1 #include "ssl_internal.h"

     2 

     3 #include <assert.h>

     4 

     5 static const char* _gnutls_error_msg (const struct error_extra_type *type, const union error_extra *extra)

     6 {

     7     (void) type;

     8 

     9     return gnutls_strerror(extra->int_);

    10 }

    11 

    12 static const struct error_extra_type _gnutls_error_type = {

    13     .name       = "gnutls",

    14     .msg_func   = _gnutls_error_msg

    15 };

    16 

    17 const struct error_list ssl_errors = ERROR_LIST("gnutls",

    18     ERROR_TYPE_EXTRA(   ERR_GNUTLS_CERT_ALLOC_CRED,         "gnutls_certificate_allocate_credentials",  &_gnutls_error_type    ),

    19     ERROR_TYPE_EXTRA(   ERR_GNUTLS_GLOBAL_INIT,             "gnutls_global_init",                       &_gnutls_error_type    ),

    20     ERROR_TYPE_EXTRA(   ERR_GNUTLS_SET_DEFAULT_PRIORITY,    "gnutls_set_default_priority",              &_gnutls_error_type    ),

    21     ERROR_TYPE_EXTRA(   ERR_GNUTLS_CRED_SET,                "gnutls_credentials_set",                   &_gnutls_error_type    ),

    22     ERROR_TYPE_EXTRA(   ERR_GNUTLS_HANDSHAKE,               "gnutls_handshake",                         &_gnutls_error_type    ),

    23     ERROR_TYPE_EXTRA(   ERR_GNUTLS_RECORD_SEND,             "gnutls_record_send",                       &_gnutls_error_type    ),

    24     ERROR_TYPE_EXTRA(   ERR_GNUTLS_RECORD_RECV,             "gnutls_record_recv",                       &_gnutls_error_type    ),

    25     ERROR_TYPE_EXTRA(   ERR_GNUTLS_RECORD_GET_DIRECTION,    "gnutls_record_get_direction",              &_gnutls_error_type    ),

    26     ERROR_TYPE_EXTRA(   ERR_GNUTLS_CERT_VERIFY_PEERS2,      "gnutls_certificate_verify_peers2",         &_gnutls_error_type    ),

    27     ERROR_TYPE_STRING(  ERR_GNUTLS_CERT_VERIFY,             "X.509 Certificate verification failed"                            ),

    28     ERROR_TYPE_EXTRA(   ERR_GNUTLS_CERT_SET_X509_TRUST_FILE,"gnutls_certificate_set_x509_trust_file",   &_gnutls_error_type    ),

    29     ERROR_TYPE_EXTRA(   ERR_GNUTLS_CERT_SET_X509_KEY_FILE,  "gnutls_certificate_set_x509_key_file",     &_gnutls_error_type    )

    30 );

    31 

    32 /*

    33  * Global shared anonymous client credentials

    34  */

    35 struct ssl_client_cred ssl_client_cred_anon = { .x509 = NULL, .verify = false, .refcount = 0 };

    36 

    37 

    38 // XXX: GnuTLS log func

    39 void _log (int level, const char *msg)

    40 {

    41     printf("gnutls: %d: %s", level, msg);

    42 }

    43 

    44 err_t ssl_global_init (error_t *err)

    45 {

    46     // global init

    47     if ((ERROR_EXTRA(err) = gnutls_global_init()) < 0)

    48         return SET_ERROR(err, ERR_GNUTLS_GLOBAL_INIT);

    49 

    50     // initialize the anon client credentials

    51     if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&ssl_client_cred_anon.x509)) < 0)

    52         return SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED);

    53 

    54     // XXX: debug

    55 //    gnutls_global_set_log_function(&_log);

    56 //    gnutls_global_set_log_level(11);

    57 

    58     // done

    59     return SUCCESS;

    60 }

    61 

    62 static void ssl_client_cred_destroy (struct ssl_client_cred *cred)

    63 {

    64     // simple

    65     gnutls_certificate_free_credentials(cred->x509);

    66 

    67     free(cred);

    68 }

    69 

    70 err_t ssl_client_cred_create (struct ssl_client_cred **ctx_cred,

    71         const char *cafile_path, bool verify,

    72         const char *cert_path, const char *pkey_path,

    73         error_t *err

    74 ) {

    75     struct ssl_client_cred *cred;

    76 

    77     // alloc it

    78     if ((cred = calloc(1, sizeof(*cred))) == NULL)

    79         return SET_ERROR(err, ERR_CALLOC);

    80 

    81     // create the cert

    82     if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&cred->x509)) < 0)

    83         JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED);

    84     

    85     // load the trusted ca certs?

    86     if (cafile_path) {

    87         // load them

    88         if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_trust_file(cred->x509, cafile_path, GNUTLS_X509_FMT_PEM)) < 0)

    89             JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_TRUST_FILE);

    90 

    91     }

    92 

    93     // set the verify flags?

    94     cred->verify = verify;

    95     gnutls_certificate_set_verify_flags(cred->x509, 0);

    96 

    97     // load the client cert?

    98     if (cert_path || pkey_path) {

    99         // need both...

   100         assert(cert_path && pkey_path);

   101 

   102         // load

   103         if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_key_file(cred->x509, cert_path, pkey_path, GNUTLS_X509_FMT_PEM)))

   104             JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_KEY_FILE);

   105     }

   106 

   107     // ok

   108     cred->refcount = 1;

   109     *ctx_cred = cred;

   110 

   111     return SUCCESS;

   112 

   113 error:

   114     // release

   115     ssl_client_cred_destroy(cred);

   116 

   117     return ERROR_CODE(err);

   118 }

   119 

   120 void ssl_client_cred_get (struct ssl_client_cred *cred)

   121 {

   122     cred->refcount++;

   123 }

   124 

   125 void ssl_client_cred_put (struct ssl_client_cred *cred)

   126 {

   127     if (--cred->refcount == 0)

   128         ssl_client_cred_destroy(cred);

   129 }