#include "ssl_internal.h"
#include <assert.h>
static const char* _gnutls_error_msg (const struct error_extra_type *type, const union error_extra *extra)
{
(void) type;
return gnutls_strerror(extra->int_);
}
static const struct error_extra_type _gnutls_error_type = {
.name = "gnutls",
.msg_func = _gnutls_error_msg
};
const struct error_list ssl_errors = ERROR_LIST("gnutls",
ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_ALLOC_CRED, "gnutls_certificate_allocate_credentials", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_GLOBAL_INIT, "gnutls_global_init", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_SET_DEFAULT_PRIORITY, "gnutls_set_default_priority", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_CRED_SET, "gnutls_credentials_set", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_HANDSHAKE, "gnutls_handshake", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_SEND, "gnutls_record_send", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_RECV, "gnutls_record_recv", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_GET_DIRECTION, "gnutls_record_get_direction", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_VERIFY_PEERS2, "gnutls_certificate_verify_peers2", &_gnutls_error_type ),
ERROR_TYPE_STRING( ERR_GNUTLS_CERT_VERIFY, "X.509 Certificate verification failed" ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_SET_X509_TRUST_FILE,"gnutls_certificate_set_x509_trust_file", &_gnutls_error_type ),
ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_SET_X509_KEY_FILE, "gnutls_certificate_set_x509_key_file", &_gnutls_error_type )
);
/*
* Global shared anonymous client credentials
*/
struct ssl_client_cred ssl_client_cred_anon = { .x509 = NULL, .verify = false, .refcount = 0 };
// XXX: GnuTLS log func
void _log (int level, const char *msg)
{
printf("gnutls: %d: %s", level, msg);
}
err_t ssl_global_init (error_t *err)
{
// global init
if ((ERROR_EXTRA(err) = gnutls_global_init()) < 0)
return SET_ERROR(err, ERR_GNUTLS_GLOBAL_INIT);
// initialize the anon client credentials
if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&ssl_client_cred_anon.x509)) < 0)
return SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED);
// XXX: debug
// gnutls_global_set_log_function(&_log);
// gnutls_global_set_log_level(11);
// done
return SUCCESS;
}
static void ssl_client_cred_destroy (struct ssl_client_cred *cred)
{
// simple
gnutls_certificate_free_credentials(cred->x509);
free(cred);
}
err_t ssl_client_cred_create (struct ssl_client_cred **ctx_cred,
const char *cafile_path, bool verify,
const char *cert_path, const char *pkey_path,
error_t *err
) {
struct ssl_client_cred *cred;
// alloc it
if ((cred = calloc(1, sizeof(*cred))) == NULL)
return SET_ERROR(err, ERR_CALLOC);
// create the cert
if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&cred->x509)) < 0)
JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED);
// load the trusted ca certs?
if (cafile_path) {
// load them
if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_trust_file(cred->x509, cafile_path, GNUTLS_X509_FMT_PEM)) < 0)
JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_TRUST_FILE);
}
// set the verify flags?
cred->verify = verify;
gnutls_certificate_set_verify_flags(cred->x509, 0);
// load the client cert?
if (cert_path || pkey_path) {
// need both...
assert(cert_path && pkey_path);
// load
if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_key_file(cred->x509, cert_path, pkey_path, GNUTLS_X509_FMT_PEM)))
JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_KEY_FILE);
}
// ok
cred->refcount = 1;
*ctx_cred = cred;
return SUCCESS;
error:
// release
ssl_client_cred_destroy(cred);
return ERROR_CODE(err);
}
void ssl_client_cred_get (struct ssl_client_cred *cred)
{
cred->refcount++;
}
void ssl_client_cred_put (struct ssl_client_cred *cred)
{
if (--cred->refcount == 0)
ssl_client_cred_destroy(cred);
}