bool CTlsSocket::InitSession()
{
int res = gnutls_init(&m_session, GNUTLS_CLIENT);
if (res) {
LogError(res, _T("gnutls_init"));
Uninit();
return false;
}
// Even though the name gnutls_db_set_cache_expiration
// implies expiration of some cache, it also governs
// the actual session lifetime, independend whether the
// session is cached or not.
gnutls_db_set_cache_expiration(m_session, 100000000);
res = gnutls_priority_set_direct(m_session, ciphers, 0);
if (res) {
LogError(res, _T("gnutls_priority_set_direct"));
Uninit();
return false;
}
gnutls_dh_set_prime_bits(m_session, 512);
gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials);
// Setup transport functions
gnutls_transport_set_push_function(m_session, PushFunction);
gnutls_transport_set_pull_function(m_session, PullFunction);
gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
return true;
}
/* Returns true if resumed */
static unsigned handshake(const char *prio, unsigned t, const gnutls_datum_t *sdata,
gnutls_datum_t *ndata,
gnutls_datum_t *skey,
struct hsk_st *h)
{
int ret;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
char buf[128];
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0);
assert(gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&server, GNUTLS_SERVER)>=0);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
assert(gnutls_priority_set_direct(server, prio, NULL)>=0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_session_set_ptr(server, h);
gnutls_db_set_cache_expiration(server, t);
assert(gnutls_session_ticket_enable_server(server, skey) >= 0);
gnutls_handshake_set_hook_function(server, -1,
GNUTLS_HOOK_POST,
handshake_callback);
assert(gnutls_certificate_allocate_credentials(&clientx509cred)>=0);
assert(gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&client, GNUTLS_CLIENT)>=0);
assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred)>=0);
assert(gnutls_priority_set_direct(client, prio, NULL)>=0);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
if (sdata) {
assert(gnutls_session_set_data(client, sdata->data, sdata->size)>=0);
}
memset(buf, 0, sizeof(buf));
ret = gnutls_session_set_data(client, buf, sizeof(buf));
if (ret != GNUTLS_E_DB_ERROR) {
fail("unexpected error: %s\n", gnutls_strerror(ret));
}
HANDSHAKE(client, server);
gnutls_record_recv(client, buf, sizeof(buf));
if (ndata) {
ret = gnutls_session_get_data2(client, ndata);
if (ret < 0) {
fail("unexpected error: %s\n", gnutls_strerror(ret));
}
}
ret = gnutls_session_is_resumed(client);
gnutls_deinit(server);
gnutls_deinit(client);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
reset_buffers();
return ret;
}
static gnutls_session
tls_session_init(int side, uschar *expciphers, uschar *expmac, uschar *expkx,
uschar *expproto)
{
gnutls_session session;
gnutls_init(&session, side);
/* Initialize the lists of permitted protocols, key-exchange methods, ciphers,
and MACs. */
memcpy(cipher_priority, default_cipher_priority, sizeof(cipher_priority));
memcpy(mac_priority, default_mac_priority, sizeof(mac_priority));
memcpy(kx_priority, default_kx_priority, sizeof(kx_priority));
memcpy(proto_priority, default_proto_priority, sizeof(proto_priority));
/* The names OpenSSL uses in tls_require_ciphers are of the form DES-CBC3-SHA,
using hyphen separators. GnuTLS uses underscore separators. So that I can use
either form for tls_require_ciphers in my tests, and also for general
convenience, we turn hyphens into underscores before scanning the list. */
if (expciphers != NULL)
{
uschar *s = expciphers;
while (*s != 0) { if (*s == '-') *s = '_'; s++; }
}
if ((expciphers != NULL &&
!set_priority(cipher_priority, sizeof(cipher_priority)/sizeof(int),
expciphers, cipher_index, sizeof(cipher_index)/sizeof(pri_item),
US"cipher")) ||
(expmac != NULL &&
!set_priority(mac_priority, sizeof(mac_priority)/sizeof(int),
expmac, mac_index, sizeof(mac_index)/sizeof(pri_item),
US"MAC")) ||
(expkx != NULL &&
!set_priority(kx_priority, sizeof(kx_priority)/sizeof(int),
expkx, kx_index, sizeof(kx_index)/sizeof(pri_item),
US"key-exchange")) ||
(expproto != NULL &&
!set_priority(proto_priority, sizeof(proto_priority)/sizeof(int),
expproto, proto_index, sizeof(proto_index)/sizeof(pri_item),
US"protocol")))
{
gnutls_deinit(session);
return NULL;
}
/* Define the various priorities */
gnutls_cipher_set_priority(session, cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
gnutls_kx_set_priority(session, kx_priority);
gnutls_protocol_set_priority(session, proto_priority);
gnutls_mac_set_priority(session, mac_priority);
gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_dh_set_prime_bits(session, DH_BITS);
/* Request or demand a certificate of the peer, as configured. This will
happen only in a server. */
if (verify_requirement != VERIFY_NONE)
gnutls_certificate_server_set_request(session,
(verify_requirement == VERIFY_OPTIONAL)?
GNUTLS_CERT_REQUEST : GNUTLS_CERT_REQUIRE);
gnutls_db_set_cache_expiration(session, ssl_session_timeout);
/* Reduce security in favour of increased compatibility, if the admin
decides to make that trade-off. */
if (gnutls_compat_mode)
{
#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
gnutls_session_enable_compatibility_mode(session);
#else
DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
#endif
}
DEBUG(D_tls) debug_printf("initialized GnuTLS session\n");
return session;
}
void server_session::set_db_cache_expiration (unsigned int seconds)
{
gnutls_db_set_cache_expiration (s, seconds);
}
