bool CTlsSocket::InitSession()
{
int res = gnutls_init(&m_session, GNUTLS_CLIENT);
if (res) {
LogError(res, _T("gnutls_init"));
Uninit();
return false;
}
// Even though the name gnutls_db_set_cache_expiration
// implies expiration of some cache, it also governs
// the actual session lifetime, independend whether the
// session is cached or not.
gnutls_db_set_cache_expiration(m_session, 100000000);
res = gnutls_priority_set_direct(m_session, ciphers, 0);
if (res) {
LogError(res, _T("gnutls_priority_set_direct"));
Uninit();
return false;
}
gnutls_dh_set_prime_bits(m_session, 512);
gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials);
// Setup transport functions
gnutls_transport_set_push_function(m_session, PushFunction);
gnutls_transport_set_pull_function(m_session, PullFunction);
gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
return true;
}
struct tls_connection * tls_connection_init(void *ssl_ctx)
{
struct tls_connection *conn;
const int cert_types[2] = { GNUTLS_CRT_X509, 0 };
const int protos[2] = { GNUTLS_TLS1, 0 };
conn = malloc(sizeof(*conn));
if (conn == NULL)
return NULL;
memset(conn, 0, sizeof(*conn));
if (gnutls_init(&conn->session, GNUTLS_CLIENT) < 0) {
wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS "
"connection");
free(conn);
return NULL;
}
gnutls_set_default_priority(conn->session);
gnutls_certificate_type_set_priority(conn->session, cert_types);
gnutls_protocol_set_priority(conn->session, protos);
gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func);
gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn);
gnutls_certificate_allocate_credentials(&conn->xcred);
return conn;
}
//general tls stuff-------------------------------------------------------------
static gnutls_session_t initialize_tls_session(bool sServer,
gnutls_srp_client_credentials_t &cClient, const struct sockaddr *aAddress,
socklen_t lLength, const char *aActual)
{
gnutls_session_t session;
gnutls_init(&session, sServer? GNUTLS_SERVER : GNUTLS_CLIENT);
if (use_srp_auth)
{
gnutls_priority_set_direct(session, sServer?
"NORMAL:+SRP" : "PERFORMANCE:+SRP", NULL);
if (!sServer)
set_client_passwd(cClient, aAddress, lLength, aActual);
gnutls_credentials_set(session, GNUTLS_CRD_SRP, sServer?
(void*) srp_server : (void*) cClient);
}
else
{
gnutls_priority_set_direct(session, sServer?
"NORMAL:+ANON-DH" : "PERFORMANCE:+ANON-DH", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, credentials);
}
gnutls_dh_set_prime_bits(session, 1024);
gnutls_transport_set_push_function(session, (gnutls_push_func) &write_wrapper);
gnutls_transport_set_pull_function(session, (gnutls_pull_func) &read_wrapper);
return session;
}
static gnutls_session new_tls_session(int sock)
{
int ret;
gnutls_session session;
const int kx_priority[] = {
GNUTLS_KX_ANON_DH,
#ifdef GNUTLS_SRP_ENABLED
GNUTLS_KX_SRP, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA,
#endif
0 };
gnutls_init(&session, GNUTLS_SERVER);
gnutls_set_default_priority(session);
gnutls_kx_set_priority(session, kx_priority);
#ifdef GNUTLS_SRP_ENABLED
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred);
gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE);
#endif
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr(session, fd_to_ptr(sock));
gnutls_transport_set_pull_function(session, tls_pull);
gnutls_transport_set_push_function(session, tls_push);
ret = gnutls_handshake(session);
if ( ret < 0 ) {
fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret));
gnutls_alert_send_appropriate(session, ret);
return NULL;
}
return session;
}
static rfbBool
InitializeTLSSession(rfbClient* client, rfbBool anonTLS)
{
int ret;
const char *p;
if (client->tlsSession) return TRUE;
if ((ret = gnutls_init((gnutls_session_t*)&client->tlsSession, GNUTLS_CLIENT)) < 0)
{
rfbClientLog("Failed to initialized TLS session: %s.\n", gnutls_strerror(ret));
return FALSE;
}
if ((ret = gnutls_priority_set_direct((gnutls_session_t)client->tlsSession,
anonTLS ? rfbAnonTLSPriority : rfbTLSPriority, &p)) < 0)
{
rfbClientLog("Warning: Failed to set TLS priority: %s (%s).\n", gnutls_strerror(ret), p);
}
gnutls_transport_set_ptr((gnutls_session_t)client->tlsSession, (gnutls_transport_ptr_t)client);
gnutls_transport_set_push_function((gnutls_session_t)client->tlsSession, PushTLS);
gnutls_transport_set_pull_function((gnutls_session_t)client->tlsSession, PullTLS);
rfbClientLog("TLS session initialized.\n");
return TRUE;
}
bool CTlsSocket::Init()
{
// This function initializes GnuTLS
int res = gnutls_global_init();
if (res)
{
LogError(res);
return false;
}
m_initialized = true;
res = gnutls_certificate_allocate_credentials(&m_certCredentials);
if (res < 0)
{
LogError(res);
Uninit();
return false;
}
res = gnutls_init(&m_session, GNUTLS_CLIENT);
if (res)
{
LogError(res);
Uninit();
return false;
}
res = gnutls_set_default_priority(m_session);
if (res)
{
LogError(res);
Uninit();
return false;
}
// Set which type of certificates we accept
const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
gnutls_certificate_type_set_priority(m_session, cert_type_priority);
if (res)
{
LogError(res);
Uninit();
return false;
}
gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials);
// Setup transport functions
gnutls_transport_set_push_function(m_session, PushFunction);
gnutls_transport_set_pull_function(m_session, PullFunction);
gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
gnutls_transport_set_lowat(m_session, 0);
m_shutdown_requested = false;
// At this point, we can start shaking hands.
return true;
}
static int
tls_handshake (struct ikstls_data **datap, ikstransport *trans, void *sock)
{
const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
struct ikstls_data *data;
int ret;
*datap = NULL;
data = iks_malloc (sizeof(*data));
if (!data) return IKS_NOMEM;
memset (data, 0, sizeof(*data));
data->trans = trans;
data->sock = sock;
data->timeout = -1;
if (gnutls_global_init () != 0) {
iks_free (data);
return IKS_NOMEM;
}
if (gnutls_certificate_allocate_credentials (&data->cred) < 0) {
iks_free (data);
return IKS_NOMEM;
}
if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
gnutls_certificate_free_credentials (data->cred);
iks_free (data);
return IKS_NOMEM;
}
gnutls_protocol_set_priority (data->sess, protocol_priority);
gnutls_cipher_set_priority(data->sess, cipher_priority);
gnutls_compression_set_priority(data->sess, comp_priority);
gnutls_kx_set_priority(data->sess, kx_priority);
gnutls_mac_set_priority(data->sess, mac_priority);
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
gnutls_transport_set_ptr (data->sess, data);
ret = gnutls_handshake (data->sess);
if (ret != 0) {
gnutls_deinit (data->sess);
gnutls_certificate_free_credentials (data->cred);
iks_free (data);
return IKS_NET_TLSFAIL;
}
*datap = data;
return IKS_OK;
}
TLSSocket::TLSSocket(std::shared_ptr<TLSSession> session, std::shared_ptr<socket> sok)
: m_session(session), m_wrapped(sok), m_connected(false),
m_handshaking(false), m_ex(NULL)
{
gnutls_transport_set_ptr(*m_session->m_gnutlsSession, this);
gnutls_transport_set_push_function(*m_session->m_gnutlsSession, gnutlsPushFunc);
gnutls_transport_set_pull_function(*m_session->m_gnutlsSession, gnutlsPullFunc);
}
liGnuTLSFilter* li_gnutls_filter_new(
liServer *srv, liWorker *wrk,
const liGnuTLSFilterCallbacks *callbacks, gpointer data,
gnutls_session_t session, liStream *crypt_source, liStream *crypt_drain
) {
liEventLoop *loop = crypt_source->loop;
liGnuTLSFilter *f;
liCQLimit *out_limit;
f = g_slice_new0(liGnuTLSFilter);
f->refcount = 5; /* 1 + 4 streams */
f->callbacks = callbacks;
f->callback_data = data;
f->srv = srv;
f->wrk = wrk;
f->session = session;
gnutls_transport_set_ptr(f->session, (gnutls_transport_ptr_t) f);
gnutls_transport_set_push_function(f->session, stream_push);
#ifdef HAVE_GIOVEC
gnutls_transport_set_vec_push_function(f->session, stream_pushv);
#endif
gnutls_transport_set_pull_function(f->session, stream_pull);
gnutls_session_set_ptr(f->session, f);
gnutls_handshake_set_post_client_hello_function(f->session, post_client_hello_cb);
f->initial_handshaked_finished = 0;
f->closing = f->aborted = 0;
f->write_wants_read = 0;
li_stream_init(&f->crypt_source, loop, stream_crypt_source_cb);
li_stream_init(&f->crypt_drain, loop, stream_crypt_drain_cb);
li_stream_init(&f->plain_source, loop, stream_plain_source_cb);
li_stream_init(&f->plain_drain, loop, stream_plain_drain_cb);
/* "virtual" connections - the content goes through SSL */
li_stream_connect(&f->plain_drain, &f->crypt_source);
li_stream_connect(&f->crypt_drain, &f->plain_source);
li_stream_connect(crypt_source, &f->crypt_drain);
li_stream_connect(&f->crypt_source, crypt_drain);
/* separate limit for buffer of encrypted data
*
* f->plain_drain is already connected to f->crypt_source,
* so they won't share the same limit */
out_limit = li_cqlimit_new();
out_limit->notify = stream_crypt_source_limit_notify_cb;
out_limit->context = f;
li_cqlimit_set_limit(out_limit, 32*1024);
li_chunkqueue_set_limit(crypt_drain->out, out_limit);
li_chunkqueue_set_limit(f->crypt_source.out, out_limit);
li_cqlimit_release(out_limit);
return f;
}
/**
* Enables SSL for the given connection.
*
* @param connection The connection to enable SSL for.
*
* @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection
* is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when
* SSL initialization, setup, or handshake fails.
*/
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_global_init();
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback);
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert);
if (uerr != USERPREF_E_SUCCESS) {
debug_info("Error %d when loading keys and certificates! %d", uerr);
}
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno)
debug_info("WARN: errno says %s before handshake!", strerror(errno));
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
return ret;
}
GIOChannel *g_io_channel_gnutls_new(int fd)
{
GIOGnuTLSChannel *gnutls_channel;
GIOChannel *channel;
int err;
DBG("");
gnutls_channel = g_new(GIOGnuTLSChannel, 1);
channel = (GIOChannel *) gnutls_channel;
g_io_channel_init(channel);
channel->funcs = &gnutls_channel_funcs;
gnutls_channel->fd = fd;
channel->is_seekable = FALSE;
channel->is_readable = TRUE;
channel->is_writeable = TRUE;
channel->do_encode = FALSE;
g_io_gnutls_global_init();
err = gnutls_init(&gnutls_channel->session, GNUTLS_CLIENT);
if (err < 0) {
g_free(gnutls_channel);
return NULL;
}
gnutls_transport_set_ptr(gnutls_channel->session, gnutls_channel);
gnutls_transport_set_push_function(gnutls_channel->session,
g_io_gnutls_push_func);
gnutls_transport_set_pull_function(gnutls_channel->session,
g_io_gnutls_pull_func);
#if GNUTLS_VERSION_NUMBER < 0x020c00
gnutls_transport_set_lowat(gnutls_channel->session, 0);
gnutls_priority_set_direct(gnutls_channel->session,
"NORMAL:%COMPAT", NULL);
#else
gnutls_priority_set_direct(gnutls_channel->session,
"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL);
#endif
gnutls_certificate_allocate_credentials(&gnutls_channel->cred);
gnutls_credentials_set(gnutls_channel->session,
GNUTLS_CRD_CERTIFICATE, gnutls_channel->cred);
DBG("channel %p", channel);
return channel;
}
void InitSession(StreamSocket* user, bool me_server)
{
gnutls_init(&sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
profile->SetupSession(sess);
gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(user));
gnutls_transport_set_push_function(sess, gnutls_push_wrapper);
gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper);
if (me_server)
gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
}
static int tls_gnutls_init_session(struct tls_global *global,
struct tls_connection *conn)
{
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
const char *err;
#else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */
const int cert_types[2] = { GNUTLS_CRT_X509, 0 };
const int protos[2] = { GNUTLS_TLS1, 0 };
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */
int ret;
ret = gnutls_init(&conn->session,
global->server ? GNUTLS_SERVER : GNUTLS_CLIENT);
if (ret < 0) {
wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS "
"connection: %s", gnutls_strerror(ret));
return -1;
}
ret = gnutls_set_default_priority(conn->session);
if (ret < 0)
goto fail;
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0",
&err);
if (ret < 0) {
wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at "
"'%s'", err);
goto fail;
}
#else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */
ret = gnutls_certificate_type_set_priority(conn->session, cert_types);
if (ret < 0)
goto fail;
ret = gnutls_protocol_set_priority(conn->session, protos);
if (ret < 0)
goto fail;
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */
gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func);
gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn);
return 0;
fail:
wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s",
gnutls_strerror(ret));
gnutls_deinit(conn->session);
return -1;
}
static int
handshake (struct stream_data *data)
{
const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
int ret;
#ifndef WIN32
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
#endif
if (gnutls_global_init () != 0)
return IKS_NOMEM;
if (gnutls_certificate_allocate_credentials (&data->cred) < 0)
return IKS_NOMEM;
if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
gnutls_certificate_free_credentials (data->cred);
return IKS_NOMEM;
}
gnutls_protocol_set_priority (data->sess, protocol_priority);
gnutls_cipher_set_priority(data->sess, cipher_priority);
gnutls_compression_set_priority(data->sess, comp_priority);
gnutls_kx_set_priority(data->sess, kx_priority);
gnutls_mac_set_priority(data->sess, mac_priority);
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
gnutls_transport_set_ptr (data->sess, data->prs);
ret = gnutls_handshake (data->sess);
if (ret != 0) {
gnutls_deinit (data->sess);
gnutls_certificate_free_credentials (data->cred);
return IKS_NET_TLSFAIL;
}
data->flags &= (~SF_TRY_SECURE);
data->flags |= SF_SECURE;
iks_send_header (data->prs, data->server);
return IKS_OK;
} // HAVE_GNUTLS
void GnuTlsStream::handshake(const GnuTlsServer& server)
{
log_debug("gnutls_init(session, GNUTLS_SERVER)");
int ret = gnutls_init(&_session, GNUTLS_SERVER);
if (ret != 0)
throw GnuTlsException("gnutls_init", ret);
log_debug("gnutls_set_default_priority");
ret = gnutls_set_default_priority(_session);
if (ret != 0)
throw GnuTlsException("gnutls_set_default_priority", ret);
log_debug("gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, "
<< server.getCred() << ')');
ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, server.getCred());
if (ret != 0)
throw GnuTlsException("gnutls_credentials_set", ret);
log_debug("gnutls_dh_set_prime_bits(session, 1024)");
gnutls_dh_set_prime_bits(_session, 1024);
_fdInfo.fd = getFd();
_fdInfo.timeout = getTimeout();
log_debug("gnutls_transport_set_ptr(ptr)");
gnutls_transport_set_ptr(_session, static_cast<gnutls_transport_ptr_t>(&_fdInfo));
log_debug("gnutls_transport_set_pull_function()");
gnutls_transport_set_pull_function(_session, pull_func);
log_debug("gnutls_transport_set_push_function()");
gnutls_transport_set_push_function(_session, push_func);
// non-blocking/with timeout
_fdInfo.timeout = 10000;
log_debug("gnutls_handshake");
ret = gnutls_handshake(_session);
log_debug("gnutls_handshake => " << ret);
if (ret != 0)
throw GnuTlsException("gnutls_handshake", ret);
_connected = true;
_fdInfo.timeout = getTimeout();
log_debug("ssl-handshake was completed");
}
void
evcom_stream_assign_fds (evcom_stream *stream, int recvfd, int sendfd)
{
assert(recvfd >= 0);
assert(sendfd >= 0);
if (recvfd == sendfd) stream->flags |= EVCOM_DUPLEX;
if (set_nonblock(recvfd) != 0) {
evcom_perror("set_nonblock(recvfd)", errno);
}
if (set_nonblock(sendfd) != 0) {
evcom_perror("set_nonblock(sendfd)", errno);
}
#ifdef SO_NOSIGPIPE
if (DUPLEX(stream)) {
int flags = 1;
int r = setsockopt(sendfd, SOL_SOCKET, SO_NOSIGPIPE, &flags, sizeof(flags));
if (r < 0) {
evcom_perror("setsockopt(SO_NOSIGPIPE)", errno);
}
}
#endif
ev_io_set(&stream->read_watcher, recvfd, EV_READ);
ev_io_set(&stream->write_watcher, sendfd, EV_WRITE);
stream->recvfd = recvfd;
stream->sendfd = sendfd;
stream->send_action = stream__connection_established;
stream->recv_action = stream__connection_established;
stream->flags |= EVCOM_READABLE;
stream->flags |= EVCOM_WRITABLE;
#if EVCOM_HAVE_GNUTLS
if (SECURE(stream)) {
gnutls_transport_set_lowat(stream->session, 0);
gnutls_transport_set_push_function(stream->session, nosigpipe_push);
gnutls_transport_set_pull_function(stream->session, pull);
gnutls_transport_set_ptr2(stream->session, stream, stream);
}
#endif
}
TLSSocket_GnuTLS::TLSSocket_GnuTLS(
const shared_ptr <TLSSession_GnuTLS>& session,
const shared_ptr <socket>& sok
)
: m_session(session),
m_wrapped(sok),
m_connected(false),
m_ex(NULL),
m_status(0),
m_errno(0) {
gnutls_transport_set_ptr(*m_session->m_gnutlsSession, this);
gnutls_transport_set_push_function(*m_session->m_gnutlsSession, gnutlsPushFunc);
gnutls_transport_set_pull_function(*m_session->m_gnutlsSession, gnutlsPullFunc);
gnutls_transport_set_errno_function(*m_session->m_gnutlsSession, gnutlsErrnoFunc);
}
static gnutls_session_t new_tls_session(int sock)
{
int ret;
gnutls_session_t session;
const char *err;
#if defined LIBGNUTLS_VERSION_MAJOR && LIBGNUTLS_VERSION_MAJOR >= 3
# define TLS_DH_STR "+ANON-ECDH:+ANON-DH"
#else
# define TLS_DH_STR "+ANON-DH"
#endif
#ifdef GNUTLS_SRP_ENABLED
const char *pstring = "NORMAL:+SRP:+SRP-DSS:+SRP-RSA:" TLS_DH_STR;
#else
const char *pstring = "NORMAL:" TLS_DH_STR;
#endif
gnutls_init(&session, GNUTLS_SERVER);
gnutls_set_default_priority(session);
ret = gnutls_priority_set_direct(session, pstring, &err);
if (ret < 0) {
fprintf(stderr, "TLS priority syntax error at: %s\n", err);
return NULL;
}
#ifdef GNUTLS_SRP_ENABLED
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred);
gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE);
#endif
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr(session, fd_to_ptr(sock));
gnutls_transport_set_pull_function(session, tls_pull);
gnutls_transport_set_push_function(session, tls_push);
ret = gnutls_handshake(session);
if ( ret < 0 ) {
fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret));
gnutls_alert_send_appropriate(session, ret);
return NULL;
}
return session;
}
/** \brief Start the action
*/
crypto_err_t tls_full_t::start(tls_privctx_t * p_tls_privctx
, const pkt_t &p_lower_buf_l2u) throw()
{
// log to debug
KLOG_DBG("enter");
// copy the parameters
this->m_tls_privctx = p_tls_privctx;
this->m_lower_buf_l2u = p_lower_buf_l2u;
// set all the custom read/write function
gnutls_session_t gnutls_sess = m_tls_privctx->session();
gnutls_transport_set_ptr(gnutls_sess, (gnutls_transport_ptr_t) this);
gnutls_transport_set_pull_function(gnutls_sess, tls_full_c_read_cb);
gnutls_transport_set_push_function(gnutls_sess, tls_full_c_write_cb);
// return no error
return crypto_err_t::OK;
}
bool GnuTLSClientAnon::init( const std::string&,
const std::string&,
const StringList& )
{
if( m_initLib && gnutls_global_init() != 0 )
return false;
if( gnutls_anon_allocate_client_credentials( &m_anoncred ) < 0 )
return false;
if( gnutls_init( m_session, GNUTLS_CLIENT ) != 0 )
return false;
#if GNUTLS_VERSION_NUMBER >= 0x020600
int ret = gnutls_priority_set_direct( *m_session, "SECURE128:+PFS:+COMP-ALL:+VERS-TLS-ALL:-VERS-SSL3.0:+SIGN-ALL:+CURVE-ALL", 0 );
if( ret != GNUTLS_E_SUCCESS )
return false;
#else
const int protocolPriority[] = {
#ifdef GNUTLS_TLS1_2
GNUTLS_TLS1_2,
#endif
GNUTLS_TLS1_1, GNUTLS_TLS1, 0 };
const int protocolPriority[] = { GNUTLS_TLS1, 0 };
const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 };
const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
gnutls_protocol_set_priority( *m_session, protocolPriority );
gnutls_cipher_set_priority( *m_session, cipherPriority );
gnutls_compression_set_priority( *m_session, compPriority );
gnutls_kx_set_priority( *m_session, kxPriority );
gnutls_mac_set_priority( *m_session, macPriority );
#endif
gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred );
gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this );
gnutls_transport_set_push_function( *m_session, pushFunc );
gnutls_transport_set_pull_function( *m_session, pullFunc );
m_valid = true;
return true;
}
void Plugin::onDestroy(LightBird::IClient &client)
{
gnutls_session_t session;
if (client.getInformations().contains("gnutls_session"))
{
session = client.getInformations().value("gnutls_session").value<gnutls_session_t>();
// Properly terminates the TLS session
if (client.getSocket().isConnected())
{
gnutls_transport_set_pull_function(session, Record::pull);
gnutls_transport_set_push_function(session, Plugin::push);
gnutls_bye(session, GNUTLS_SHUT_RDWR);
}
this->handshake->removeTimeout(client);
gnutls_deinit(session);
}
}
/** \brief Start the action
*/
crypto_err_t tls_resp_t::start() throw()
{
crypto_err_t crypto_err;
// log to debug
KLOG_DBG("enter");
// start the tls_privctx_t
m_tls_privctx = nipmem_new tls_privctx_t();
crypto_err = m_tls_privctx->start_server(m_profile);
if( crypto_err.failed() ) return crypto_err;
// set all the custom read/write function
gnutls_session_t gnutls_sess = m_tls_privctx->session();
gnutls_transport_set_ptr(gnutls_sess, (gnutls_transport_ptr_t) this);
gnutls_transport_set_pull_function(gnutls_sess, tls_resp_c_read_cb);
gnutls_transport_set_push_function(gnutls_sess, tls_resp_c_write_cb);
// return no error
return crypto_err_t::OK;
}
void ssl_init(gnutls_session_t *session,
gnutls_certificate_credentials_t *xcred,
void *push_cb,
void *pull_cb,
void *pull_timeout_cb)
{
/* X509 */
gnutls_certificate_allocate_credentials(xcred);
gnutls_certificate_set_verify_function(*xcred, _verify_certificate_callback);
/* init things! */
gnutls_init(session, GNUTLS_CLIENT);
gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, *xcred);
gnutls_transport_set_push_function(*session, push_cb);
gnutls_transport_set_pull_function(*session, pull_cb);
gnutls_transport_set_pull_timeout_function(*session, pull_timeout_cb);
/* handshake */
gnutls_handshake(*session);
}
my_bool ma_ssl_connect(MARIADB_SSL *cssl)
{
gnutls_session_t ssl = (gnutls_session_t)cssl->ssl;
my_bool blocking;
MYSQL *mysql;
MARIADB_PVIO *pvio;
int ret;
mysql= (MYSQL *)gnutls_session_get_ptr(ssl);
if (!mysql)
return 1;
pvio= mysql->net.pvio;
/* Set socket to blocking if not already set */
if (!(blocking= pvio->methods->is_blocking(pvio)))
pvio->methods->blocking(pvio, TRUE, 0);
/* we don't use GnuTLS read/write functions */
gnutls_transport_set_ptr(ssl, pvio);
gnutls_transport_set_push_function(ssl, ma_ssl_push);
gnutls_transport_set_pull_function(ssl, ma_ssl_pull);
gnutls_transport_set_pull_timeout_function(ssl, ma_ssl_pull_timeout);
gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT]);
do {
ret = gnutls_handshake(ssl);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0)
{
ma_ssl_set_error(mysql, ret);
/* restore blocking mode */
if (!blocking)
pvio->methods->blocking(pvio, FALSE, 0);
return 1;
}
cssl->ssl= (void *)ssl;
return 0;
}
static int
tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
{
struct tls_data *p;
tlsg_session *session = arg;
assert( sbiod != NULL );
p = LBER_MALLOC( sizeof( *p ) );
if ( p == NULL ) {
return -1;
}
gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
gnutls_transport_set_pull_function( session->session, tlsg_recv );
gnutls_transport_set_push_function( session->session, tlsg_send );
p->session = session;
p->sbiod = sbiod;
sbiod->sbiod_pvt = p;
return 0;
}
void InitSession(StreamSocket* user, bool me_server)
{
issl_session* session = &sessions[user->GetFd()];
gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
session->socket = user;
#ifdef GNUTLS_NEW_PRIO_API
gnutls_priority_set(session->sess, priority);
#endif
gnutls_credentials_set(session->sess, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_dh_set_prime_bits(session->sess, dh_bits);
gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session));
gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper);
gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper);
if (me_server)
gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
Handshake(session, user);
}
static int tls_gnutls_init_session(struct tls_global *global,
struct tls_connection *conn)
{
const int cert_types[2] = { GNUTLS_CRT_X509, 0 };
const int protos[2] = { GNUTLS_TLS1, 0 };
int ret;
ret = gnutls_init(&conn->session,
global->server ? GNUTLS_SERVER : GNUTLS_CLIENT);
if (ret < 0) {
wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS "
"connection: %s", gnutls_strerror(ret));
return -1;
}
ret = gnutls_set_default_priority(conn->session);
if (ret < 0)
goto fail;
ret = gnutls_certificate_type_set_priority(conn->session, cert_types);
if (ret < 0)
goto fail;
ret = gnutls_protocol_set_priority(conn->session, protos);
if (ret < 0)
goto fail;
gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func);
gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn);
return 0;
fail:
wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s",
gnutls_strerror(ret));
gnutls_deinit(conn->session);
return -1;
}
bool GnuTLSServerAnon::init( const std::string&,
const std::string&,
const StringList& )
{
const int protocolPriority[] = { GNUTLS_TLS1, 0 };
const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 };
const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
if( m_initLib && gnutls_global_init() != 0 )
return false;
if( gnutls_anon_allocate_server_credentials( &m_anoncred ) < 0 )
return false;
generateDH();
gnutls_anon_set_server_dh_params( m_anoncred, m_dhParams );
if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 )
return false;
gnutls_protocol_set_priority( *m_session, protocolPriority );
gnutls_cipher_set_priority( *m_session, cipherPriority );
gnutls_compression_set_priority( *m_session, compPriority );
gnutls_kx_set_priority( *m_session, kxPriority );
gnutls_mac_set_priority( *m_session, macPriority );
gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred );
gnutls_dh_set_prime_bits( *m_session, m_dhBits );
gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this );
gnutls_transport_set_push_function( *m_session, pushFunc );
gnutls_transport_set_pull_function( *m_session, pullFunc );
m_valid = true;
return true;
}
static int tls_gnutls_init_session(struct tls_global *global,
struct tls_connection *conn)
{
const char *err;
int ret;
ret = gnutls_init(&conn->session,
global->server ? GNUTLS_SERVER : GNUTLS_CLIENT);
if (ret < 0) {
wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS "
"connection: %s", gnutls_strerror(ret));
return -1;
}
ret = gnutls_set_default_priority(conn->session);
if (ret < 0)
goto fail;
ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0",
&err);
if (ret < 0) {
wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at "
"'%s'", err);
goto fail;
}
gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func);
gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr_t) conn);
gnutls_session_set_ptr(conn->session, conn);
return 0;
fail:
wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s",
gnutls_strerror(ret));
gnutls_deinit(conn->session);
return -1;
}
static void ekg_gnutls_new_session(
GSocketClient *sockclient,
GSocketConnection *sock,
struct ekg_connection_starter *cs)
{
gnutls_session_t s;
gnutls_certificate_credentials_t cred;
struct ekg_gnutls_connection *conn = g_slice_new(struct ekg_gnutls_connection);
struct ekg_gnutls_connection_starter *gcs = g_slice_new(struct ekg_gnutls_connection_starter);
g_assert(!gnutls_certificate_allocate_credentials(&cred));
g_assert(!gnutls_init(&s, GNUTLS_CLIENT));
g_assert(!gnutls_priority_set_direct(s, "PERFORMANCE", NULL)); /* XXX */
g_assert(!gnutls_credentials_set(s, GNUTLS_CRD_CERTIFICATE, cred));
gnutls_transport_set_pull_function(s, ekg_gnutls_pull);
gnutls_transport_set_push_function(s, ekg_gnutls_push);
gnutls_transport_set_ptr(s, conn);
gcs->parent = cs;
gcs->conn = conn;
gcs->sockclient = sockclient;
conn->session = s;
conn->cred = cred;
conn->connection_error = NULL;
conn->connection = get_connection_by_outstream(
ekg_connection_add(
sock,
g_io_stream_get_input_stream(G_IO_STREAM(sock)),
g_io_stream_get_output_stream(G_IO_STREAM(sock)),
ekg_gnutls_handle_handshake_input,
ekg_gnutls_handle_handshake_failure,
gcs)
);
g_assert(conn->connection);
ekg_gnutls_async_handshake(gcs);
}
