1 /* Copyright (C) 2015, Felix Morgner <felix.morgner@gmail.com>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions
9 - Redistributions of source code must retain the above copyright notice,
10 this list of conditions and the following disclaimer.
11 - Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14 - Neither the name of the Developers nor the names of its contributors may
15 be used to endorse or promote products derived from this software without
16 specific prior written permission.
18 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
22 CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 static gnutls_dh_params_t dhParameters;
38 static gnutls_certificate_credentials_t certificate;
40 static const char * ciphers = "NORMAL";
41 static gnutls_priority_t cipherCache;
43 void initializeCertificate()
45 char* certificatePath = (char*) getStrConf(CERTIFICATE);
47 if(!certificatePath) {
48 Log_fatal("No certificate file specified.");
51 char* keyPath = (char*) getStrConf(KEY);
54 Log_fatal("No key file specified");
57 gnutls_certificate_allocate_credentials(&certificate);
59 int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM);
61 if( error != GNUTLS_E_SUCCESS ) {
62 Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
69 unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
71 gnutls_priority_init(&cipherCache, ciphers, NULL);
72 initializeCertificate();
74 gnutls_dh_params_init(&dhParameters);
76 Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount);
77 int error = gnutls_dh_params_generate2(dhParameters, bitCount);
80 Log_info("Successfully generated Diffie-Hellman parameters");
82 Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error));
85 gnutls_certificate_set_dh_params(certificate, dhParameters);
87 Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
93 gnutls_certificate_free_credentials(certificate);
94 gnutls_priority_deinit(cipherCache);
95 gnutls_global_deinit();
98 SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
100 gnutls_session_t * session = calloc(1, sizeof(gnutls_session_t));
102 gnutls_init(session, GNUTLS_SERVER);
103 gnutls_priority_set(*session, cipherCache);
104 gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
106 gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
108 gnutls_transport_set_int(*session, *fileDescriptor);
110 if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
116 bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash)
118 gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL);
120 size_t resultSize = 0;
121 int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize);
122 return error == GNUTLS_E_SUCCESS && resultSize == 20;
125 int SSLi_nonblockaccept( SSL_handle_t *session, bool_t * isSSLReady )
129 error = gnutls_handshake(*session);
130 } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error));
132 if ( error < GNUTLS_E_SUCCESS ) {
133 Log_warn("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error));
142 int SSLi_read(SSL_handle_t *session, uint8_t *buffer, int length)
144 return gnutls_record_recv(*session, buffer, length);
147 int SSLi_write(SSL_handle_t *session, uint8_t *buffer, int length)
149 return gnutls_record_send(*session, buffer, length);
152 int SSLi_get_error(SSL_handle_t *session, int code)
157 bool_t SSLi_data_pending(SSL_handle_t *session)
159 return gnutls_record_check_pending(*session);
162 void SSLi_shutdown(SSL_handle_t *session)
164 gnutls_bye(*session, GNUTLS_SHUT_WR);
167 void SSLi_free(SSL_handle_t *session)
169 gnutls_deinit(*session);