int length)
144 return gnutls_record_send(*session, buffer, length);
147 int SSLi_get_error(SSL_handle_t *session, int code)
152 bool_t SSLi_data_pending(SSL_handle_t *session)
154 return gnutls_record_check_pending(*session);
157 void SSLi_shutdown(SSL_handle_t *session)
159 gnutls_bye(*session, GNUTLS_SHUT_WR);
162 void SSLi_free(SSL_handle_t *session)
164 gnutls_deinit(*session);