diff -r 5229a5d098b2 -r cefec18b8268 src/lib/ssl.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/lib/ssl.c Thu May 28 01:17:36 2009 +0300 @@ -0,0 +1,129 @@ +#include "ssl_internal.h" + +#include + +static const char* _gnutls_error_msg (const struct error_extra_type *type, const union error_extra *extra) +{ + (void) type; + + return gnutls_strerror(extra->int_); +} + +static const struct error_extra_type _gnutls_error_type = { + .name = "gnutls", + .msg_func = _gnutls_error_msg +}; + +const struct error_list ssl_errors = ERROR_LIST("gnutls", + ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_ALLOC_CRED, "gnutls_certificate_allocate_credentials", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_GLOBAL_INIT, "gnutls_global_init", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_SET_DEFAULT_PRIORITY, "gnutls_set_default_priority", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_CRED_SET, "gnutls_credentials_set", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_HANDSHAKE, "gnutls_handshake", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_SEND, "gnutls_record_send", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_RECV, "gnutls_record_recv", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_RECORD_GET_DIRECTION, "gnutls_record_get_direction", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_VERIFY_PEERS2, "gnutls_certificate_verify_peers2", &_gnutls_error_type ), + ERROR_TYPE_STRING( ERR_GNUTLS_CERT_VERIFY, "X.509 Certificate verification failed" ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_SET_X509_TRUST_FILE,"gnutls_certificate_set_x509_trust_file", &_gnutls_error_type ), + ERROR_TYPE_EXTRA( ERR_GNUTLS_CERT_SET_X509_KEY_FILE, "gnutls_certificate_set_x509_key_file", &_gnutls_error_type ) +); + +/* + * Global shared anonymous client credentials + */ +struct ssl_client_cred ssl_client_cred_anon = { .x509 = NULL, .verify = false, .refcount = 0 }; + + +// XXX: GnuTLS log func +void _log (int level, const char *msg) +{ + printf("gnutls: %d: %s", level, msg); +} + +err_t ssl_global_init (error_t *err) +{ + // global init + if ((ERROR_EXTRA(err) = gnutls_global_init()) < 0) + return SET_ERROR(err, ERR_GNUTLS_GLOBAL_INIT); + + // initialize the anon client credentials + if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&ssl_client_cred_anon.x509)) < 0) + return SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED); + + // XXX: debug +// gnutls_global_set_log_function(&_log); +// gnutls_global_set_log_level(11); + + // done + return SUCCESS; +} + +static void ssl_client_cred_destroy (struct ssl_client_cred *cred) +{ + // simple + gnutls_certificate_free_credentials(cred->x509); + + free(cred); +} + +err_t ssl_client_cred_create (struct ssl_client_cred **ctx_cred, + const char *cafile_path, bool verify, + const char *cert_path, const char *pkey_path, + error_t *err +) { + struct ssl_client_cred *cred; + + // alloc it + if ((cred = calloc(1, sizeof(*cred))) == NULL) + return SET_ERROR(err, ERR_CALLOC); + + // create the cert + if ((ERROR_EXTRA(err) = gnutls_certificate_allocate_credentials(&cred->x509)) < 0) + JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_ALLOC_CRED); + + // load the trusted ca certs? + if (cafile_path) { + // load them + if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_trust_file(cred->x509, cafile_path, GNUTLS_X509_FMT_PEM)) < 0) + JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_TRUST_FILE); + + } + + // set the verify flags? + cred->verify = verify; + gnutls_certificate_set_verify_flags(cred->x509, 0); + + // load the client cert? + if (cert_path || pkey_path) { + // need both... + assert(cert_path && pkey_path); + + // load + if ((ERROR_EXTRA(err) = gnutls_certificate_set_x509_key_file(cred->x509, cert_path, pkey_path, GNUTLS_X509_FMT_PEM))) + JUMP_SET_ERROR(err, ERR_GNUTLS_CERT_SET_X509_KEY_FILE); + } + + // ok + cred->refcount = 1; + *ctx_cred = cred; + + return SUCCESS; + +error: + // release + ssl_client_cred_destroy(cred); + + return ERROR_CODE(err); +} + +void ssl_client_cred_get (struct ssl_client_cred *cred) +{ + cred->refcount++; +} + +void ssl_client_cred_put (struct ssl_client_cred *cred) +{ + if (--cred->refcount == 0) + ssl_client_cred_destroy(cred); +}