summaryrefslogtreecommitdiffstats
path: root/runtime/nsd_gtls.c
diff options
context:
space:
mode:
Diffstat (limited to 'runtime/nsd_gtls.c')
-rw-r--r--runtime/nsd_gtls.c127
1 files changed, 122 insertions, 5 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index a06d7cca..51d32b6c 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -35,6 +35,13 @@
#include "nsd_ptcp.h"
#include "nsd_gtls.h"
+/* things to move to some better place/functionality - TODO */
+#define DH_BITS 1024
+#define CAFILE "ca.pem" // TODO: allow to specify
+#define KEYFILE "key.pem"
+#define CERTFILE "cert.pem"
+#define CRLFILE "crl.pem"
+
MODULE_TYPE_LIB
/* static data */
@@ -43,19 +50,36 @@ DEFobjCurrIf(errmsg)
DEFobjCurrIf(glbl)
DEFobjCurrIf(nsd_ptcp)
+static int bGlblSrvrInitDone = 0; /**< 0 - server global init not yet done, 1 - already done */
/* a macro to check GnuTLS calls against unexpected errors */
#define CHKgnutls(x) \
if((gnuRet = (x)) != 0) { \
- dbgprintf("unexpected GnuTLS error %d in %s:%d\n", gnuRet, __FILE__, __LINE__); \
- gnutls_perror(gnuRet); /* TODO: can we do better? */ \
+ uchar *pErr = gtlsStrerror(gnuRet); \
+ dbgprintf("unexpected GnuTLS error %d in %s:%d: %s\n", gnuRet, __FILE__, __LINE__, pErr); \
+ free(pErr); \
ABORT_FINALIZE(RS_RET_GNUTLS_ERR); \
}
-#define CAFILE "ca.pem" // TODO: allow to specify
/* ------------------------------ GnuTLS specifics ------------------------------ */
static gnutls_certificate_credentials xcred;
+static gnutls_dh_params dh_params;
+
+/* a thread-safe variant of gnutls_strerror - TODO: implement it!
+ * The caller must free the returned string.
+ * rgerhards, 2008-04-30
+ */
+uchar *gtlsStrerror(int error)
+{
+ uchar *pErr;
+
+ // TODO: guard by mutex!
+ pErr = (uchar*) strdup(gnutls_strerror(error));
+
+ return pErr;
+}
+
/* globally initialize GnuTLS */
static rsRetVal
@@ -76,6 +100,71 @@ finalize_it:
RETiRet;
}
+static rsRetVal
+gtlsInitSession(nsd_gtls_t *pThis)
+{
+ DEFiRet;
+ int gnuRet;
+ gnutls_session session;
+
+ gnutls_init(&session, GNUTLS_SERVER);
+ pThis->bHaveSess = 1;
+ pThis->bIsInitiator = 0;
+
+ /* avoid calling all the priority functions, since the defaults are adequate. */
+ CHKgnutls(gnutls_set_default_priority(session));
+ CHKgnutls(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred));
+
+ /* request client certificate if any. */
+ gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUEST);
+ gnutls_dh_set_prime_bits(session, DH_BITS);
+
+ pThis->sess = session;
+
+finalize_it:
+ RETiRet;
+}
+
+
+
+static rsRetVal
+generate_dh_params(void)
+{
+ int gnuRet;
+ DEFiRet;
+ /* Generate Diffie Hellman parameters - for use with DHE
+ * kx algorithms. These should be discarded and regenerated
+ * once a day, once a week or once a month. Depending on the
+ * security requirements.
+ */
+ CHKgnutls(gnutls_dh_params_init( &dh_params));
+ CHKgnutls(gnutls_dh_params_generate2( dh_params, DH_BITS));
+finalize_it:
+ RETiRet;
+}
+
+
+/* set up all global things that are needed for server operations
+ * rgerhards, 2008-04-30
+ */
+static rsRetVal
+gtlsGlblInitLstn(void)
+{
+ int gnuRet;
+ DEFiRet;
+
+ if(bGlblSrvrInitDone == 0) {
+ //CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));
+ CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM));
+ CHKiRet(generate_dh_params());
+ gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
+ bGlblSrvrInitDone = 1; /* we are all set now */
+ }
+
+finalize_it:
+ RETiRet;
+}
+
/* globally de-initialize GnuTLS */
static rsRetVal
@@ -100,9 +189,11 @@ gtlsEndSess(nsd_gtls_t *pThis)
DEFiRet;
if(pThis->bHaveSess) {
- gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR);
- while(gnuRet == GNUTLS_E_INTERRUPTED || gnuRet == GNUTLS_E_AGAIN) {
+ if(pThis->bIsInitiator) {
gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR);
+ while(gnuRet == GNUTLS_E_INTERRUPTED || gnuRet == GNUTLS_E_AGAIN) {
+ gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR);
+ }
}
gnutls_deinit(pThis->sess);
}
@@ -116,6 +207,7 @@ gtlsEndSess(nsd_gtls_t *pThis)
/* Standard-Constructor */
BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
iRet = nsd_ptcp.Construct(&pThis->pTcp);
+ pThis->iMode = 1; // TODO: remove!
ENDobjConstruct(nsd_gtls)
@@ -204,7 +296,9 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
uchar *pLstnPort, uchar *pLstnIP, int iSessMax)
{
DEFiRet;
+ CHKiRet(gtlsGlblInitLstn());
iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax);
+finalize_it:
RETiRet;
}
@@ -247,6 +341,7 @@ static rsRetVal
AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
{
DEFiRet;
+ int gnuRet;
nsd_gtls_t *pNew = NULL;
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
@@ -256,6 +351,23 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
CHKiRet(nsd_ptcp.Destruct(&pNew->pTcp));
CHKiRet(nsd_ptcp.AcceptConnReq(pThis->pTcp, &pNew->pTcp));
+ if(pThis->iMode == 0) {
+ /* we are in non-TLS mode, so we are done */
+ *ppNew = (nsd_t*) pNew;
+ FINALIZE;
+ }
+
+ /* if we reach this point, we are in TLS mode */
+ CHKiRet(gtlsInitSession(pNew));
+ gnutls_transport_set_ptr(pNew->sess, (gnutls_transport_ptr)((nsd_ptcp_t*) (pNew->pTcp))->sock);
+
+ /* we now do the handshake. This is a bit complicated, because we are
+ * on non-blocking sockets. Usually, the handshake will not complete
+ * immediately, so that we need to retry it some time later.
+ */
+ CHKgnutls(gnutls_handshake(pNew->sess));
+ pThis->iMode = 1; /* this session is now in TLS mode! */
+
*ppNew = (nsd_t*) pNew;
finalize_it:
@@ -280,6 +392,8 @@ static rsRetVal
Rcv(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
{
DEFiRet;
+ int gnuRet;
+ ssize_t lenRcvd;
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
ISOBJ_TYPE_assert(pThis, nsd_gtls);
@@ -289,6 +403,8 @@ Rcv(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
}
/* in TLS mode now */
+ lenRcvd = gnutls_record_recv(pThis->sess, pBuf, *pLenBuf);
+ *pLenBuf = lenRcvd;
finalize_it:
RETiRet;
@@ -358,6 +474,7 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host)
/* we reach this point if in TLS mode */
CHKgnutls(gnutls_init(&pThis->sess, GNUTLS_CLIENT));
pThis->bHaveSess = 1;
+ pThis->bIsInitiator = 1;
/* Use default priorities */
CHKgnutls(gnutls_set_default_priority(pThis->sess));
generated by cgit (git 2.34.1) at 2024-06-10 14:46:07 +0000