32 #include "../base/hosts.h"
34 #include <arpa/inet.h>
39 #include <gnutls/x509.h>
44 #include <sys/socket.h>
45 #include <sys/types.h>
52 #define G_LOG_DOMAIN "lib serv"
63 const gchar *, gnutls_session_t *,
64 gnutls_certificate_credentials_t *);
79 if (fcntl (client_connection->
socket, F_SETFL, O_NONBLOCK) == -1)
81 g_warning (
"%s: failed to set server socket flag: %s\n", __FUNCTION__,
86 if (shutdown (client_connection->
socket, SHUT_RDWR) == -1)
88 if (errno == ENOTCONN)
90 g_warning (
"%s: failed to shutdown server socket: %s\n", __FUNCTION__,
95 if (close (client_connection->
socket) == -1)
97 g_warning (
"%s: failed to close server socket: %s\n", __FUNCTION__,
113 if (client_connection->
tls)
135 ret = gnutls_certificate_verify_peers2 (session, &status);
138 g_warning (
"%s: failed to verify peers: %s", __FUNCTION__,
139 gnutls_strerror (ret));
143 if (status & GNUTLS_CERT_INVALID)
144 g_warning (
"%s: the certificate is not trusted", __FUNCTION__);
146 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
147 g_warning (
"%s: the certificate's issuer is not a CA", __FUNCTION__);
149 if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
150 g_warning (
"%s: the certificate was signed using an insecure algorithm",
153 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
154 g_warning (
"%s: the certificate hasn't got a known issuer", __FUNCTION__);
156 if (status & GNUTLS_CERT_REVOKED)
157 g_warning (
"%s: the certificate has been revoked", __FUNCTION__);
159 if (status & GNUTLS_CERT_EXPIRED)
160 g_warning (
"%s: the certificate has expired", __FUNCTION__);
162 if (status & GNUTLS_CERT_NOT_ACTIVATED)
163 g_warning (
"%s: the certificate is not yet activated", __FUNCTION__);
186 if (!(f = fopen (file,
"r")) || fseek (f, 0, SEEK_END) != 0
187 || (filelen = ftell (f)) < 0 || fseek (f, 0, SEEK_SET) != 0
188 || !(ptr = g_malloc0 ((
size_t) filelen))
189 || fread (ptr, 1, (
size_t) filelen, f) < (
size_t) filelen)
196 loaded_file->data = ptr;
197 loaded_file->size = filelen;
282 const gnutls_datum_t *req_ca_rdn,
int nreqs,
283 const gnutls_pk_algorithm_t *sign_algos,
284 int sign_algos_length, gnutls_retr2_st *st)
288 static gnutls_x509_crt_t crt;
289 static gnutls_x509_privkey_t key;
295 (void) sign_algos_length;
298 gnutls_x509_crt_init (&crt);
299 ret = gnutls_x509_crt_import (crt, &data, GNUTLS_X509_FMT_PEM);
303 st->cert.x509 = &crt;
304 st->cert_type = GNUTLS_CRT_X509;
309 gnutls_x509_privkey_init (&key);
310 ret = gnutls_x509_privkey_import (key, &data, GNUTLS_X509_FMT_PEM);
315 st->key_type = GNUTLS_PRIVKEY_X509;
334 const char *ca_mem,
const char *pub_mem,
335 const char *priv_mem,
int verify)
339 struct addrinfo address_hints;
340 struct addrinfo *addresses, *
address;
344 gnutls_certificate_credentials_t credentials;
347 if (port < 1 || port > 65535)
349 g_warning (
"Failed to create client TLS session. "
358 g_warning (
"Failed to create client TLS session. Invalid host %s", host);
368 g_warning (
"Failed to create client TLS session.");
372 if (ca_mem && pub_mem && priv_mem)
377 gnutls_certificate_set_retrieve_function (credentials,
383 port_string = g_strdup_printf (
"%i", port);
387 memset (&address_hints, 0,
sizeof (address_hints));
388 address_hints.ai_family = AF_UNSPEC;
389 address_hints.ai_socktype = SOCK_STREAM;
390 address_hints.ai_protocol = 0;
392 if (getaddrinfo (host, port_string, &address_hints, &addresses))
394 g_free (port_string);
395 g_warning (
"Failed to get server addresses for %s: %s", host,
396 gai_strerror (errno));
397 gnutls_deinit (*session);
398 gnutls_certificate_free_credentials (credentials);
401 g_free (port_string);
409 if (
address->ai_family == AF_INET6)
410 server_socket = socket (PF_INET6, SOCK_STREAM, 0);
412 server_socket = socket (PF_INET, SOCK_STREAM, 0);
413 if (server_socket == -1)
415 g_warning (
"Failed to create server socket");
416 freeaddrinfo (addresses);
417 gnutls_deinit (*session);
418 gnutls_certificate_free_credentials (credentials);
424 if (connect (server_socket,
address->ai_addr,
address->ai_addrlen) == -1)
426 close (server_socket);
432 freeaddrinfo (addresses);
436 g_warning (
"Failed to connect to server");
437 gnutls_deinit (*session);
438 gnutls_certificate_free_credentials (credentials);
442 g_debug (
" Connected to server '%s' port %d.", host, port);
450 close (server_socket);
451 gnutls_deinit (*session);
452 gnutls_certificate_free_credentials (credentials);
454 close (server_socket);
459 close (server_socket);
463 return server_socket;
482 int port,
const char *ca_mem,
const char *pub_mem,
483 const char *priv_mem)
486 ca_mem && pub_mem && priv_mem);
546 unsigned int retries;
548 gnutls_transport_set_ptr (*session,
549 (gnutls_transport_ptr_t) GSIZE_TO_POINTER (socket));
554 int ret = gnutls_handshake (*session);
557 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
560 usleep (MIN ((retries - 10) * 10000, 5000000));
565 g_debug (
"Failed to shake hands with server '%s' port %d: %s", host,
566 port, gnutls_strerror (ret));
568 g_debug (
"Failed to shake hands with peer: %s", gnutls_strerror (ret));
569 if (shutdown (socket, SHUT_RDWR) == -1)
570 g_debug (
"Failed to shutdown server socket");
574 g_debug (
" Shook hands with server '%s' port %d.", host, port);
576 g_debug (
" Shook hands with peer.");
612 va_list ap,
int quiet)
617 left = vasprintf (&
string, fmt, ap);
627 g_debug (
" send %d from %.*s[...]", left, left < 30 ? left : 30,
629 count = gnutls_record_send (*session,
string, left);
632 if (count == GNUTLS_E_INTERRUPTED)
635 if (count == GNUTLS_E_REHANDSHAKE)
639 g_message (
" %s rehandshake", __FUNCTION__);
642 g_warning (
"Failed to write to server: %s", gnutls_strerror (count));
650 g_debug (
"= server closed");
655 g_debug (
"=> %.*s", (
int) count,
string);
681 char *string_start, *string;
684 left = vasprintf (&
string, fmt, ap);
688 string_start = string;
694 g_debug (
" send %d from %.*s[...]", left, left < 30 ? left : 30,
696 count = write (socket,
string, left);
699 if (errno == EINTR || errno == EAGAIN)
701 g_warning (
"Failed to write to server: %s", strerror (errno));
706 g_debug (
"=> %.*s", (
int) count,
string);
715 g_free (string_start);
732 va_list ap,
int quiet)
830 va_start (ap, format);
850 va_start (ap, format);
870 va_start (ap, format);
891 va_start (ap, format);
914 va_start (ap, format);
915 msg = g_markup_vprintf_escaped (format, ap);
939 va_start (ap, format);
940 msg = g_markup_vprintf_escaped (format, ap);
966 va_start (ap, format);
967 msg = g_markup_vprintf_escaped (format, ap);
988 const char *format, ...)
994 va_start (ap, format);
995 msg = g_markup_vprintf_escaped (format, ap);
1013 gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
1016 if (gnutls_global_init ())
1018 g_warning (
"Failed to initialize GNUTLS.");
1022 if (gnutls_certificate_allocate_credentials (server_credentials))
1024 g_warning (
"%s: failed to allocate server credentials\n", __FUNCTION__);
1043 gnutls_session_t *server_session,
1044 gnutls_certificate_credentials_t *server_credentials)
1048 if (gnutls_init (server_session, end_type))
1050 g_warning (
"%s: failed to initialise server session\n", __FUNCTION__);
1062 if ((err_gnutls = gnutls_priority_set_direct (
1063 *server_session, priority ? priority :
"NORMAL", NULL)))
1065 g_warning (
"%s: failed to set tls priorities: %s\n", __FUNCTION__,
1066 gnutls_strerror (err_gnutls));
1067 gnutls_deinit (*server_session);
1071 if (gnutls_credentials_set (*server_session, GNUTLS_CRD_CERTIFICATE,
1072 *server_credentials))
1074 g_warning (
"%s: failed to set server credentials\n", __FUNCTION__);
1075 gnutls_deinit (*server_session);
1079 if (end_type == GNUTLS_SERVER)
1080 gnutls_certificate_server_set_request (*server_session,
1081 GNUTLS_CERT_REQUEST);
1101 const gchar *ca_cert_file,
const gchar *cert_file,
1102 const gchar *key_file, gnutls_session_t *server_session,
1103 gnutls_certificate_credentials_t *server_credentials)
1108 if (cert_file && key_file)
1112 ret = gnutls_certificate_set_x509_key_file (
1113 *server_credentials, cert_file, key_file, GNUTLS_X509_FMT_PEM);
1116 g_warning (
"%s: failed to set credentials key file: %s\n",
1117 __FUNCTION__, gnutls_strerror (ret));
1118 g_warning (
"%s: cert file: %s\n", __FUNCTION__, cert_file);
1119 g_warning (
"%s: key file : %s\n", __FUNCTION__, key_file);
1120 gnutls_certificate_free_credentials (*server_credentials);
1129 ret = gnutls_certificate_set_x509_trust_file (
1130 *server_credentials, ca_cert_file, GNUTLS_X509_FMT_PEM);
1133 g_warning (
"%s: failed to set credentials trust file: %s\n",
1134 __FUNCTION__, gnutls_strerror (ret));
1135 g_warning (
"%s: trust file: %s\n", __FUNCTION__, ca_cert_file);
1136 gnutls_certificate_free_credentials (*server_credentials);
1142 server_credentials))
1144 gnutls_certificate_free_credentials (*server_credentials);
1166 gchar *key_file, gnutls_session_t *server_session,
1167 gnutls_certificate_credentials_t *server_credentials)
1170 server_session, server_credentials);
1188 const char *pub_key,
const char *priv_key,
1189 gnutls_session_t *session,
1190 gnutls_certificate_credentials_t *credentials)
1195 if (pub_key && priv_key)
1198 gnutls_datum_t pub, priv;
1200 pub.data = (
void *) pub_key;
1201 pub.size = strlen (pub_key);
1202 priv.data = (
void *) priv_key;
1203 priv.size = strlen (priv_key);
1205 ret = gnutls_certificate_set_x509_key_mem (*credentials, &pub, &priv,
1206 GNUTLS_X509_FMT_PEM);
1209 g_warning (
"%s: %s\n", __FUNCTION__, gnutls_strerror (ret));
1217 gnutls_datum_t data;
1219 data.data = (
void *) ca_cert;
1220 data.size = strlen (ca_cert);
1221 ret = gnutls_certificate_set_x509_trust_mem (*credentials, &data,
1222 GNUTLS_X509_FMT_PEM);
1225 g_warning (
"%s: %s\n", __FUNCTION__, gnutls_strerror (ret));
1226 gnutls_certificate_free_credentials (*credentials);
1233 gnutls_certificate_free_credentials (*credentials);
1250 const char *dhparams_file)
1253 gnutls_datum_t data;
1255 if (!creds || !dhparams_file)
1260 gnutls_dh_params_t params = g_malloc0 (
sizeof (gnutls_dh_params_t));
1261 ret = gnutls_dh_params_import_pkcs3 (params, &data, GNUTLS_X509_FMT_PEM);
1266 gnutls_certificate_set_dh_params (creds, params);
1284 gnutls_certificate_credentials_t server_credentials)
1288 if (fcntl (server_socket, F_SETFL, O_NONBLOCK) == -1)
1290 g_warning (
"%s: failed to set server socket flag: %s\n", __FUNCTION__,
1297 int ret = gnutls_bye (server_session, GNUTLS_SHUT_WR);
1298 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
1304 g_debug (
" Failed to gnutls_bye: %s\n",
1305 gnutls_strerror ((
int) ret));
1319 if (server_credentials)
1321 if (close (server_socket) == -1)
1323 g_warning (
"%s: failed to close server socket: %s\n", __FUNCTION__,
1327 gnutls_deinit (server_session);
1328 gnutls_certificate_free_credentials (server_credentials);
1332 gnutls_deinit (server_session);
1333 close (server_socket);
1336 gnutls_global_deinit ();