|
1 #include "ssl_internal.h" |
|
2 |
|
3 #include <assert.h> |
|
4 |
|
5 static const char* _gnutls_error_msg (const struct error_extra_type *type, const union error_extra *extra) |
|
6 { |
|
7 (void) type; |
|
8 |
|
9 return gnutls_strerror(extra->int_); |
|
10 } |
|
11 |
|
12 static const struct error_extra_type _gnutls_error_type = { |
|
13 .name = "gnutls", |
|
14 .msg_func = _gnutls_error_msg |
|
15 }; |
|
16 |
|
17 const struct error_list ssl_errors = ERROR_LIST("gnutls", |
|
18 ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_ALLOC_CRED, "gnutls_certificate_allocate_credentials", &_gnutls_error_type ), |
|
19 ERROR_TYPE_EXTRA( ERR_GNUTLS_GLOBAL_INIT, "gnutls_global_init", &_gnutls_error_type ), |
|
20 ERROR_TYPE_EXTRA( ERR_GNUTLS_SET_DEFAULT_PRIORITY, "gnutls_set_default_priority", &_gnutls_error_type ), |
|
21 ERROR_TYPE_EXTRA( ERR_GNUTLS_CRED_SET, "gnutls_credentials_set", &_gnutls_error_type ), |
|
22 ERROR_TYPE_EXTRA( ERR_GNUTLS_HANDSHAKE, "gnutls_handshake", &_gnutls_error_type ), |
|
23 ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_SEND, "gnutls_record_send", &_gnutls_error_type ), |
|
24 ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_RECV, "gnutls_record_recv", &_gnutls_error_type ), |
|
25 ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_GET_DIRECTION, "gnutls_record_get_direction", &_gnutls_error_type ), |
|
26 ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_VERIFY_PEERS2, "gnutls_certificate_verify_peers2", &_gnutls_error_type ), |
|
27 ERROR_TYPE_STRING( ERR_GNUTLS_CERT_VERIFY, "X.509 Certificate verification failed" ), |
|
28 ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_SET_X509_TRUST_FILE,"gnutls_certificate_set_x509_trust_file", &_gnutls_error_type ), |
|
29 ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_SET_X509_KEY_FILE, "gnutls_certificate_set_x509_key_file", &_gnutls_error_type ) |
|
30 ); |
|
31 |
|
32 /* |
|
33 * Global shared anonymous client credentials |
|
34 */ |
|
35 struct ssl_client_cred ssl_client_cred_anon = { .x509 = NULL, .verify = false, .refcount = 0 }; |
|
36 |
|
37 |
|
38 // XXX: GnuTLS log func |
|
39 void _log (int level, const char *msg) |
|
40 { |
|
41 printf("gnutls: %d: %s", level, msg); |
|
42 } |
|
43 |
|
44 err_t ssl_global_init (error_t *err) |
|
45 { |
|
46 // global init |
|
47 if ((ERROR_EXTRA(err) = gnutls_global_init()) < 0) |
|
48 return SET_ERROR(err, ERR_GNUTLS_GLOBAL_INIT); |
|
49 |
|
50 // initialize the anon client credentials |
|
51 if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&ssl_client_cred_anon.x509)) < 0) |
|
52 return SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED); |
|
53 |
|
54 // XXX: debug |
|
55 // gnutls_global_set_log_function(&_log); |
|
56 // gnutls_global_set_log_level(11); |
|
57 |
|
58 // done |
|
59 return SUCCESS; |
|
60 } |
|
61 |
|
62 static void ssl_client_cred_destroy (struct ssl_client_cred *cred) |
|
63 { |
|
64 // simple |
|
65 gnutls_certificate_free_credentials(cred->x509); |
|
66 |
|
67 free(cred); |
|
68 } |
|
69 |
|
70 err_t ssl_client_cred_create (struct ssl_client_cred **ctx_cred, |
|
71 const char *cafile_path, bool verify, |
|
72 const char *cert_path, const char *pkey_path, |
|
73 error_t *err |
|
74 ) { |
|
75 struct ssl_client_cred *cred; |
|
76 |
|
77 // alloc it |
|
78 if ((cred = calloc(1, sizeof(*cred))) == NULL) |
|
79 return SET_ERROR(err, ERR_CALLOC); |
|
80 |
|
81 // create the cert |
|
82 if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&cred->x509)) < 0) |
|
83 JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED); |
|
84 |
|
85 // load the trusted ca certs? |
|
86 if (cafile_path) { |
|
87 // load them |
|
88 if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_trust_file(cred->x509, cafile_path, GNUTLS_X509_FMT_PEM)) < 0) |
|
89 JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_TRUST_FILE); |
|
90 |
|
91 } |
|
92 |
|
93 // set the verify flags? |
|
94 cred->verify = verify; |
|
95 gnutls_certificate_set_verify_flags(cred->x509, 0); |
|
96 |
|
97 // load the client cert? |
|
98 if (cert_path || pkey_path) { |
|
99 // need both... |
|
100 assert(cert_path && pkey_path); |
|
101 |
|
102 // load |
|
103 if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_key_file(cred->x509, cert_path, pkey_path, GNUTLS_X509_FMT_PEM))) |
|
104 JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_KEY_FILE); |
|
105 } |
|
106 |
|
107 // ok |
|
108 cred->refcount = 1; |
|
109 *ctx_cred = cred; |
|
110 |
|
111 return SUCCESS; |
|
112 |
|
113 error: |
|
114 // release |
|
115 ssl_client_cred_destroy(cred); |
|
116 |
|
117 return ERROR_CODE(err); |
|
118 } |
|
119 |
|
120 void ssl_client_cred_get (struct ssl_client_cred *cred) |
|
121 { |
|
122 cred->refcount++; |
|
123 } |
|
124 |
|
125 void ssl_client_cred_put (struct ssl_client_cred *cred) |
|
126 { |
|
127 if (--cred->refcount == 0) |
|
128 ssl_client_cred_destroy(cred); |
|
129 } |