1 /* Copyright (C) 2015, Felix Morgner <felix.morgner@gmail.com>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions
9 - Redistributions of source code must retain the above copyright notice,
10 this list of conditions and the following disclaimer.
11 - Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14 - Neither the name of the Developers nor the names of its contributors may
15 be used to endorse or promote products derived from this software without
16 specific prior written permission.
18 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
22 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 static gnutls_dh_params_t dhParameters;
39 static gnutls_certificate_credentials_t certificate;
41 static const char * ciphers = "NORMAL";
42 static gnutls_priority_t cipherCache;
44 void initializeCertificate()
46 char* certificatePath = (char*) getStrConf(CERTIFICATE);
48 if(!certificatePath) {
49 Log_fatal("No certificate file specified.");
52 char* keyPath = (char*) getStrConf(KEY);
55 Log_fatal("No key file specified");
58 gnutls_certificate_allocate_credentials(&certificate);
60 int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM);
62 if( error != GNUTLS_E_SUCCESS ) {
63 Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
70 unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
72 gnutls_priority_init(&cipherCache, ciphers, NULL);
73 initializeCertificate();
75 gnutls_dh_params_init(&dhParameters);
77 Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount);
78 int error = gnutls_dh_params_generate2(dhParameters, bitCount);
81 Log_info("Successfully generated Diffie-Hellman parameters");
83 Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error));
86 gnutls_certificate_set_dh_params(certificate, dhParameters);
88 Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
94 gnutls_certificate_free_credentials(certificate);
95 gnutls_priority_deinit(cipherCache);
96 gnutls_global_deinit();
99 SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
101 gnutls_session_t * session
102 = Memory_safeCalloc(1, sizeof(gnutls_session_t));
104 gnutls_init(session, GNUTLS_SERVER);
105 gnutls_priority_set(*session, cipherCache);
106 gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
108 gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
110 gnutls_transport_set_int(*session, *fileDescriptor);
112 if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
118 bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash)
120 gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL);
122 size_t resultSize = 0;
123 int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize);
124 return error == GNUTLS_E_SUCCESS && resultSize == 20;
127 int SSLi_nonblockaccept( SSL_handle_t *session, bool_t * isSSLReady )
131 error = gnutls_handshake(*session);
132 } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error));
134 if ( error < GNUTLS_E_SUCCESS ) {
135 Log_warn("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error));
144 int SSLi_read(SSL_handle_t *session, uint8_t *buffer, int length)
146 return gnutls_record_recv(*session, buffer, length);
149 int SSLi_write(SSL_handle_t *session, uint8_t *buffer, int length)
151 return gnutls_record_send(*session, buffer, length);
154 int SSLi_get_error(SSL_handle_t *session, int code)
159 bool_t SSLi_data_pending(SSL_handle_t *session)
161 return gnutls_record_check_pending(*session);
164 void SSLi_shutdown(SSL_handle_t *session)
166 gnutls_bye(*session, GNUTLS_SHUT_WR);
169 void SSLi_free(SSL_handle_t *session)
171 gnutls_deinit(*session);