+/* Copyright (C) 2015-2016, Felix Morgner <felix.morgner@gmail.com>
+
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ - Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ - Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ - Neither the name of the Developers nor the names of its contributors may
+ be used to endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
#include "ssl.h"
#include "conf.h"
#include "log.h"
+#include "memory.h"
+
+#include <stdlib.h>
static gnutls_dh_params_t dhParameters;
static gnutls_certificate_credentials_t certificate;
-static const char * ciphers = "NONE:+CTYPE-X.509:+DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA256:+SHA1:+VERS-TLS-ALL:+COMP-ALL:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1";
+static const char * ciphers = "NONE:"
+ "+ECDHE-ECDSA:+ECDHE-RSA:+RSA:"
+ "+AES-256-GCM:+AES-128-GCM:"
+ "+AEAD:+SHA384:+SHA256:+SHA1:"
+ "+CURVE-ALL:"
+ "+COMP-NULL:"
+ "+SIGN-ALL:"
+ "+VERS-TLS1.2:+VERS-TLS1.0:"
+ "+CTYPE-X509";
+
static gnutls_priority_t cipherCache;
void initializeCertificate()
- {
- char* certificatePath = (char*) getStrConf(CERTIFICATE);
+{
+ char* certificatePath = (char*) getStrConf(CERTIFICATE);
- if(!certificatePath) {
- Log_fatal("No certificate file specified.");
- }
+ if(!certificatePath) {
+ Log_fatal("No certificate file specified.");
+ }
- char* keyPath = (char*) getStrConf(KEY);
+ char* keyPath = (char*) getStrConf(KEY);
- if(!keyPath) {
- Log_fatal("No key file specified");
- }
+ if(!keyPath) {
+ Log_fatal("No key file specified");
+ }
- gnutls_certificate_allocate_credentials(&certificate);
+ gnutls_certificate_allocate_credentials(&certificate);
- int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM);
+ int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM);
- if( error != GNUTLS_E_SUCCESS ) {
- Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
- }
-
- }
+ if( error != GNUTLS_E_SUCCESS ) {
+ Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
+ }
+}
void SSLi_init()
- {
- unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
-
- gnutls_dh_params_init(&dhParameters);
- gnutls_dh_params_generate2(dhParameters, bitCount);
+{
+ if(gnutls_priority_init(&cipherCache, ciphers, NULL) != GNUTLS_E_SUCCESS)
+ {
+ Log_fatal("Failed to set priorities");
+ }
-#if GNUTLS_VERSION_NUMBER < 0x030300
- gnutls_global_init();
-#endif
+ initializeCertificate();
- gnutls_priority_init(&cipherCache, ciphers, NULL);
-
- initializeCertificate();
-
- Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
-
- }
+ Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
+}
void SSLi_deinit()
- {
- gnutls_certificate_free_credentials(certificate);
- gnutls_priority_deinit(cipherCache);
- gnutls_global_deinit();
- }
+{
+ gnutls_certificate_free_credentials(certificate);
+ gnutls_priority_deinit(cipherCache);
+ gnutls_global_deinit();
+}
SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
- {
- gnutls_session_t * session = calloc(1, sizeof(gnutls_session_t));
+{
+ gnutls_session_t * session
+ = Memory_safeCalloc(1, sizeof(gnutls_session_t));
+
+ gnutls_init(session, GNUTLS_SERVER);
+ gnutls_priority_set(*session, cipherCache);
+ gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
- gnutls_init(session, GNUTLS_SERVER);
- gnutls_priority_set(*session, cipherCache);
- gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
+ gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
- gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
+ gnutls_transport_set_int(*session, *fileDescriptor);
- gnutls_transport_set_int(*session, *fileDescriptor);
+ if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
+ *isSSLReady = true;
- if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
- *isSSLReady = true;
+ return session;
+}
- return session;
- }
+bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash)
+{
+ gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL);
-bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
- {
- *hash = 0;
- return true;
- }
+ size_t resultSize = 0;
+ int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize);
+ return error == GNUTLS_E_SUCCESS && resultSize == 20;
+}
int SSLi_nonblockaccept( SSL_handle_t *session, bool_t * isSSLReady )
- {
- int error;
- do {
- error = gnutls_handshake(*session);
- } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error));
+{
+ int error;
+ do {
+ error = gnutls_handshake(*session);
+ } while(error < GNUTLS_E_SUCCESS && !gnutls_error_is_fatal(error));
- if ( error < GNUTLS_E_SUCCESS ) {
- Log_fatal("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error));
- }
+ if ( error < GNUTLS_E_SUCCESS ) {
+ Log_warn("TLS handshake failed with error %i (%s).", error, gnutls_strerror(error));
+ }
- if(isSSLReady)
- *isSSLReady = true;
+ if(isSSLReady)
+ *isSSLReady = true;
- return error;
- }
+ return error;
+}
int SSLi_read(SSL_handle_t *session, uint8_t *buffer, int length)
- {
- return gnutls_record_recv(*session, buffer, length);
- }
+{
+ return gnutls_record_recv(*session, buffer, length);
+}
int SSLi_write(SSL_handle_t *session, uint8_t *buffer, int length)
- {
- return gnutls_record_send(*session, buffer, length);
- }
+{
+ return gnutls_record_send(*session, buffer, length);
+}
int SSLi_get_error(SSL_handle_t *session, int code)
- {
- return code;
- }
+{
+ return code;
+}
bool_t SSLi_data_pending(SSL_handle_t *session)
- {
- return gnutls_record_check_pending(*session);
- }
+{
+ return gnutls_record_check_pending(*session);
+}
void SSLi_shutdown(SSL_handle_t *session)
- {
- gnutls_bye(*session, GNUTLS_SHUT_WR);
- }
+{
+ gnutls_bye(*session, GNUTLS_SHUT_WR);
+}
void SSLi_free(SSL_handle_t *session)
- {
- gnutls_deinit(*session);
- }
+{
+ gnutls_deinit(*session);
+ free(session);
+}
projects / umurmur.git / blobdiff