X-Git-Url: http://git.cascardo.eti.br/?a=blobdiff_plain;f=hcconn_ssl.c;h=aaf8037257167ae315592801d1f08e7d358972ac;hb=d2906090b274ce2698952608ccf737912f7725d5;hp=5956acc9531ebd9802dfeeaf9f21b0241db86baf;hpb=78fd5267a0533ca82c2c7733f24ed62f13023f9c;p=cascardo%2Frnetproxy.git diff --git a/hcconn_ssl.c b/hcconn_ssl.c index 5956acc..aaf8037 100644 --- a/hcconn_ssl.c +++ b/hcconn_ssl.c @@ -30,23 +30,71 @@ struct ssl_data gnutls_session_t session; GString *buffer; gboolean handshaking; + gboolean failed; gpointer lowconn; }; -static struct ssl_data * -ssl_data_new (void) +#define DH_BITS 1024 +void * +hc_conn_ssl_server_init_credentials (char *certfile, char *keyfile) +{ + static int initialized = 0; + static gnutls_certificate_credentials_t cred; + gnutls_dh_params_t dh_params; + if (initialized) + return cred; + gnutls_dh_params_init (&dh_params); + gnutls_dh_params_generate2 (dh_params, DH_BITS); + gnutls_certificate_allocate_credentials (&cred); + gnutls_certificate_set_x509_key_file (cred, certfile, keyfile, + GNUTLS_X509_FMT_PEM); + gnutls_certificate_set_dh_params (cred, dh_params); + initialized = 1; + return cred; +} + +static void * +ssl_server_get_credentials(void) +{ + return hc_conn_ssl_server_init_credentials (NULL, NULL); +} + +static void +ssl_server_session_new (gnutls_session_t *session) +{ + static void *cred; + cred = ssl_server_get_credentials (); + gnutls_init (session, GNUTLS_SERVER); + gnutls_set_default_priority (*session); + gnutls_credentials_set (*session, GNUTLS_CRD_CERTIFICATE, cred); + gnutls_dh_set_prime_bits (*session, DH_BITS); +} +#undef DH_BITS + +static void +ssl_client_session_new (gnutls_session_t *session) { - struct ssl_data *ssl; int kx_prio[] = {GNUTLS_KX_RSA, 0}; gnutls_certificate_credentials cred; gnutls_certificate_allocate_credentials (&cred); + gnutls_init (session, GNUTLS_CLIENT); + gnutls_set_default_priority (*session); + gnutls_kx_set_priority (*session, kx_prio); + gnutls_credentials_set (*session, GNUTLS_CRD_CERTIFICATE, cred); +} + +static struct ssl_data * +ssl_data_new (int server) +{ + struct ssl_data *ssl; ssl = g_slice_new (struct ssl_data); - gnutls_init (&ssl->session, GNUTLS_CLIENT); - gnutls_set_default_priority (ssl->session); - gnutls_kx_set_priority (ssl->session, kx_prio); - gnutls_credentials_set (ssl->session, GNUTLS_CRD_CERTIFICATE, cred); + if (server) + ssl_server_session_new (&ssl->session); + else + ssl_client_session_new (&ssl->session); ssl->buffer = g_string_sized_new (4096); ssl->handshaking = FALSE; + ssl->failed = FALSE; return ssl; } @@ -92,25 +140,31 @@ ssl_pull (gnutls_transport_ptr_t ptr, void *buffer, size_t len) } if (r == 0) { - gnutls_transport_set_errno (ssl->session, EAGAIN); + errno = (EAGAIN); return -1; } return r; } static void -ssl_server_handshake (struct ssl_data *ssl) +ssl_server_handshake (HCConn *conn) { + struct ssl_data *ssl = conn->layer; int error; if ((error = gnutls_handshake (ssl->session)) < 0) { if (gnutls_error_is_fatal (error)) - g_critical ("Fatal error while doing TLS handshaking: %s\n", - gnutls_strerror (error)); + { + g_critical ("Fatal error while doing TLS handshaking: %s\n", + gnutls_strerror (error)); + ssl->failed = TRUE; + } } else { ssl->handshaking = FALSE; + if (conn->func) + conn->func (conn, HC_EVENT_CONNECT, conn->data); } } @@ -122,7 +176,7 @@ ssl_server_connect (HCConn *conn) gnutls_transport_set_push_function (ssl->session, ssl_push); gnutls_transport_set_pull_function (ssl->session, ssl_pull); ssl->handshaking = TRUE; - ssl_server_handshake (ssl); + ssl_server_handshake (conn); } static void @@ -158,24 +212,35 @@ hc_conn_ssl_watch (HCConn *conn, HCEvent event, gpointer data) HCConn *ssl_conn = data; struct ssl_data *ssl = ssl_conn->layer; int r; - if (event != HC_EVENT_READ) - return; - if (ssl->handshaking) + switch (event) { - ssl_server_handshake (ssl); - return; + case HC_EVENT_READ: + if (ssl->handshaking) + { + ssl_server_handshake (ssl_conn); + /* FIXME: create HC_CONN_ERROR */ + if (ssl->failed && ssl_conn->func) + ssl_conn->func (ssl_conn, HC_EVENT_CLOSE, ssl_conn->data); + return; + } + while ((r = hc_conn_read (ssl->lowconn, buffer, sizeof (buffer))) > 0) + g_string_append_len (ssl->buffer, buffer, r); + if (ssl_conn->func && !ssl->handshaking) + ssl_conn->func (ssl_conn, event, ssl_conn->data); + break; + case HC_EVENT_CLOSE: + if (ssl_conn->func) + ssl_conn->func (ssl_conn, event, ssl_conn->data); } - while ((r = hc_conn_read (ssl->lowconn, buffer, sizeof (buffer))) > 0) - g_string_append_len (ssl->buffer, buffer, r); - if (ssl_conn->func && !ssl->handshaking) - ssl_conn->func (ssl_conn, event, ssl_conn->data); - return; } -void -hc_conn_set_driver_ssl (HCConn *conn, HCConn *lowconn) +static int +hc_conn_set_driver_ssl (HCConn *conn, HCConn *lowconn, int server) { - struct ssl_data *ssl = ssl_data_new (); + struct ssl_data *ssl; + ssl = ssl_data_new (server); + if (ssl == NULL) + return -1; ssl->lowconn = lowconn; conn->layer = ssl; conn->read = hc_conn_ssl_read; @@ -183,4 +248,17 @@ hc_conn_set_driver_ssl (HCConn *conn, HCConn *lowconn) conn->close = hc_conn_ssl_close; hc_conn_set_callback (lowconn, hc_conn_ssl_watch, conn); ssl_server_connect (conn); + return 0; +} + +int +hc_conn_set_driver_ssl_client (HCConn *conn, HCConn *lowconn) +{ + return hc_conn_set_driver_ssl (conn, lowconn, 0); +} + +int +hc_conn_set_driver_ssl_server (HCConn *conn, HCConn *lowconn) +{ + return hc_conn_set_driver_ssl (conn, lowconn, 1); }