static int handshake_callback(gnutls_session_t session, unsigned int htype,
unsigned post, unsigned int incoming, const gnutls_datum_t *rawmsg)
{
static unsigned idx = 0;
unsigned int msg;
if (msg_order[idx] != htype) {
fail("%s: %s, expected %s\n",
incoming != 0 ? "Received" : "Sent",
gnutls_handshake_description_get_name(htype),
gnutls_handshake_description_get_name(msg_order
[idx]));
exit(1);
}
idx++;
if (incoming != 0) {
msg = gnutls_handshake_get_last_in(session);
if (msg != htype) {
fail("last input message was not recorded (exp: %d, found: %d) \n", msg, htype);
exit(1);
}
} else {
msg = gnutls_handshake_get_last_out(session);
if (msg != htype) {
fail("last output message was not recorded (exp: %d, found: %d) \n", msg, htype);
exit(1);
}
}
return 0;
}
static Eina_Bool
_process_data(gnutls_session_t client, Ecore_Fd_Handler * fd_handler)
{
static int ret, lastret;
static unsigned int count = 0;
if (!done) {
lastret = ret;
ret = gnutls_handshake(client);
count++;
if (gnutls_record_get_direction(client))
ecore_main_fd_handler_active_set(fd_handler,
ECORE_FD_WRITE);
else
ecore_main_fd_handler_active_set(fd_handler,
ECORE_FD_READ);
/* avoid printing messages infinity times */
if (lastret != ret && ret != 0 && ret != GNUTLS_E_AGAIN) {
print("gnutls returned with: %s - %s",
gnutls_strerror_name(ret),
gnutls_strerror(ret));
if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED)
|| (ret == GNUTLS_E_FATAL_ALERT_RECEIVED))
print("Also received alert: %s",
gnutls_alert_get_name
(gnutls_alert_get(client)));
print("last out: %s",
SSL_GNUTLS_PRINT_HANDSHAKE_STATUS
(gnutls_handshake_get_last_out(client)));
print("last in: %s",
SSL_GNUTLS_PRINT_HANDSHAKE_STATUS
(gnutls_handshake_get_last_in(client)));
}
if (gnutls_error_is_fatal(ret)) {
print("yarrr this be an error!");
exit(1);
}
}
if (ret == GNUTLS_E_SUCCESS) {
done = 1;
//print("Handshake successful in %u handshake calls!", count);
ecore_main_loop_quit();
}
return ECORE_CALLBACK_RENEW;
}
static int server_callback(gnutls_session_t session)
{
server_ok = 1;
if (gnutls_handshake_get_last_in(session) !=
GNUTLS_HANDSHAKE_CERTIFICATE_PKT) {
fail("client's last input message was unexpected\n");
exit(1);
}
if (gnutls_handshake_get_last_out(session) !=
GNUTLS_HANDSHAKE_SERVER_HELLO_DONE) {
fail("client's last output message was unexpected\n");
exit(1);
}
return server_ret_val;
}
static Ecore_Con_Ssl_Error
_ecore_con_ssl_client_init_gnutls(Ecore_Con_Client *cl)
{
const gnutls_datum_t *cert_list;
unsigned int iter, cert_list_size;
const char *priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
int ret = 0;
switch (cl->ssl_state)
{
case ECORE_CON_SSL_STATE_DONE:
return ECORE_CON_SSL_ERROR_NONE;
case ECORE_CON_SSL_STATE_INIT:
if (cl->host_server->type & ECORE_CON_USE_SSL2) /* not supported because of security issues */
return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
switch (cl->host_server->type & ECORE_CON_SSL)
{
case ECORE_CON_USE_SSL3:
case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-TLS1.0:!VERS-TLS1.1";
break;
case ECORE_CON_USE_TLS:
case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-SSL3.0";
break;
case ECORE_CON_USE_MIXED:
case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
break;
default:
return ECORE_CON_SSL_ERROR_NONE;
}
_client_connected++;
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_init(&cl->session, GNUTLS_SERVER));
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_key_generate(&cl->session_ticket));
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_enable_server(cl->session, &cl->session_ticket));
INF("Applying priority string: %s", priority);
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_priority_set_direct(cl->session, priority, NULL));
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_CERTIFICATE, cl->host_server->cert));
// SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_PSK, cl->host_server->pskcred_s));
if (!cl->host_server->use_cert)
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_ANON, cl->host_server->anoncred_s));
gnutls_certificate_server_set_request(cl->session, GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits(cl->session, 2048);
gnutls_transport_set_ptr(cl->session, (gnutls_transport_ptr_t)((intptr_t)cl->fd));
cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
case ECORE_CON_SSL_STATE_HANDSHAKING:
if (!cl->session)
{
DBG("Client was previously lost, going to error condition");
goto error;
}
DBG("calling gnutls_handshake()");
ret = gnutls_handshake(cl->session);
SSL_ERROR_CHECK_GOTO_ERROR(gnutls_error_is_fatal(ret));
if (!ret)
{
cl->handshaking = EINA_FALSE;
cl->ssl_state = ECORE_CON_SSL_STATE_DONE;
}
else
{
if (gnutls_record_get_direction(cl->session))
ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
else
ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
return ECORE_CON_SSL_ERROR_NONE;
}
default:
break;
}
if (!cl->host_server->verify)
/* not verifying certificates, so we're done! */
return ECORE_CON_SSL_ERROR_NONE;
ret = 0;
/* use CRL/CA lists to verify */
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_verify_peers2(cl->session, &iter));
if (iter & GNUTLS_CERT_INVALID)
ERR("The certificate is not trusted.");
else if (iter & GNUTLS_CERT_SIGNER_NOT_FOUND)
ERR("The certificate hasn't got a known issuer.");
else if (iter & GNUTLS_CERT_REVOKED)
ERR("The certificate has been revoked.");
else if (iter & GNUTLS_CERT_EXPIRED)
ERR("The certificate has expired");
else if (iter & GNUTLS_CERT_NOT_ACTIVATED)
ERR("The certificate is not yet activated");
if (iter)
goto error;
if (gnutls_certificate_type_get(cl->session) != GNUTLS_CRT_X509)
{
ERR("Warning: PGP certificates are not yet supported!");
goto error;
}
SSL_ERROR_CHECK_GOTO_ERROR(!(cert_list = gnutls_certificate_get_peers(cl->session, &cert_list_size)));
SSL_ERROR_CHECK_GOTO_ERROR(!cert_list_size);
DBG("SSL certificate verification succeeded!");
return ECORE_CON_SSL_ERROR_NONE;
error:
_gnutls_print_errors(ret);
if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) || (ret == GNUTLS_E_FATAL_ALERT_RECEIVED))
ERR("Also received alert: %s", gnutls_alert_get_name(gnutls_alert_get(cl->session)));
if (cl->session && (cl->ssl_state != ECORE_CON_SSL_STATE_DONE))
{
ERR("last out: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_out(cl->session)));
ERR("last in: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_in(cl->session)));
}
_ecore_con_ssl_client_shutdown_gnutls(cl);
return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
}
gnutls_handshake_description_t session::get_handshake_last_out () const
{
return gnutls_handshake_get_last_out (s);
}
