int
manos_tls_init (manos_tls_socket_t *tls, const char *cert, const char *key)
{
manos_tls_socket_t socket;
int err;
socket = malloc (sizeof (*socket));
if (socket == NULL) {
return ENOMEM;
}
memset (socket, 0, sizeof (*socket));
err = gnutls_certificate_allocate_credentials (&socket->credentials);
if (err != 0) {
return err;
}
err = gnutls_certificate_set_x509_key_file (socket->credentials, cert, key, GNUTLS_X509_FMT_PEM);
if (err != 0) {
return err;
}
gnutls_certificate_set_params_function(socket->credentials, get_dh_params);
*tls = socket;
return 0;
}
int ne_ssl_context_keypair(ne_ssl_context *ctx,
const char *cert, const char *key)
{
gnutls_certificate_set_x509_key_file(ctx->cred, cert, key,
GNUTLS_X509_FMT_PEM);
return 0;
}
void TLSSocket::init(const std::string& caPath,
const std::string& crlPath,
const std::string& certPath,
const std::string& keyPath) {
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
gnutls_global_init();
gnutls_certificate_allocate_credentials(&xcred);
if (!caPath.empty()) {
gnutls_certificate_set_x509_trust_file(xcred,
caPath.c_str(),
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_flags (xcred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
}
if (!crlPath.empty()) {
gnutls_certificate_set_x509_crl_file(xcred,
crlPath.c_str(),
GNUTLS_X509_FMT_PEM);
}
gnutls_certificate_set_x509_key_file(xcred,
certPath.c_str(),
keyPath.c_str(),
GNUTLS_X509_FMT_PEM);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, 1024);
gnutls_priority_init(&priority_cache, "NORMAL", NULL);
gnutls_certificate_set_dh_params(xcred, dh_params);
}
int ufwissl_ssl_context_keypair(ufwissl_ssl_context * ctx,
const char *cert, const char *key)
{
return (gnutls_certificate_set_x509_key_file(ctx->cred, cert, key,
GNUTLS_X509_FMT_PEM)
== 0) ? UFWISSL_OK : UFWISSL_ERROR;
}
static bool
ConnSSL_LoadServerKey_gnutls(void)
{
int err;
const char *cert_file;
err = gnutls_certificate_allocate_credentials(&x509_cred);
if (err < 0) {
Log(LOG_ERR, "gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err));
return false;
}
cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
if (!cert_file) {
Log(LOG_NOTICE, "No SSL server key configured, SSL disabled.");
return false;
}
if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
Log(LOG_WARNING,
"Ignoring KeyFilePassword: Not supported by GNUTLS.");
if (!Load_DH_params())
return false;
gnutls_certificate_set_dh_params(x509_cred, dh_params);
err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, Conf_SSLOptions.KeyFile, GNUTLS_X509_FMT_PEM);
if (err < 0) {
Log(LOG_ERR, "gnutls_certificate_set_x509_key_file (cert %s, key %s): %s",
cert_file, Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)", gnutls_strerror(err));
return false;
}
return true;
}
//////////////////////////////////////////////////////////////////////
// GnuTlsX509Cred
//
GnuTlsX509Cred::GnuTlsX509Cred(const char* certificateFile, const char* privateKeyFile)
{
int ret;
log_debug("gnutls_certificate_allocate_credentials");
ret = gnutls_certificate_allocate_credentials(&_x509_cred);
if (ret != 0)
throw GnuTlsException("gnutls_certificate_allocate_credentials", ret);
log_debug("gnutls_certificate_allocate_credentials => " << _x509_cred);
// gnutls_certificate_set_x509_trust_file(x509_cred, caFile, GNUTLS_X509_FMT_PEM);
// gnutls_certificate_set_x509_crl_file(x509_cred, crlFile, GNUTLS_X509_FMT_PEM);
try
{
log_debug("gnutls_certificate_set_x509_key_file(x509_cred, \""
<< certificateFile << "\", \"" << privateKeyFile
<< "\", GNUTLS_X509_FMT_PEM)");
ret = gnutls_certificate_set_x509_key_file(_x509_cred, certificateFile,
privateKeyFile, GNUTLS_X509_FMT_PEM);
if (ret < 0)
throw GnuTlsException("gnutls_certificate_set_x509_key_file", ret);
log_debug("gnutls_certificate_set_dh_params");
gnutls_certificate_set_dh_params(_x509_cred, _init.getDhParams());
}
catch (...)
{
log_debug("gnutls_certificate_free_credentials");
gnutls_certificate_free_credentials(_x509_cred);
throw;
}
}
struct rfbssl_ctx *rfbssl_init_global(char *key, char *cert)
{
int ret = GNUTLS_E_SUCCESS;
struct rfbssl_ctx *ctx = NULL;
if (NULL == (ctx = malloc(sizeof(struct rfbssl_ctx)))) {
ret = GNUTLS_E_MEMORY_ERROR;
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_global_init())) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_allocate_credentials(&ctx->x509_cred))) {
/* */
} else if ((ret = gnutls_certificate_set_x509_trust_file(ctx->x509_cred, cert, GNUTLS_X509_FMT_PEM)) < 0) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_set_x509_key_file(ctx->x509_cred, cert, key, GNUTLS_X509_FMT_PEM))) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = generate_dh_params(ctx))) {
/* */
#ifdef I_LIKE_RSA_PARAMS_THAT_MUCH
} else if (!GNUTLS_E_SUCCESS == (ret = generate_rsa_params(ctx))) {
/* */
#endif
} else {
gnutls_global_set_log_function(rfbssl_log_func);
gnutls_global_set_log_level(1);
gnutls_certificate_set_dh_params(ctx->x509_cred, ctx->dh_params);
/* newly allocated memory should be initialized, at least where it is important */
ctx->peekstart = ctx->peeklen = 0;
return ctx;
}
free(ctx);
return NULL;
}
void certificate_credentials::set_x509_key_file (const char *certfile,
const char *keyfile,
gnutls_x509_crt_fmt_t type)
{
RETWRAP (gnutls_certificate_set_x509_key_file
(cred, certfile, keyfile, type));
}
secure::server_t secure::server(const char *certfile, const char *ca)
{
context *ctx = new context;
if(!ctx)
return NULL;
ctx->error = secure::OK;
ctx->connect = GNUTLS_SERVER;
ctx->xtype = GNUTLS_CRD_CERTIFICATE;
ctx->xcred = NULL;
ctx->dh = NULL;
gnutls_certificate_allocate_credentials(&ctx->xcred);
gnutls_certificate_set_x509_key_file(ctx->xcred, certfile, certfile, GNUTLS_X509_FMT_PEM);
if(!ca)
return ctx;
if(eq(ca, "*"))
ca = oscerts();
gnutls_certificate_set_x509_trust_file (ctx->xcred, ca, GNUTLS_X509_FMT_PEM);
return ctx;
}
void
initialize_tls_global(void)
{
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&xcred);
gnutls_certificate_set_x509_trust_file (xcred, CACERT, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file (xcred, CLIENTCERT, CLIENTKEY, GNUTLS_X509_FMT_PEM);
}
void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
int ret = gnutls_global_init ();
if (ret < 0)
throw format ("TLS init error. {1}", gnutls_strerror (ret));
ret = gnutls_certificate_allocate_credentials (&_credentials);
if (ret < 0)
throw format ("TLS allocation error. {1}", gnutls_strerror (ret));
if (_ca != "" &&
(ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CA file. {1}", gnutls_strerror (ret));
if ( _crl != "" &&
(ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CRL file. {1}", gnutls_strerror (ret));
if (_cert != "" &&
_key != "" &&
(ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CERT file. {1}", gnutls_strerror (ret));
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
// The automatic verification for the client certificate with
// gnutls_certificate_set_verify_function only works with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
void TLSClient::init (
const std::string& ca,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_cert = cert;
_key = key;
int ret = gnutls_global_init ();
if (ret < 0)
throw format ("TLS init error. {1}", gnutls_strerror (ret));
ret = gnutls_certificate_allocate_credentials (&_credentials);
if (ret < 0)
throw format ("TLS allocation error. {1}", gnutls_strerror (ret));
if (_ca != "" &&
(ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CA file. {1}", gnutls_strerror (ret));
if (_cert != "" &&
_key != "" &&
(ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CERT file. {1}", gnutls_strerror (ret));
#if GNUTLS_VERSION_NUMBER >= 0x02090a
// The automatic verification for the server certificate with
// gnutls_certificate_set_verify_function only works with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
ret = gnutls_init (&_session, GNUTLS_CLIENT);
if (ret < 0)
throw format ("TLS client init error. {1}", gnutls_strerror (ret));
// Use default priorities unless overridden.
if (_ciphers == "")
_ciphers = "NORMAL";
const char *err;
ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err);
if (ret < 0)
{
if (_debug && ret == GNUTLS_E_INVALID_REQUEST)
std::cout << "c: ERROR Priority error at: " << err << "\n";
throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret));
}
// Apply the x509 credentials to the current session.
ret = gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials);
if (ret < 0)
throw format ("TLS credentials error. {1}", gnutls_strerror (ret));
}
void
relay_network_set_ssl_cert_key (int verbose)
{
#ifdef HAVE_GNUTLS
char *certkey_path, *certkey_path2;
int ret;
gnutls_certificate_free_credentials (relay_gnutls_x509_cred);
gnutls_certificate_allocate_credentials (&relay_gnutls_x509_cred);
relay_network_init_ssl_cert_key_ok = 0;
certkey_path = weechat_string_expand_home (weechat_config_string (relay_config_network_ssl_cert_key));
if (certkey_path)
{
certkey_path2 = weechat_string_replace (certkey_path, "%h",
weechat_info_get ("weechat_dir",
NULL));
if (certkey_path2)
{
ret = gnutls_certificate_set_x509_key_file (relay_gnutls_x509_cred,
certkey_path2,
certkey_path2,
GNUTLS_X509_FMT_PEM);
if (ret >= 0)
{
relay_network_init_ssl_cert_key_ok = 1;
if (verbose)
{
weechat_printf (NULL,
_("%s: SSL certificate and key have been "
"set"),
RELAY_PLUGIN_NAME);
}
}
else
{
if (verbose)
{
weechat_printf (NULL,
_("%s%s: warning: no SSL certificate/key "
"found (option relay.network.ssl_cert_key)"),
weechat_prefix ("error"), RELAY_PLUGIN_NAME);
}
}
free (certkey_path2);
}
free (certkey_path);
}
#else
/* make C compiler happy */
(void) verbose;
#endif
}
static gnutls_certificate_credentials_t
CreateX509CertCredential(rfbCredential *cred)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
if (!cred->x509Credential.x509CACertFile)
{
rfbClientLog("No CA certificate provided.\n");
return NULL;
}
if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0)
{
rfbClientLog("Cannot allocate credentials: %s.\n", gnutls_strerror(ret));
return NULL;
}
if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
cred->x509Credential.x509CACertFile, GNUTLS_X509_FMT_PEM)) < 0)
{
rfbClientLog("Cannot load CA credentials: %s.\n", gnutls_strerror(ret));
gnutls_certificate_free_credentials (x509_cred);
return NULL;
}
if (cred->x509Credential.x509ClientCertFile && cred->x509Credential.x509ClientKeyFile)
{
if ((ret = gnutls_certificate_set_x509_key_file(x509_cred,
cred->x509Credential.x509ClientCertFile, cred->x509Credential.x509ClientKeyFile,
GNUTLS_X509_FMT_PEM)) < 0)
{
rfbClientLog("Cannot load client certificate or key: %s.\n", gnutls_strerror(ret));
gnutls_certificate_free_credentials (x509_cred);
return NULL;
}
} else
{
rfbClientLog("No client certificate or key provided.\n");
}
if (cred->x509Credential.x509CACrlFile)
{
if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
cred->x509Credential.x509CACrlFile, GNUTLS_X509_FMT_PEM)) < 0)
{
rfbClientLog("Cannot load CRL: %s.\n", gnutls_strerror(ret));
gnutls_certificate_free_credentials (x509_cred);
return NULL;
}
} else
{
rfbClientLog("No CRL provided.\n");
}
gnutls_certificate_set_dh_params (x509_cred, rfbDHParams);
return x509_cred;
}
struct cert* loadCert(const char* ca, const char* cert, const char* key) {
struct cert* oc = xmalloc(sizeof(struct cert));
gnutls_certificate_allocate_credentials(&oc->cert);
if (ca != NULL) gnutls_certificate_set_x509_trust_file(oc->cert, ca, GNUTLS_X509_FMT_PEM);
int e1 = gnutls_certificate_set_x509_key_file(oc->cert, cert, key, GNUTLS_X509_FMT_PEM);
if (e1 < 0) {
return NULL;
}
gnutls_priority_init(&oc->priority, "PERFORMANCE:%SERVER_PRECEDENCE", NULL);
gnutls_certificate_set_dh_params(oc->cert, dh_params);
return oc;
}
static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
if (!vd->tls.x509cacert) {
VNC_DEBUG("No CA x509 certificate specified\n");
return NULL;
}
if (!vd->tls.x509cert) {
VNC_DEBUG("No server x509 certificate specified\n");
return NULL;
}
if (!vd->tls.x509key) {
VNC_DEBUG("No server private key specified\n");
return NULL;
}
if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
return NULL;
}
if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
vd->tls.x509cacert,
GNUTLS_X509_FMT_PEM)) < 0) {
VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));
gnutls_certificate_free_credentials(x509_cred);
return NULL;
}
if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,
vd->tls.x509cert,
vd->tls.x509key,
GNUTLS_X509_FMT_PEM)) < 0) {
VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));
gnutls_certificate_free_credentials(x509_cred);
return NULL;
}
if (vd->tls.x509cacrl) {
if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
vd->tls.x509cacrl,
GNUTLS_X509_FMT_PEM)) < 0) {
VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));
gnutls_certificate_free_credentials(x509_cred);
return NULL;
}
}
gnutls_certificate_set_dh_params (x509_cred, dh_params);
return x509_cred;
}
static Eina_Bool
_ecore_con_ssl_server_privkey_add_gnutls(Ecore_Con_Server *svr,
const char *key_file)
{
SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_key_file(svr->cert, svr->cert_file, key_file,
GNUTLS_X509_FMT_PEM));
return EINA_TRUE;
error:
ERR("Could not load certificate/key file!");
return EINA_FALSE;
}
static gpointer
server_thread (gpointer user_data)
{
int listener = GPOINTER_TO_INT (user_data), client;
gnutls_certificate_credentials creds;
gnutls_session_t session;
struct sockaddr_in sin;
int len;
char buf[BUFSIZE];
int status;
gnutls_certificate_allocate_credentials (&creds);
if (gnutls_certificate_set_x509_key_file (creds,
ssl_cert_file, ssl_key_file,
GNUTLS_X509_FMT_PEM) != 0) {
g_error ("Failed to set SSL certificate and key files "
"(%s, %s).", ssl_cert_file, ssl_key_file);
}
gnutls_certificate_set_dh_params (creds, dh_params);
/* Create a new session */
gnutls_init (&session, GNUTLS_SERVER);
gnutls_set_default_priority (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, creds);
gnutls_dh_set_prime_bits (session, DH_BITS);
/* Wait for client thread to connect */
len = sizeof (sin);
client = accept (listener, (struct sockaddr *) &sin, (void *)&len);
gnutls_transport_set_ptr (session, GINT_TO_POINTER (client));
/* Initial handshake */
status = gnutls_handshake (session);
if (status < 0)
g_error ("initial handshake failed: %d", status);
/* Synchronous client test. */
server_read (session, buf, BUFSIZE);
server_write (session, buf, BUFSIZE);
/* Async client test. */
server_read (session, buf, BUFSIZE);
server_write (session, buf, BUFSIZE);
/* That's all, folks. */
gnutls_bye (session, GNUTLS_SHUT_WR);
gnutls_deinit (session);
close (client);
gnutls_certificate_free_credentials (creds);
return NULL;
}
G_GNUC_COLD void
tls_global_init(void)
{
static const struct {
const char * const name;
const int major;
const int minor;
} f = {
"tls", 1, 0
};
char *cert_file, *key_file;
#if !defined(REMAP_ZALLOC) && !defined(TRACK_MALLOC) && !defined(TRACK_ZALLOC)
gnutls_global_set_mem_functions(halloc, halloc, NULL, hrealloc, hfree);
#endif
if (gnutls_global_init()) {
g_error("gnutls_global_init() failed");
}
#ifdef USE_TLS_CUSTOM_IO
gnutls_global_set_log_level(9);
gnutls_global_set_log_function(tls_log_function);
#endif /* USE_TLS_CUSTOM_IO */
get_dh_params();
gnutls_certificate_allocate_credentials(&cert_cred);
key_file = make_pathname(settings_config_dir(), "key.pem");
cert_file = make_pathname(settings_config_dir(), "cert.pem");
if (file_exists(key_file) && file_exists(cert_file)) {
int ret;
ret = gnutls_certificate_set_x509_key_file(cert_cred,
cert_file, key_file, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
g_warning("gnutls_certificate_set_x509_key_file() failed: %s",
gnutls_strerror(ret));
} else {
gnutls_certificate_set_dh_params(cert_cred, get_dh_params());
}
}
HFREE_NULL(key_file);
HFREE_NULL(cert_file);
header_features_add(FEATURES_CONNECTIONS, f.name, f.major, f.minor);
header_features_add(FEATURES_G2_CONNECTIONS, f.name, f.major, f.minor);
header_features_add(FEATURES_DOWNLOADS, f.name, f.major, f.minor);
header_features_add(FEATURES_UPLOADS, f.name, f.major, f.minor);
}
SSL *
SSL_new (SSL_CTX * ctx)
{
SSL *ssl;
int err;
ssl = (SSL *) calloc (1, sizeof (SSL));
if (!ssl)
return NULL;
err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred);
if (err < 0)
{
last_error = err;
free (ssl);
return NULL;
}
gnutls_init (&ssl->gnutls_state, ctx->method->connend);
gnutls_protocol_set_priority (ssl->gnutls_state,
ctx->method->protocol_priority);
gnutls_cipher_set_priority (ssl->gnutls_state,
ctx->method->cipher_priority);
gnutls_compression_set_priority (ssl->gnutls_state,
ctx->method->comp_priority);
gnutls_kx_set_priority (ssl->gnutls_state, ctx->method->kx_priority);
gnutls_mac_set_priority (ssl->gnutls_state, ctx->method->mac_priority);
gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE,
ssl->gnutls_cred);
if (ctx->certfile)
gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred,
ctx->certfile,
ctx->certfile_type);
if (ctx->keyfile)
gnutls_certificate_set_x509_key_file (ssl->gnutls_cred,
ctx->certfile, ctx->keyfile,
ctx->keyfile_type);
ssl->ctx = ctx;
ssl->verify_mode = ctx->verify_mode;
ssl->verify_callback = ctx->verify_callback;
ssl->options = ctx->options;
ssl->rfd = (gnutls_transport_ptr_t) - 1;
ssl->wfd = (gnutls_transport_ptr_t) - 1;
return ssl;
}
gtlsClientData::gtlsClientData(std::string const& _caFile,
std::string const& _certFile,
std::string const& _keyFile)
{
int ret = 0;
gnutls_global_set_log_level(loglevel);
gnutls_global_set_log_function(gtlsGeneric::logCallback);
gnutls_certificate_allocate_credentials(&cred_);
// GNUTLS_NOTICE("Allocted credentials");
// Add the certificate authority used.
// GNUTLS_NOTICE("Setting CA, file='" << _caFile << "'");
ret = gnutls_certificate_set_x509_trust_file(cred_, _caFile.c_str(), GNUTLS_X509_FMT_PEM);
// printerror("gnutls_certificate_set_x509_trust_file", ret);
// GNUTLS_NOTICE("Processed " << ret << " certificates.");
// Set the cert and private key.
// Set the certificate and priate key pair.
// GNUTLS_NOTICE("Setting certificate, file='" << _certFile << "'");
// GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'");
ret = gnutls_certificate_set_x509_key_file(cred_,
_certFile.c_str(),
_keyFile.c_str(),
GNUTLS_X509_FMT_PEM);
// printerror("gnutls_certificate_set_x509_key_file", ret);
// GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s).");
ret = gnutls_init(&session_, GNUTLS_CLIENT);
// printerror("gnutls_init", ret);
ret = gnutls_set_default_priority(session_);
// printerror("gnutls_set_default_priority", ret);
gnutls_dh_set_prime_bits(session_, gtlsGeneric::GNUTLSIF_DH_BITS);
const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 };
ret = gnutls_certificate_type_set_priority(session_,
cert_type_priority);
// printerror("gnutls_certificate_type_set_priority", ret);
ret = gnutls_credentials_set(session_,
GNUTLS_CRD_CERTIFICATE,
cred_);
// printerror("gnutls_credentials_set", ret);
}
void initialize_tls_global(void)
{
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, CACERT,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, CACRL,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file (x509_cred, SERVERCERT, SERVERKEY,
GNUTLS_X509_FMT_PEM);
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_generate2 (dh_params, DH_BITS);
gnutls_certificate_set_dh_params (x509_cred, dh_params);
}
void ssl_init(struct sockifo* ifo, const char* key, const char* cert, const char* ca, int server) {
int rv;
rv = gnutls_certificate_allocate_credentials(&ifo->xcred);
if (rv < 0) goto out_err;
if (cert && *cert) {
rv = gnutls_certificate_set_x509_key_file(ifo->xcred, cert, key, GNUTLS_X509_FMT_PEM);
if (rv < 0) goto out_err_cred;
}
if (ca && *ca) {
if (!access(ca, R_OK)) {
ifo->state.ssl_verify_type = VERIFY_CA;
rv = gnutls_certificate_set_x509_trust_file(ifo->xcred, ca, GNUTLS_X509_FMT_PEM);
if (rv < 0) goto out_err_cred;
} else {
ifo->state.ssl_verify_type = VERIFY_FP;
ifo->fingerprint = strdup(ca);
}
}
gnutls_certificate_set_dh_params(ifo->xcred, dh_params);
rv = gnutls_init(&ifo->ssl, server ? GNUTLS_SERVER : GNUTLS_CLIENT);
if (rv < 0) goto out_err_cred;
rv = gnutls_set_default_priority(ifo->ssl);
if (rv < 0) goto out_err_all;
rv = gnutls_credentials_set(ifo->ssl, GNUTLS_CRD_CERTIFICATE, ifo->xcred);
if (rv < 0) goto out_err_all;
if (server) {
gnutls_dh_set_prime_bits(ifo->ssl, 1024);
gnutls_certificate_server_set_request(ifo->ssl, GNUTLS_CERT_REQUEST);
}
gnutls_transport_set_ptr(ifo->ssl, (gnutls_transport_ptr_t)(long) ifo->fd);
ifo->state.ssl = SSL_HSHK;
if (!ifo->state.connpend)
ssl_handshake(ifo);
return;
out_err_all:
gnutls_deinit(ifo->ssl);
out_err_cred:
gnutls_certificate_free_credentials(ifo->xcred);
if (ifo->fingerprint)
free(ifo->fingerprint);
out_err:
esock(ifo, gnutls_strerror(rv));
}
SSL *
SSL_new (SSL_CTX * ctx)
{
SSL *ssl;
int err;
ssl = (SSL *) calloc (1, sizeof (SSL));
if (!ssl)
return NULL;
err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred);
if (err < 0)
{
last_error = err;
free (ssl);
return NULL;
}
gnutls_init (&ssl->gnutls_state, ctx->method->connend);
gnutls_priority_set_direct (ssl->gnutls_state,
ctx->method->priority_string, NULL);
gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE,
ssl->gnutls_cred);
if (ctx->certfile)
gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred,
ctx->certfile,
ctx->certfile_type);
if (ctx->keyfile)
gnutls_certificate_set_x509_key_file (ssl->gnutls_cred,
ctx->certfile, ctx->keyfile,
ctx->keyfile_type);
ssl->ctx = ctx;
ssl->verify_mode = ctx->verify_mode;
ssl->verify_callback = ctx->verify_callback;
ssl->options = ctx->options;
ssl->rfd = (gnutls_transport_ptr_t) - 1;
ssl->wfd = (gnutls_transport_ptr_t) - 1;
ssl->ssl_peek_buffer = NULL;
ssl->ssl_peek_buffer_size = ssl->ssl_peek_avail = 0;
return ssl;
}
void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&_credentials);
if (_ca != "" &&
gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CA file.");
if ( _crl != "" &&
gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CRL file.");
if (_cert != "" &&
_key != "" &&
gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CERT file.");
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
/* similar to server_init.
*
* the user of secure server might want to set additional callbacks from
* GNUTLS. In particular
* gnutls_global_set_mem_functions()
* gnutls_global_set_log_function()
* Also see the note above ebb_connection_init() about setting gnutls cache
* access functions
*
* cert_file: the filename of a PEM certificate file
*
* key_file: the filename of a private key. Currently only PKCS-1 encoded
* RSA and DSA private keys are accepted.
*/
int
ebb_server_set_secure (ebb_server *server, const char *cert_file, const char *key_file)
{
server->secure = TRUE;
gnutls_global_init();
gnutls_certificate_allocate_credentials(&server->credentials);
/* todo gnutls_certificate_free_credentials */
int r = gnutls_certificate_set_x509_key_file( server->credentials
, cert_file
, key_file
, GNUTLS_X509_FMT_PEM
);
if(r < 0) {
error("loading certificates");
return -1;
}
return 1;
}
void TLSClient::init (
const std::string& ca,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_cert = cert;
_key = key;
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&_credentials);
if (_ca != "" &&
gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CA file.");
if (_cert != "" &&
_key != "" &&
gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CERT file.");
#if GNUTLS_VERSION_NUMBER >= 0x02090a
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
gnutls_init (&_session, GNUTLS_CLIENT);
// Use default priorities unless overridden.
if (_ciphers == "")
_ciphers = "NORMAL";
const char *err;
int ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err);
if (ret < 0)
{
if (_debug && ret == GNUTLS_E_INVALID_REQUEST)
std::cout << "c: ERROR Priority error at: " << err << "\n";
throw std::string ("Error initializing TLS.");
}
// Apply the x509 credentials to the current session.
gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials);
}
/**
* @short Same as onion_https_set_certificate, but with a va_list
* @memberof onion_https_t
*
* This allows to manage va_lists more easily.
*
* @see onion_https_set_certificate
*/
int onion_https_set_certificate_argv(onion_listen_point *ol, onion_ssl_certificate_type type, const char *filename, va_list va){
onion_https *https=(onion_https*)ol->user_data;
if (ol->write!=onion_https_write){
ONION_ERROR("Trying to et a certificate on a non HTTPS listen point");
errno=EINVAL;
return -1;
}
int r=0;
switch(type&0x0FF){
case O_SSL_CERTIFICATE_CRL:
ONION_DEBUG("Setting SSL Certificate CRL");
r=gnutls_certificate_set_x509_crl_file(https->x509_cred, filename, (type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM);
break;
case O_SSL_CERTIFICATE_KEY:
{
//va_arg(va, const char *); // Ignore first.
const char *keyfile=va_arg(va, const char *);
ONION_DEBUG("Setting certificate to %p: cert %s, key %s", ol, filename, keyfile);
r=gnutls_certificate_set_x509_key_file(https->x509_cred, filename, keyfile,
(type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM);
}
break;
case O_SSL_CERTIFICATE_TRUST:
ONION_DEBUG("Setting SSL Certificate Trust");
r=gnutls_certificate_set_x509_trust_file(https->x509_cred, filename, (type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM);
break;
case O_SSL_CERTIFICATE_PKCS12:
{
ONION_DEBUG("Setting SSL Certificate PKCS12");
r=gnutls_certificate_set_x509_simple_pkcs12_file(https->x509_cred, filename,
(type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM,
va_arg(va, const char *));
}
break;
default:
r=-1;
ONION_ERROR("Set unknown type of certificate: %d",type);
}
return r;
}
gtlsGlobalServerData::gtlsGlobalServerData(std::string const& _CAfile,
/*std::string const& _CRLFile,*/
std::string const& _CertFile,
std::string const& _keyFile)
: cert_cred(0),
initialized_(true)
{
int ret = 0;
// Logging.
gnutls_global_set_log_level(loglevel);
gnutls_global_set_log_function(gtlsGeneric::logCallback);
// Allocate the structures used to keep certificates in.
ret = gnutls_certificate_allocate_credentials(&cert_cred);
// printerror("gnutls_certificate_allocate_credentials", ret);
if (ret < 0) { initialized_ = false; }
// Set the CA certificate.
// GNUTLS_NOTICE("Setting CA, file='" << _CAfile << "'");
ret = gnutls_certificate_set_x509_trust_file(cert_cred,
_CAfile.c_str(),
GNUTLS_X509_FMT_PEM);
// printerror("gnutls_certificate_set_x509_trust_file", ret);
if (ret < 0) { initialized_ = false; }
// GNUTLS_NOTICE("Processed " << ret << " certificates.");
// Set the certificate and priate key pair.
//GNUTLS_NOTICE("Setting certificate, file='" << _CertFile << "'");
//GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'");
ret = gnutls_certificate_set_x509_key_file(cert_cred,
_CertFile.c_str(),
_keyFile.c_str(),
GNUTLS_X509_FMT_PEM);
// printerror("gnutls_certificate_set_x509_key_file", ret);
if (ret < 0) { initialized_ = false; }
// GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s).");
// Generate and set DH params.
generate_dh_params();
gnutls_certificate_set_dh_params(cert_cred, dh_params);
}
void initializeCertificate()
{
char* certificatePath = (char*) getStrConf(CERTIFICATE);
if(!certificatePath) {
Log_fatal("No certificate file specified.");
}
char* keyPath = (char*) getStrConf(KEY);
if(!keyPath) {
Log_fatal("No key file specified");
}
gnutls_certificate_allocate_credentials(&certificate);
int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM);
if( error != GNUTLS_E_SUCCESS ) {
Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
}
}
