terom@181: #include "ssl_internal.h" terom@181: terom@181: #include terom@181: terom@181: /* terom@181: * Global shared anonymous client credentials terom@181: */ terom@181: struct ssl_client_cred ssl_client_cred_anon = { .x509 = NULL, .verify = false, .refcount = 0 }; terom@181: terom@181: terom@181: // XXX: GnuTLS log func terom@181: void _log (int level, const char *msg) terom@181: { terom@181: printf("gnutls: %d: %s", level, msg); terom@181: } terom@181: terom@181: err_t ssl_global_init (error_t *err) terom@181: { terom@181: // global init terom@181: if ((ERROR_EXTRA(err) = gnutls_global_init()) < 0) terom@181: return SET_ERROR(err, ERR_GNUTLS_GLOBAL_INIT); terom@181: terom@181: // initialize the anon client credentials terom@181: if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&ssl_client_cred_anon.x509)) < 0) terom@181: return SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED); terom@181: terom@181: // XXX: debug terom@181: // gnutls_global_set_log_function(&_log); terom@181: // gnutls_global_set_log_level(11); terom@181: terom@181: // done terom@181: return SUCCESS; terom@181: } terom@181: terom@181: static void ssl_client_cred_destroy (struct ssl_client_cred *cred) terom@181: { terom@181: // simple terom@181: gnutls_certificate_free_credentials(cred->x509); terom@181: terom@181: free(cred); terom@181: } terom@181: terom@181: err_t ssl_client_cred_create (struct ssl_client_cred **ctx_cred, terom@181: const char *cafile_path, bool verify, terom@181: const char *cert_path, const char *pkey_path, terom@181: error_t *err terom@181: ) { terom@181: struct ssl_client_cred *cred; terom@181: terom@181: // alloc it terom@181: if ((cred = calloc(1, sizeof(*cred))) == NULL) terom@181: return SET_ERROR(err, ERR_CALLOC); terom@181: terom@181: // create the cert terom@181: if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&cred->x509)) < 0) terom@181: JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED); terom@181: terom@181: // load the trusted ca certs? terom@181: if (cafile_path) { terom@181: // load them terom@181: if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_trust_file(cred->x509, cafile_path, GNUTLS_X509_FMT_PEM)) < 0) terom@181: JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_TRUST_FILE); terom@181: terom@181: } terom@181: terom@181: // set the verify flags? terom@181: cred->verify = verify; terom@181: gnutls_certificate_set_verify_flags(cred->x509, 0); terom@181: terom@181: // load the client cert? terom@181: if (cert_path || pkey_path) { terom@181: // need both... terom@181: assert(cert_path && pkey_path); terom@181: terom@181: // load terom@181: if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_key_file(cred->x509, cert_path, pkey_path, GNUTLS_X509_FMT_PEM))) terom@181: JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_KEY_FILE); terom@181: } terom@181: terom@181: // ok terom@181: cred->refcount = 1; terom@181: *ctx_cred = cred; terom@181: terom@181: return SUCCESS; terom@181: terom@181: error: terom@181: // release terom@181: ssl_client_cred_destroy(cred); terom@181: terom@181: return ERROR_CODE(err); terom@181: } terom@181: terom@181: void ssl_client_cred_get (struct ssl_client_cred *cred) terom@181: { terom@181: cred->refcount++; terom@181: } terom@181: terom@181: void ssl_client_cred_put (struct ssl_client_cred *cred) terom@181: { terom@181: if (--cred->refcount == 0) terom@181: ssl_client_cred_destroy(cred); terom@181: }