static gnutls_session_t
initialize_tls_session (struct params_res *params)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct (session, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits (session, DH_BITS);
if (params->enable_db)
{
gnutls_db_set_retrieve_function (session, wrap_db_fetch);
gnutls_db_set_remove_function (session, wrap_db_delete);
gnutls_db_set_store_function (session, wrap_db_store);
gnutls_db_set_ptr (session, NULL);
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_enable_server (session, &session_ticket_key);
return session;
}
void server_session::set_db (const DB & db)
{
gnutls_db_set_ptr (s, const_cast < DB * >(&db));
gnutls_db_set_store_function (s, store_function);
gnutls_db_set_retrieve_function (s, retrieve_function);
gnutls_db_set_remove_function (s, remove_function);
}
gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_set_default_priority (session);
gnutls_kx_set_priority (session, kx_prio);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits (session, DH_BITS);
if (TLS_SESSION_CACHE != 0)
{
gnutls_db_set_retrieve_function (session, wrap_db_fetch);
gnutls_db_set_remove_function (session, wrap_db_delete);
gnutls_db_set_store_function (session, wrap_db_store);
gnutls_db_set_ptr (session, NULL);
}
return session;
}
static gnutls_session_t
initialize_tls_session (struct params_res *params)
{
gnutls_session_t session;
const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
gnutls_init (&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_set_default_priority (session);
gnutls_kx_set_priority (session, kx_prio);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits (session, DH_BITS);
if (params->enable_db)
{
gnutls_db_set_retrieve_function (session, wrap_db_fetch);
gnutls_db_set_remove_function (session, wrap_db_delete);
gnutls_db_set_store_function (session, wrap_db_store);
gnutls_db_set_ptr (session, NULL);
}
#ifdef ENABLE_SESSION_TICKET
if (params->enable_session_ticket_server)
gnutls_session_ticket_enable_server (session, &session_ticket_key);
#endif
return session;
}
// {{{ session cache
void SslDriver::cache(SslSocket *socket)
{
gnutls_db_set_ptr(socket->session_, this);
gnutls_db_set_store_function(socket->session_, &SslDriver::_store);
gnutls_db_set_remove_function(socket->session_, &SslDriver::_remove);
gnutls_db_set_retrieve_function(socket->session_, &SslDriver::_retrieve);
}
void SslDriver::initialize(SslSocket* socket)
{
gnutls_priority_set(socket->session_, priorities_);
// cache
gnutls_db_set_ptr(socket->session_, this);
gnutls_db_set_store_function(socket->session_, &SslDriver::_store);
gnutls_db_set_remove_function(socket->session_, &SslDriver::_remove);
gnutls_db_set_retrieve_function(socket->session_, &SslDriver::_retrieve);
}
static void
g_tls_server_connection_gnutls_init (GTlsServerConnectionGnutls *gnutls)
{
gnutls_certificate_credentials_t creds;
gnutls_session_t session;
gnutls->priv = G_TYPE_INSTANCE_GET_PRIVATE (gnutls, G_TYPE_TLS_SERVER_CONNECTION_GNUTLS, GTlsServerConnectionGnutlsPrivate);
creds = g_tls_connection_gnutls_get_credentials (G_TLS_CONNECTION_GNUTLS (gnutls));
gnutls_certificate_set_retrieve_function (creds, g_tls_server_connection_gnutls_retrieve_function);
session = g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls));
gnutls_db_set_retrieve_function (session, g_tls_server_connection_gnutls_db_retrieve);
gnutls_db_set_store_function (session, g_tls_server_connection_gnutls_db_store);
gnutls_db_set_remove_function (session, g_tls_server_connection_gnutls_db_remove);
}
void ebb_connection_start(ebb_connection *connection)
{
ebb_server *server = connection->server;
struct ev_loop *loop;
if(!connection->loop) {
connection->loop = server->loop;
}
loop = connection->loop;
/*Need thread safe session cache?*/
#ifdef HAVE_GNUTLS
if(server->secure) {
gnutls_init(&connection->session, GNUTLS_SERVER);
gnutls_transport_set_lowat(connection->session, 0);
gnutls_set_default_priority(connection->session);
gnutls_credentials_set(connection->session, GNUTLS_CRD_CERTIFICATE, connection->server->credentials);
gnutls_transport_set_ptr(connection->session, (gnutls_transport_ptr) fd);
gnutls_transport_set_push_function(connection->session, nosigpipe_push);
gnutls_db_set_ptr (connection->session, &server->session_cache);
gnutls_db_set_store_function (connection->session, session_cache_store);
gnutls_db_set_retrieve_function (connection->session, session_cache_retrieve);
gnutls_db_set_remove_function (connection->session, session_cache_remove);
}
ev_io_set(&connection->handshake_watcher, connection->fd, EV_READ | EV_WRITE);
#endif /* HAVE_GNUTLS */
/* Note: not starting the write watcher until there is data to be written */
ev_io_set(&connection->write_watcher, connection->fd, EV_WRITE);
ev_io_set(&connection->read_watcher, connection->fd, EV_READ);
/* XXX: seperate error watcher? */
ev_timer_again(loop, &connection->timeout_watcher);
#ifdef HAVE_GNUTLS
if(server->secure) {
ev_io_start(loop, &connection->handshake_watcher);
return;
}
#endif
ev_io_start(loop, &connection->read_watcher);
}
int ne_sock_accept_ssl(ne_socket *sock, ne_ssl_context *ctx)
{
int ret;
ne_ssl_socket ssl;
#if defined(HAVE_OPENSSL)
ssl = SSL_new(ctx->ctx);
SSL_set_fd(ssl, sock->fd);
sock->ssl = ssl;
ret = SSL_accept(ssl);
if (ret != 1) {
return error_ossl(sock, ret);
}
#elif defined(HAVE_GNUTLS)
gnutls_init(&ssl, GNUTLS_SERVER);
gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
gnutls_set_default_priority(ssl);
/* Set up dummy session cache. */
gnutls_db_set_store_function(ssl, store_sess);
gnutls_db_set_retrieve_function(ssl, retrieve_sess);
gnutls_db_set_remove_function(ssl, remove_sess);
gnutls_db_set_ptr(ssl, ctx);
if (ctx->verify)
gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
sock->ssl = ssl;
gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr) sock->fd);
ret = gnutls_handshake(ssl);
if (ret < 0) {
return error_gnutls(sock, ret);
}
if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
set_error(sock, _("Client certificate verification failed"));
return NE_SOCK_ERROR;
}
#endif
sock->ops = &iofns_ssl;
return 0;
}
static void server(int sds[], struct params_res *params)
{
gnutls_anon_server_credentials_t anoncred;
static gnutls_datum_t session_ticket_key = { NULL, 0 };
int ret;
size_t t;
gnutls_session_t session;
/* this must be called once in the program, it is mostly for the server.
*/
if (debug) {
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(3);
}
global_init();
gnutls_anon_allocate_server_credentials(&anoncred);
if (debug)
success("Launched, generating DH parameters...\n");
gnutls_anon_set_server_dh_params(anoncred, dh_params);
if (params->enable_db) {
wrap_db_init();
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_key_generate(&session_ticket_key);
for (t = 0; t < SESSIONS; t++) {
int sd = sds[t];
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits(session, DH_BITS);
if (params->enable_db) {
gnutls_db_set_retrieve_function(session, wrap_db_fetch);
gnutls_db_set_remove_function(session, wrap_db_delete);
gnutls_db_set_store_function(session, wrap_db_store);
gnutls_db_set_ptr(session, NULL);
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_enable_server(session,
&session_ticket_key);
gnutls_transport_set_int(session, sd);
gnutls_dtls_set_timeouts(session, 3*1000, 240 * 1000);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && (ret == GNUTLS_E_INTERRUPTED||ret == GNUTLS_E_AGAIN));
if (ret < 0) {
close(sd);
gnutls_deinit(session);
kill(child, SIGTERM);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
kill(child, SIGTERM);
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
}
if (params->enable_db) {
wrap_db_deinit();
}
gnutls_free(session_ticket_key.data);
session_ticket_key.data = NULL;
gnutls_anon_free_server_credentials(anoncred);
if (debug)
success("server: finished\n");
}
static gboolean mod_gnutls_con_new(liConnection *con, int fd) {
liEventLoop *loop = &con->wrk->loop;
liServer *srv = con->srv;
mod_context *ctx = con->srv_sock->data;
mod_connection_ctx *conctx;
gnutls_session_t session;
int r;
if (GNUTLS_E_SUCCESS > (r = gnutls_init(&session, GNUTLS_SERVER))) {
ERROR(srv, "gnutls_init (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
mod_gnutls_context_acquire(ctx);
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_set(session, ctx->server_priority))) {
ERROR(srv, "gnutls_priority_set (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
}
if (GNUTLS_E_SUCCESS > (r = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->server_cert))) {
ERROR(srv, "gnutls_credentials_set (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
}
if (NULL != ctx->session_db) {
gnutls_db_set_ptr(session, ctx->session_db);
gnutls_db_set_remove_function(session, session_db_remove_cb);
gnutls_db_set_retrieve_function(session, session_db_retrieve_cb);
gnutls_db_set_store_function(session, session_db_store_cb);
}
#ifdef HAVE_SESSION_TICKET
if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_enable_server(session, &ctx->ticket_key))) {
ERROR(srv, "gnutls_session_ticket_enable_server (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
}
#endif
#ifdef GNUTLS_ALPN_MAND
{
static const gnutls_datum_t proto_http1 = { (unsigned char*) CONST_STR_LEN("http/1.1") };
gnutls_alpn_set_protocols(session, &proto_http1, 1, 0);
}
#endif
conctx = g_slice_new0(mod_connection_ctx);
conctx->session = session;
conctx->sock_stream = li_iostream_new(con->wrk, fd, tcp_io_cb, conctx);
conctx->client_hello_stream = li_ssl_client_hello_stream(&con->wrk->loop, gnutls_client_hello_cb, conctx);
#ifdef USE_SNI
li_job_init(&conctx->sni_job, sni_job_cb);
conctx->sni_jobref = li_job_ref(&con->wrk->loop.jobqueue, &conctx->sni_job);
#endif
li_stream_connect(&conctx->sock_stream->stream_in, conctx->client_hello_stream);
conctx->tls_filter = li_gnutls_filter_new(srv, con->wrk, &filter_callbacks, conctx, conctx->session,
conctx->client_hello_stream, &conctx->sock_stream->stream_out);
conctx->con = con;
conctx->ctx = ctx;
con->con_sock.data = conctx;
con->con_sock.callbacks = &gnutls_tcp_cbs;
con->con_sock.raw_out = li_stream_plug_new(loop);
con->con_sock.raw_in = li_stream_plug_new(loop);
con->info.is_ssl = TRUE;
return TRUE;
fail:
gnutls_deinit(session);
mod_gnutls_context_release(ctx);
return FALSE;
}
/* Handle the high TCP length bit, currently only used for STARTTLS. */
int
kdc_extension (struct listenspec *ls)
{
int rc;
if (ls->usetls
|| ls->ai.ai_socktype != SOCK_STREAM
|| ls->bufpos < 4 || (ls->bufpos >= 4 && !(ls->buf[0] & 0x80)))
return 0;
if (x509cred == NULL || memcmp (ls->buf, STARTTLS_CLIENT_REQUEST,
STARTTLS_LEN) != 0)
return kdc_extension_reject (ls);
/* This message can arguably belong to LOG_AUTH,
* but leave it at the default facility. */
syslog (LOG_INFO, "Trying STARTTLS");
memcpy (ls->buf, STARTTLS_SERVER_ACCEPT, STARTTLS_LEN);
ls->bufpos = STARTTLS_LEN;
kdc_send1 (ls);
rc = gnutls_init (&ls->session, GNUTLS_SERVER);
if (rc != GNUTLS_E_SUCCESS)
{
syslog (LOG_ERR | LOG_DAEMON, "TLS initialization failed (%d): %s",
rc, gnutls_strerror (rc));
return -1;
}
rc = gnutls_priority_set_direct (ls->session, "NORMAL:+ANON-DH", NULL);
if (rc != GNUTLS_E_SUCCESS)
{
syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_psd %d: %s",
rc, gnutls_strerror (rc));
return -1;
}
rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_ANON, anoncred);
if (rc != GNUTLS_E_SUCCESS)
{
syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_cs %d: %s",
rc, gnutls_strerror (rc));
return -1;
}
rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_CERTIFICATE, x509cred);
if (rc != GNUTLS_E_SUCCESS)
{
syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_cs X.509 %d: %s",
rc, gnutls_strerror (rc));
return -1;
}
gnutls_certificate_server_set_request (ls->session, GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits (ls->session, DH_BITS);
gnutls_transport_set_ptr (ls->session, (gnutls_transport_ptr_t)
(unsigned long) ls->sockfd);
gnutls_db_set_retrieve_function (ls->session, resume_db_fetch);
gnutls_db_set_store_function (ls->session, resume_db_store);
gnutls_db_set_remove_function (ls->session, resume_db_delete);
rc = gnutls_handshake (ls->session);
if (rc < 0)
{
syslog (LOG_ERR | LOG_DAEMON, "TLS handshake failed (%d): %s\n",
rc, gnutls_strerror (rc));
return -1;
}
logtlsinfo (ls->session);
ls->bufpos = 0;
ls->usetls = 1;
return 0;
}
