/*
** Copyright (C) 2006 Thadeu Lima de Souza Cascardo <cascardo@minaslivre.org>
-** Copyright (C) 2009 Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
+** Copyright (C) 2009 Thadeu Lima de Souza Cascardo <cascardo@minaslivre.org>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
gnutls_session_t session;
GString *buffer;
gboolean handshaking;
+ gboolean failed;
gpointer lowconn;
};
-static struct ssl_data *
-ssl_data_new (void)
+#define DH_BITS 1024
+void *
+hc_conn_ssl_server_init_credentials (char *certfile, char *keyfile)
+{
+ static int initialized = 0;
+ static gnutls_certificate_credentials_t cred;
+ gnutls_dh_params_t dh_params;
+ if (initialized)
+ return cred;
+ gnutls_dh_params_init (&dh_params);
+ gnutls_dh_params_generate2 (dh_params, DH_BITS);
+ gnutls_certificate_allocate_credentials (&cred);
+ gnutls_certificate_set_x509_key_file (cred, certfile, keyfile,
+ GNUTLS_X509_FMT_PEM);
+ gnutls_certificate_set_dh_params (cred, dh_params);
+ initialized = 1;
+ return cred;
+}
+
+static void *
+ssl_server_get_credentials(void)
+{
+ return hc_conn_ssl_server_init_credentials (NULL, NULL);
+}
+
+static void
+ssl_server_session_new (gnutls_session_t *session)
+{
+ static void *cred;
+ cred = ssl_server_get_credentials ();
+ gnutls_init (session, GNUTLS_SERVER);
+ gnutls_set_default_priority (*session);
+ gnutls_credentials_set (*session, GNUTLS_CRD_CERTIFICATE, cred);
+ gnutls_dh_set_prime_bits (*session, DH_BITS);
+}
+#undef DH_BITS
+
+static void
+ssl_client_session_new (gnutls_session_t *session)
{
- struct ssl_data *ssl;
int kx_prio[] = {GNUTLS_KX_RSA, 0};
gnutls_certificate_credentials cred;
gnutls_certificate_allocate_credentials (&cred);
+ gnutls_init (session, GNUTLS_CLIENT);
+ gnutls_set_default_priority (*session);
+ gnutls_kx_set_priority (*session, kx_prio);
+ gnutls_credentials_set (*session, GNUTLS_CRD_CERTIFICATE, cred);
+}
+
+static struct ssl_data *
+ssl_data_new (int server)
+{
+ struct ssl_data *ssl;
ssl = g_slice_new (struct ssl_data);
- gnutls_init (&ssl->session, GNUTLS_CLIENT);
- gnutls_set_default_priority (ssl->session);
- gnutls_kx_set_priority (ssl->session, kx_prio);
- gnutls_credentials_set (ssl->session, GNUTLS_CRD_CERTIFICATE, cred);
+ if (server)
+ ssl_server_session_new (&ssl->session);
+ else
+ ssl_client_session_new (&ssl->session);
ssl->buffer = g_string_sized_new (4096);
ssl->handshaking = FALSE;
+ ssl->failed = FALSE;
return ssl;
}
}
if (r == 0)
{
- gnutls_transport_set_errno (ssl->session, EAGAIN);
+ errno = (EAGAIN);
return -1;
}
return r;
}
static void
-ssl_server_handshake (struct ssl_data *ssl)
+ssl_server_handshake (HCConn *conn)
{
+ struct ssl_data *ssl = conn->layer;
int error;
if ((error = gnutls_handshake (ssl->session)) < 0)
{
if (gnutls_error_is_fatal (error))
- g_critical ("Fatal error while doing TLS handshaking: %s\n",
- gnutls_strerror (error));
+ {
+ g_critical ("Fatal error while doing TLS handshaking: %s\n",
+ gnutls_strerror (error));
+ ssl->failed = TRUE;
+ }
}
else
{
ssl->handshaking = FALSE;
+ if (conn->func)
+ conn->func (conn, HC_EVENT_CONNECT, conn->data);
}
}
gnutls_transport_set_push_function (ssl->session, ssl_push);
gnutls_transport_set_pull_function (ssl->session, ssl_pull);
ssl->handshaking = TRUE;
- ssl_server_handshake (ssl);
+ ssl_server_handshake (conn);
}
static void
HCConn *ssl_conn = data;
struct ssl_data *ssl = ssl_conn->layer;
int r;
- if (event != HC_EVENT_READ)
- return;
- if (ssl->handshaking)
+ switch (event)
{
- ssl_server_handshake (ssl);
- return;
+ case HC_EVENT_READ:
+ if (ssl->handshaking)
+ {
+ ssl_server_handshake (ssl_conn);
+ /* FIXME: create HC_CONN_ERROR */
+ if (ssl->failed && ssl_conn->func)
+ ssl_conn->func (ssl_conn, HC_EVENT_CLOSE, ssl_conn->data);
+ return;
+ }
+ while ((r = hc_conn_read (ssl->lowconn, buffer, sizeof (buffer))) > 0)
+ g_string_append_len (ssl->buffer, buffer, r);
+ if (ssl_conn->func && !ssl->handshaking)
+ ssl_conn->func (ssl_conn, event, ssl_conn->data);
+ break;
+ case HC_EVENT_CLOSE:
+ if (ssl_conn->func)
+ ssl_conn->func (ssl_conn, event, ssl_conn->data);
}
- while ((r = hc_conn_read (ssl->lowconn, buffer, sizeof (buffer))) > 0)
- g_string_append_len (ssl->buffer, buffer, r);
- if (ssl_conn->func && !ssl->handshaking)
- ssl_conn->func (ssl_conn, event, ssl_conn->data);
- return;
}
-void
-hc_conn_set_driver_ssl (HCConn *conn, HCConn *lowconn)
+static int
+hc_conn_set_driver_ssl (HCConn *conn, HCConn *lowconn, int server)
{
- struct ssl_data *ssl = ssl_data_new ();
+ struct ssl_data *ssl;
+ ssl = ssl_data_new (server);
+ if (ssl == NULL)
+ return -1;
ssl->lowconn = lowconn;
conn->layer = ssl;
conn->read = hc_conn_ssl_read;
conn->close = hc_conn_ssl_close;
hc_conn_set_callback (lowconn, hc_conn_ssl_watch, conn);
ssl_server_connect (conn);
+ return 0;
+}
+
+int
+hc_conn_set_driver_ssl_client (HCConn *conn, HCConn *lowconn)
+{
+ return hc_conn_set_driver_ssl (conn, lowconn, 0);
+}
+
+int
+hc_conn_set_driver_ssl_server (HCConn *conn, HCConn *lowconn)
+{
+ return hc_conn_set_driver_ssl (conn, lowconn, 1);
+}
+
+void
+hc_conn_ssl_server_set_priority (HCConn *conn, char *priority)
+{
+ struct ssl_data *ssl;
+ ssl = conn->layer;
+ gnutls_priority_set_direct (ssl->session, priority, NULL);
}
projects / cascardo / rnetproxy.git / blobdiff