X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssli_gnutls.c;h=1f72857fde756ee19b608000bab87538b0c3839b;hb=c72ebd29f239793218f2248c3f8b48a7b3e0a541;hp=ab32d1e0da20fd77d1e3364eb7565c0f2a6d6084;hpb=8e8ff9af85dcf79469150009a96e1f8583ccc538;p=umurmur.git diff --git a/src/ssli_gnutls.c b/src/ssli_gnutls.c index ab32d1e..1f72857 100644 --- a/src/ssli_gnutls.c +++ b/src/ssli_gnutls.c @@ -1,84 +1,169 @@ +/* Copyright (C) 2015-2016, Felix Morgner + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + - Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + - Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + - Neither the name of the Developers nor the names of its contributors may + be used to endorse or promote products derived from this software without + specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + #include "ssl.h" #include "conf.h" #include "log.h" +#include "memory.h" + +#include static gnutls_dh_params_t dhParameters; static gnutls_certificate_credentials_t certificate; -static const char * ciphers = "SECURE128:-VERS-DTLS-ALL:-VERS-SSL3.0:-VERS-TLS1.0:+COMP_ALL"; +static const char * ciphers = "NONE:" + "+ECDHE-ECDSA:+ECDHE-RSA:+RSA:" + "+AES-256-GCM:+AES-128-GCM:" + "+AEAD:+SHA384:+SHA256:+SHA1:" + "+CURVE-ALL:" + "+COMP-NULL:" + "+SIGN-ALL:" + "+VERS-TLS1.2:+VERS-TLS1.0:" + "+CTYPE-X509"; + static gnutls_priority_t cipherCache; void initializeCertificate() - { - char* certificatePath = (char*) getStrConf(CERTIFICATE); - - if(!certificatePath) { - Log_fatal("No certificate file specified."); - } +{ + char* certificatePath = (char*) getStrConf(CERTIFICATE); - char* keyPath = (char*) getStrConf(KEY); + if(!certificatePath) { + Log_fatal("No certificate file specified."); + } - if(!keyPath) { - Log_fatal("No key file specified"); - } + char* keyPath = (char*) getStrConf(KEY); - gnutls_certificate_allocate_credentials(&certificate); + if(!keyPath) { + Log_fatal("No key file specified"); + } - int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM); + gnutls_certificate_allocate_credentials(&certificate); - if( error != GNUTLS_E_SUCCESS ) { - Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath); - } + int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM); - } + if( error != GNUTLS_E_SUCCESS ) { + Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath); + } +} void SSLi_init() - { - unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM); - - gnutls_dh_params_init(&dhParameters); - gnutls_dh_params_generate2(dhParameters, bitCount); - -#if GNUTLS_VERSION_NUMBER < 0x030300 - gnutls_global_init(); -#endif - - gnutls_priority_init(&cipherCache, ciphers, NULL); - - initializeCertificate(); +{ + if(gnutls_priority_init(&cipherCache, ciphers, NULL) != GNUTLS_E_SUCCESS) + { + Log_fatal("Failed to set priorities"); + } - Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL)); + initializeCertificate(); - } + Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL)); +} void SSLi_deinit() - { - gnutls_certificate_free_credentials(certificate); - gnutls_priority_deinit(cipherCache); - gnutls_global_deinit(); - } +{ + gnutls_certificate_free_credentials(certificate); + gnutls_priority_deinit(cipherCache); + gnutls_global_deinit(); +} SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady ) - { - gnutls_session_t * session; // Maybe we need to calloc here - - gnutls_init(session, GNUTLS_SERVER); - gnutls_priority_set(*session, cipherCache); - gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate); - - gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE); - - gnutls_transport_set_int(*session, *fileDescriptor); - - int error; - do { - gnutls_handshake(*session); - } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error)); - - if ( error < GNUTLS_E_SUCCESS ) { - Log_fatal("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error)); - } - - return session; - } - +{ + gnutls_session_t * session + = Memory_safeCalloc(1, sizeof(gnutls_session_t)); + + gnutls_init(session, GNUTLS_SERVER); + gnutls_priority_set(*session, cipherCache); + gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate); + + gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE); + + gnutls_transport_set_int(*session, *fileDescriptor); + + if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady)) + *isSSLReady = true; + + return session; +} + +bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash) +{ + gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL); + + size_t resultSize = 0; + int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize); + return error == GNUTLS_E_SUCCESS && resultSize == 20; +} + +int SSLi_nonblockaccept( SSL_handle_t *session, bool_t * isSSLReady ) +{ + int error; + do { + error = gnutls_handshake(*session); + } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error)); + + if ( error < GNUTLS_E_SUCCESS ) { + Log_warn("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error)); + } + + if(isSSLReady) + *isSSLReady = true; + + return error; +} + +int SSLi_read(SSL_handle_t *session, uint8_t *buffer, int length) +{ + return gnutls_record_recv(*session, buffer, length); +} + +int SSLi_write(SSL_handle_t *session, uint8_t *buffer, int length) +{ + return gnutls_record_send(*session, buffer, length); +} + +int SSLi_get_error(SSL_handle_t *session, int code) +{ + return code; +} + +bool_t SSLi_data_pending(SSL_handle_t *session) +{ + return gnutls_record_check_pending(*session); +} + +void SSLi_shutdown(SSL_handle_t *session) +{ + gnutls_bye(*session, GNUTLS_SHUT_WR); +} + +void SSLi_free(SSL_handle_t *session) +{ + gnutls_deinit(*session); + free(session); +}