int CTlsSocket::ContinueHandshake()
{
m_pOwner->LogMessage(Debug_Verbose, _T("CTlsSocket::ContinueHandshake()"));
wxASSERT(m_session);
wxASSERT(m_tlsState == handshake);
int res = gnutls_handshake(m_session);
while (res == GNUTLS_E_AGAIN || res == GNUTLS_E_INTERRUPTED)
{
if ( gnutls_record_get_direction(m_session) != 1 || !m_canWriteToSocket )
break;
res = gnutls_handshake(m_session);
}
if (!res)
{
m_pOwner->LogMessage(Debug_Info, _T("TLS Handshake successful"));
if (ResumedSession())
m_pOwner->LogMessage(Debug_Info, _T("TLS Session resumed"));
const wxString protocol = GetProtocolName();
const wxString keyExchange = GetKeyExchange();
const wxString cipherName = GetCipherName();
const wxString macName = GetMacName();
m_pOwner->LogMessage(Debug_Info, _T("Protocol: %s, Key exchange: %s, Cipher: %s, MAC: %s"), protocol.c_str(), keyExchange.c_str(), cipherName.c_str(), macName.c_str());
res = VerifyCertificate();
if (res != FZ_REPLY_OK)
return res;
if (m_shutdown_requested)
{
int error = Shutdown();
if (!error || error != EAGAIN)
{
CSocketEvent *evt = new CSocketEvent(m_pEvtHandler, this, CSocketEvent::close);
CSocketEventDispatcher::Get().SendEvent(evt);
}
}
return FZ_REPLY_OK;
}
else if (res == GNUTLS_E_AGAIN || res == GNUTLS_E_INTERRUPTED)
return FZ_REPLY_WOULDBLOCK;
Failure(res, ECONNABORTED);
return FZ_REPLY_ERROR;
}
int CTlsSocket::ContinueHandshake()
{
m_pOwner->LogMessage(MessageType::Debug_Verbose, _T("CTlsSocket::ContinueHandshake()"));
wxASSERT(m_session);
wxASSERT(m_tlsState == TlsState::handshake);
int res = gnutls_handshake(m_session);
while (res == GNUTLS_E_AGAIN || res == GNUTLS_E_INTERRUPTED) {
if (!(gnutls_record_get_direction(m_session) ? m_canWriteToSocket : m_canReadFromSocket)) {
break;
}
res = gnutls_handshake(m_session);
}
if (!res) {
m_pOwner->LogMessage(MessageType::Debug_Info, _T("TLS Handshake successful"));
if (ResumedSession())
m_pOwner->LogMessage(MessageType::Debug_Info, _T("TLS Session resumed"));
const wxString protocol = GetProtocolName();
const wxString keyExchange = GetKeyExchange();
const wxString cipherName = GetCipherName();
const wxString macName = GetMacName();
m_pOwner->LogMessage(MessageType::Debug_Info, _T("Protocol: %s, Key exchange: %s, Cipher: %s, MAC: %s"), protocol, keyExchange, cipherName, macName);
res = VerifyCertificate();
if (res != FZ_REPLY_OK)
return res;
if (m_shutdown_requested) {
int error = Shutdown();
if (!error || error != EAGAIN) {
m_pEvtHandler->send_event<CSocketEvent>(this, SocketEventType::close, 0);
}
}
return FZ_REPLY_OK;
}
else if (res == GNUTLS_E_AGAIN || res == GNUTLS_E_INTERRUPTED)
return FZ_REPLY_WOULDBLOCK;
Failure(res, true);
return FZ_REPLY_ERROR;
}
int CTlsSocket::VerifyCertificate()
{
if (m_tlsState != handshake)
{
m_pOwner->LogMessage(::Debug_Warning, _T("VerifyCertificate called at wrong time"));
return FZ_REPLY_ERROR;
}
m_tlsState = verifycert;
if (gnutls_certificate_type_get(m_session) != GNUTLS_CRT_X509)
{
m_pOwner->LogMessage(::Error, _("Unsupported certificate type"));
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
unsigned int status = 0;
if (gnutls_certificate_verify_peers2(m_session, &status) < 0)
{
m_pOwner->LogMessage(::Error, _("Failed to verify peer certificate"));
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
if (status & GNUTLS_CERT_REVOKED)
{
m_pOwner->LogMessage(::Error, _("Beware! Certificate has been revoked"));
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
{
m_pOwner->LogMessage(::Error, _("Incomplete chain, top certificate is not self-signed certificate authority certificate"));
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
if (m_require_root_trust && status & GNUTLS_CERT_SIGNER_NOT_FOUND)
{
m_pOwner->LogMessage(::Error, _("Root certificate is not trusted"));
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
unsigned int cert_list_size;
const gnutls_datum_t* cert_list = gnutls_certificate_get_peers(m_session, &cert_list_size);
if (!cert_list || !cert_list_size)
{
m_pOwner->LogMessage(::Error, _("gnutls_certificate_get_peers returned no certificates"));
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
if (m_implicitTrustedCert.data)
{
if (m_implicitTrustedCert.size != cert_list[0].size ||
memcmp(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size))
{
m_pOwner->LogMessage(::Error, _("Primary connection and data connection certificates don't match."));
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
TrustCurrentCert(true);
if (m_tlsState != conn)
return FZ_REPLY_ERROR;
return FZ_REPLY_OK;
}
std::vector<CCertificate> certificates;
for (unsigned int i = 0; i < cert_list_size; i++)
{
CCertificate cert;
if (ExtractCert(cert_list, cert))
certificates.push_back(cert);
else
{
Failure(0, ECONNABORTED);
return FZ_REPLY_ERROR;
}
++cert_list;
}
CCertificateNotification *pNotification = new CCertificateNotification(
m_pOwner->GetCurrentServer()->GetHost(),
m_pOwner->GetCurrentServer()->GetPort(),
GetProtocolName(),
GetKeyExchange(),
GetCipherName(),
GetMacName(),
certificates);
m_pOwner->SendAsyncRequest(pNotification);
m_pOwner->LogMessage(Status, _("Verifying certificate..."));
return FZ_REPLY_WOULDBLOCK;
}
