static gnutls_x509_privkey gen_crypto(requiem_client_profile_t *cp,
const char *filename, requiem_uid_t uid, requiem_gid_t gid)
{
int ret;
char buf[65535];
gnutls_x509_privkey key;
size_t size = sizeof(buf);
key = generate_private_key();
if ( ! key ) {
fprintf(stderr, "error while generating RSA private key.\n");
return NULL;
}
ret = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &size);
if ( ret < 0 ) {
fprintf(stderr, "error exporting private key: %s\n", gnutls_strerror(ret));
gnutls_x509_privkey_deinit(key);
return NULL;
}
ret = save_buf(filename, uid, gid, (unsigned char *) buf, size);
if ( ret < 0 ) {
fprintf(stderr, "error saving private key.\n");
return NULL;
}
return key;
}
void ExtractFile(struct file *sFile, DWORD dwPos)
{
DWORD dwOffset;
DWORD dwSize;
BYTE bName[40];
GetValue(dwPos, 1, "%X", &dwOffset);
GetValue(dwPos, 2, "%d", &dwSize);
GetValue(dwPos, 0, "%s", bName);
save_buf(bName, sFile->bMap + dwOffset, dwSize);
}
static int crt_export(requiem_client_profile_t *cp, gnutls_x509_crt *crt, const char *filename)
{
int ret;
size_t size;
unsigned char buf[65535];
size = sizeof(buf);
ret = gnutls_x509_crt_export(*crt, GNUTLS_X509_FMT_PEM, buf, &size);
if ( ret < 0 ) {
fprintf(stderr, "error exporting self-signed certificate: %s.\n", gnutls_strerror(ret));
gnutls_x509_crt_deinit(*crt);
return -1;
}
ret = save_buf(filename, requiem_client_profile_get_uid(cp), requiem_client_profile_get_gid(cp), buf, size);
if ( ret < 0 ) {
fprintf(stderr, "error saving private key certificate.\n");
gnutls_x509_crt_deinit(*crt);
return -1;
}
return 0;
}
int tls_revoke_analyzer(requiem_client_profile_t *cp, gnutls_x509_privkey key,
gnutls_x509_crt crt, uint64_t revoked_analyzerid)
{
int ret, i;
size_t len, dsize;
gnutls_datum data;
gnutls_x509_crl crl;
uint64_t analyzerid;
char crlfile[PATH_MAX], buf[65535];
ret = gnutls_x509_crl_init(&crl);
requiem_client_profile_get_tls_server_crl_filename(cp, crlfile, sizeof(crlfile));
ret = access(crlfile, R_OK);
if ( ret == 0 ) {
ret = _requiem_load_file(crlfile, &data.data, &dsize);
if ( ret < 0 ) {
fprintf(stderr, "error loading '%s': %s.\n", crlfile, requiem_strerror(ret));
return ret;
}
data.size = (unsigned int) dsize;
ret = gnutls_x509_crl_import(crl, &data, GNUTLS_X509_FMT_PEM);
if ( ret < 0 ) {
fprintf(stderr, "error importing CRL: %s.\n", gnutls_strerror(ret));
return -1;
}
}
for ( i = 0; i < gnutls_x509_crl_get_crt_count(crl); i++ ) {
len = sizeof(analyzerid);
gnutls_x509_crl_get_crt_serial(crl, i, (unsigned char *) &analyzerid, &len, NULL);
if ( analyzerid == revoked_analyzerid )
return 0;
}
ret = gnutls_x509_crl_set_crt_serial(crl, &revoked_analyzerid, sizeof(revoked_analyzerid), time(NULL));
if ( ret < 0 ) {
fprintf(stderr, "error setting CRL certificate serial: %s.\n", gnutls_strerror(ret));
return -1;
}
gnutls_x509_crl_set_version(crl, 2);
gnutls_x509_crl_set_next_update(crl, time(NULL));
gnutls_x509_crl_set_this_update(crl, time(NULL));
ret = gnutls_x509_crl_sign(crl, crt, key);
if ( ret < 0 ) {
fprintf(stderr, "error signing CRL: %s.\n", gnutls_strerror(ret));
return -1;
}
len = sizeof(buf);
ret = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_PEM, buf, &len);
if ( ret < 0 ) {
fprintf(stderr, "error exporting certificate revocation list: %s\n", gnutls_strerror(ret));
gnutls_x509_crl_deinit(crl);
return -1;
}
gnutls_x509_crl_deinit(crl);
unlink(crlfile);
ret = save_buf(crlfile, requiem_client_profile_get_uid(cp),
requiem_client_profile_get_gid(cp), (unsigned char *) buf, len);
if ( ret < 0 ) {
fprintf(stderr, "error saving private key.\n");
return -1;
}
return 1;
}
int tls_request_certificate(requiem_client_profile_t *cp, requiem_io_t *fd,
gnutls_x509_privkey key, requiem_connection_permission_t permission)
{
ssize_t ret;
ssize_t rsize;
char buf[65535];
unsigned char *rbuf;
gnutls_x509_crq crq;
size_t size = sizeof(buf);
requiem_log_debug(1, "Sending certificate request.\n");
crq = generate_certificate_request(cp, permission, key, (unsigned char *) buf, &size);
if ( ! crq )
return -1;
gnutls_x509_crq_deinit(crq);
ret = requiem_io_write_delimited(fd, buf, size);
if ( ret < 0 || (size_t) ret != size ) {
requiem_perror(ret, "error sending certificate request");
return -1;
}
requiem_log_debug(1, "Receiving signed certificate.\n");
rsize = requiem_io_read_delimited(fd, &rbuf);
if ( rsize < 0 ) {
requiem_perror(rsize, "error receiving CA-signed certificate");
return -1;
}
requiem_client_profile_get_tls_client_keycert_filename(cp, buf, sizeof(buf));
ret = remove_old(buf, rbuf, rsize);
if ( ret < 0 )
return ret;
ret = save_buf(buf, requiem_client_profile_get_uid(cp), requiem_client_profile_get_gid(cp), rbuf, rsize);
if ( ret < 0 )
return ret;
free(rbuf);
requiem_log_debug(1, "Receiving CA certificate.\n");
rsize = requiem_io_read_delimited(fd, &rbuf);
if ( rsize < 0 ) {
requiem_perror(rsize, "error receiving server certificate");
return rsize;
}
requiem_client_profile_get_tls_client_trusted_cert_filename(cp, buf, sizeof(buf));
ret = remove_old(buf, rbuf, rsize);
if ( ret < 0 )
return ret;
ret = save_buf(buf, requiem_client_profile_get_uid(cp), requiem_client_profile_get_gid(cp), rbuf, rsize);
if ( ret < 0 )
return ret;
free(rbuf);
return 0;
}
