This allows us to simplify things by getting rid of some old compatibility code. People should really be using current versions of GnuTLS anyway to stay secure.tags/v1.4.90
-- FLTK 1.3.3 or later | -- FLTK 1.3.3 or later | ||||
-- If building TLS support: | -- If building TLS support: | ||||
* GnuTLS | |||||
* GnuTLS 3.x | |||||
* See "Building TLS Support" below. | * See "Building TLS Support" below. | ||||
-- If building native language support (NLS): | -- If building native language support (NLS): |
include_directories(${GNUTLS_INCLUDE_DIR}) | include_directories(${GNUTLS_INCLUDE_DIR}) | ||||
add_definitions("-DHAVE_GNUTLS") | add_definitions("-DHAVE_GNUTLS") | ||||
add_definitions(${GNUTLS_DEFINITIONS}) | add_definitions(${GNUTLS_DEFINITIONS}) | ||||
# Detect old version of GnuTLS | |||||
set(CMAKE_REQUIRED_FLAGS -I${GNUTLS_INCLUDE_DIR}) | |||||
set(CMAKE_EXTRA_INCLUDE_FILES gnutls/gnutls.h) | |||||
set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES}) | |||||
if(WIN32) | |||||
set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES} ws2_32 user32) | |||||
endif() | |||||
if(ZLIB_FOUND) | |||||
# When we build against the static version of GnuTLS, we also use the | |||||
# included version of Zlib, but it isn't built yet, so we have to use the | |||||
# system's version (if available) to perform this test. | |||||
set(CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES};-lz) | |||||
endif() | |||||
check_function_exists(gnutls_transport_set_errno HAVE_GNUTLS_SET_ERRNO) | |||||
check_function_exists(gnutls_transport_set_global_errno HAVE_GNUTLS_SET_GLOBAL_ERRNO) | |||||
check_function_exists(gnutls_x509_crt_print HAVE_GNUTLS_X509_CRT_PRINT) | |||||
check_type_size(gnutls_x509_crt_t GNUTLS_X509_CRT_T) | |||||
check_type_size(gnutls_datum_t GNUTLS_DATUM_T) | |||||
check_type_size(gnutls_pk_algorithm_t GNUTLS_PK_ALGORITHM_T) | |||||
check_type_size(gnutls_sign_algorithm_t GNUTLS_SIGN_ALGORITHM_T) | |||||
set(CMAKE_REQUIRED_FLAGS) | |||||
set(CMAKE_EXTRA_INCLUDE_FILES) | |||||
set(CMAKE_REQUIRED_LIBRARIES) | |||||
endif() | endif() | ||||
endif() | endif() | ||||
add_library(os STATIC | add_library(os STATIC | ||||
w32tiger.c | w32tiger.c | ||||
os.cxx | |||||
tls.cxx) | |||||
os.cxx) | |||||
if(UNIX) | if(UNIX) | ||||
libtool_create_control_file(os) | libtool_create_control_file(os) |
/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. | |||||
* | |||||
* This is free software; you can redistribute it and/or modify | |||||
* it under the terms of the GNU General Public License as published by | |||||
* the Free Software Foundation; either version 2 of the License, or | |||||
* (at your option) any later version. | |||||
* | |||||
* This software is distributed in the hope that it will be useful, | |||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | |||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||||
* GNU General Public License for more details. | |||||
* | |||||
* You should have received a copy of the GNU General Public License | |||||
* along with this software; if not, write to the Free Software | |||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | |||||
* USA. | |||||
*/ | |||||
#ifdef HAVE_CONFIG_H | |||||
#include <config.h> | |||||
#endif | |||||
#include <os/tls.h> | |||||
#include <iomanip> | |||||
#include <stdio.h> | |||||
#include <stdlib.h> | |||||
#include <string.h> | |||||
#include <sstream> | |||||
#include <sys/types.h> | |||||
#include <time.h> | |||||
using namespace std; | |||||
#if defined(HAVE_GNUTLS) && !defined(WIN32) | |||||
#include <gnutls/gnutls.h> | |||||
#include <gnutls/x509.h> | |||||
#ifndef HAVE_GNUTLS_X509_CRT_PRINT | |||||
/* Ancient GNUTLS... */ | |||||
#if !defined(GNUTLS_VERSION_NUMBER) && !defined(LIBGNUTLS_VERSION_NUMBER) | |||||
#define GNUTLS_DIG_SHA1 GNUTLS_DIG_SHA | |||||
#endif | |||||
#define UNKNOWN_SUBJECT(err) \ | |||||
do { \ | |||||
ss << "unknown subject (" << gnutls_strerror(err) << "), "; \ | |||||
} while (0) | |||||
#define UNKNOWN_ISSUER(err) \ | |||||
do { \ | |||||
ss << "unknown issuer (" << gnutls_strerror(err) << "), "; \ | |||||
} while (0) | |||||
static void | |||||
hexprint(ostringstream &ss, const char *data, size_t len) | |||||
{ | |||||
size_t j; | |||||
char tmp[3]; | |||||
if (len == 0) | |||||
ss << "00"; | |||||
else { | |||||
for (j = 0; j < len; j++) { | |||||
snprintf(tmp, sizeof(tmp), "%.2x", (unsigned char) data[j]); | |||||
ss << tmp; | |||||
} | |||||
} | |||||
} | |||||
/* Implementation based on gnutls_x509_crt_print from GNUTLS */ | |||||
int | |||||
gnutls_x509_crt_print(gnutls_x509_crt_t cert, | |||||
gnutls_certificate_print_formats_t format, | |||||
gnutls_datum_t * out) | |||||
{ | |||||
ostringstream ss; | |||||
int err; | |||||
char *dn; | |||||
size_t dn_size = 0; | |||||
/* Subject */ | |||||
err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size); | |||||
if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) | |||||
UNKNOWN_SUBJECT(err); | |||||
else { | |||||
dn = (char *)malloc(dn_size); | |||||
if (dn == NULL) { | |||||
UNKNOWN_SUBJECT(GNUTLS_E_MEMORY_ERROR); | |||||
} else { | |||||
err = gnutls_x509_crt_get_dn(cert, dn, &dn_size); | |||||
if (err < 0) { | |||||
UNKNOWN_SUBJECT(err); | |||||
} else | |||||
ss << "subject `" << dn << "', "; | |||||
free(dn); | |||||
} | |||||
} | |||||
/* Issuer */ | |||||
dn = NULL; | |||||
dn_size = 0; | |||||
err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size); | |||||
if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) | |||||
UNKNOWN_ISSUER(err); | |||||
else { | |||||
dn = (char *)malloc(dn_size); | |||||
if (dn == NULL) { | |||||
UNKNOWN_ISSUER(GNUTLS_E_MEMORY_ERROR); | |||||
} else { | |||||
err = gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size); | |||||
if (err < 0) | |||||
UNKNOWN_ISSUER(err); | |||||
else | |||||
ss << "issuer `" << dn << "', "; | |||||
free(dn); | |||||
} | |||||
} | |||||
/* Key algorithm and size */ | |||||
unsigned int bits; | |||||
const char *name; | |||||
name = gnutls_pk_algorithm_get_name( (gnutls_pk_algorithm_t) | |||||
gnutls_x509_crt_get_pk_algorithm(cert, &bits)); | |||||
if (name == NULL) | |||||
name = "Unknown"; | |||||
ss << name << " key " << bits << " bits, "; | |||||
/* Signature algorithm */ | |||||
err = gnutls_x509_crt_get_signature_algorithm(cert); | |||||
if (err < 0) { | |||||
ss << "unknown signature algorithm (" << gnutls_strerror(err) | |||||
<< "), "; | |||||
} else { | |||||
const char *name; | |||||
name = gnutls_sign_algorithm_get_name((gnutls_sign_algorithm_t)err); | |||||
if (name == NULL) | |||||
name = "Unknown"; | |||||
ss << "signed using " << name; | |||||
if (err == GNUTLS_SIGN_RSA_MD5 || err == GNUTLS_SIGN_RSA_MD2) | |||||
ss << " (broken!)"; | |||||
ss << ", "; | |||||
} | |||||
/* Validity */ | |||||
time_t tim; | |||||
char s[42]; | |||||
size_t max = sizeof(s); | |||||
struct tm t; | |||||
tim = gnutls_x509_crt_get_activation_time(cert); | |||||
if (gmtime_r(&tim, &t) == NULL) | |||||
ss << "unknown activation (" << (unsigned long) tim << ")"; | |||||
else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) | |||||
ss << "failed activation (" << (unsigned long) tim << ")"; | |||||
else | |||||
ss << "activated `" << s << "'"; | |||||
ss << ", "; | |||||
tim = gnutls_x509_crt_get_expiration_time(cert); | |||||
if (gmtime_r(&tim, &t) == NULL) | |||||
ss << "unknown expiry (" << (unsigned long) tim << ")"; | |||||
else if (strftime(s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) | |||||
ss << "failed expiry (" << (unsigned long) tim << ")"; | |||||
else | |||||
ss << "expires `" << s << "'"; | |||||
ss << ", "; | |||||
/* Fingerprint */ | |||||
char buffer[20]; | |||||
size_t size = sizeof(buffer); | |||||
err = gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, buffer, &size); | |||||
if (err < 0) | |||||
ss << "unknown fingerprint (" << gnutls_strerror(err) << ")"; | |||||
else { | |||||
ss << "SHA-1 fingerprint `"; | |||||
hexprint(ss, buffer, size); | |||||
ss << "'"; | |||||
} | |||||
out->data = (unsigned char *) strdup(ss.str().c_str()); | |||||
if (out->data == NULL) | |||||
return GNUTLS_E_MEMORY_ERROR; | |||||
out->size = strlen((char *)out->data); | |||||
return 0; | |||||
} | |||||
#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ | |||||
#endif /* HAVE_GNUTLS */ | |||||
/* Copyright (C) 2011 TightVNC Team. All Rights Reserved. | |||||
* | |||||
* This is free software; you can redistribute it and/or modify | |||||
* it under the terms of the GNU General Public License as published by | |||||
* the Free Software Foundation; either version 2 of the License, or | |||||
* (at your option) any later version. | |||||
* | |||||
* This software is distributed in the hope that it will be useful, | |||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | |||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||||
* GNU General Public License for more details. | |||||
* | |||||
* You should have received a copy of the GNU General Public License | |||||
* along with this software; if not, write to the Free Software | |||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | |||||
* USA. | |||||
*/ | |||||
#ifndef OS_TLS_H | |||||
#define OS_TLS_H | |||||
#ifdef HAVE_CONFIG_H | |||||
#include <config.h> | |||||
#endif | |||||
#if defined(HAVE_GNUTLS) | |||||
#include <gnutls/gnutls.h> | |||||
#ifndef HAVE_GNUTLS_DATUM_T | |||||
typedef gnutls_datum gnutls_datum_t; | |||||
#endif | |||||
#ifndef HAVE_GNUTLS_X509_CRT_T | |||||
typedef gnutls_x509_crt gnutls_x509_crt_t; | |||||
#endif | |||||
#ifndef HAVE_GNUTLS_PK_ALGORITHM_T | |||||
typedef gnutls_pk_algorithm gnutls_pk_algorithm_t; | |||||
#endif | |||||
#ifndef HAVE_GNUTLS_SIGN_ALGORITHM_T | |||||
typedef gnutls_sign_algorithm gnutls_sign_algorithm_t; | |||||
#endif | |||||
#ifndef HAVE_GNUTLS_X509_CRT_PRINT | |||||
typedef enum { | |||||
GNUTLS_CRT_PRINT_ONELINE = 1 | |||||
} gnutls_certificate_print_formats_t; | |||||
/* | |||||
* Prints certificate in human-readable form. | |||||
*/ | |||||
int | |||||
gnutls_x509_crt_print(gnutls_x509_crt_t cert, | |||||
gnutls_certificate_print_formats_t format, | |||||
gnutls_datum_t * out); | |||||
#endif /* HAVE_GNUTLS_X509_CRT_PRINT */ | |||||
#endif /* HAVE_GNUTLS */ | |||||
#endif /* OS_TLS_H */ | |||||
/* Copyright (C) 2012 Pierre Ossman for Cendio AB | |||||
* | |||||
* This is free software; you can redistribute it and/or modify | |||||
* it under the terms of the GNU General Public License as published by | |||||
* the Free Software Foundation; either version 2 of the License, or | |||||
* (at your option) any later version. | |||||
* | |||||
* This software is distributed in the hope that it will be useful, | |||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | |||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||||
* GNU General Public License for more details. | |||||
* | |||||
* You should have received a copy of the GNU General Public License | |||||
* along with this software; if not, write to the Free Software | |||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | |||||
* USA. | |||||
*/ | |||||
#ifndef __RDR_TLSERRNO_H__ | |||||
#define __RDR_TLSERRNO_H__ | |||||
#ifdef HAVE_CONFIG_H | |||||
#include <config.h> | |||||
#endif | |||||
#ifdef HAVE_GNUTLS | |||||
#include <errno.h> | |||||
namespace rdr { | |||||
static inline void gnutls_errno_helper(gnutls_session session, int _errno) | |||||
{ | |||||
#if defined(HAVE_GNUTLS_SET_ERRNO) | |||||
gnutls_transport_set_errno(session, _errno); | |||||
#elif defined(HAVE_GNUTLS_SET_GLOBAL_ERRNO) | |||||
gnutls_transport_set_global_errno(_errno); | |||||
#else | |||||
errno = _errno; | |||||
#endif | |||||
} | |||||
}; | |||||
#endif | |||||
#endif |
#include <rdr/Exception.h> | #include <rdr/Exception.h> | ||||
#include <rdr/TLSException.h> | #include <rdr/TLSException.h> | ||||
#include <rdr/TLSInStream.h> | #include <rdr/TLSInStream.h> | ||||
#include <rdr/TLSErrno.h> | |||||
#include <errno.h> | #include <errno.h> | ||||
#ifdef HAVE_GNUTLS | #ifdef HAVE_GNUTLS | ||||
enum { DEFAULT_BUF_SIZE = 16384 }; | enum { DEFAULT_BUF_SIZE = 16384 }; | ||||
ssize_t TLSInStream::pull(gnutls_transport_ptr str, void* data, size_t size) | |||||
ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size) | |||||
{ | { | ||||
TLSInStream* self= (TLSInStream*) str; | TLSInStream* self= (TLSInStream*) str; | ||||
InStream *in = self->in; | InStream *in = self->in; | ||||
try { | try { | ||||
if (!in->check(1, 1, false)) { | if (!in->check(1, 1, false)) { | ||||
gnutls_errno_helper(self->session, EAGAIN); | |||||
gnutls_transport_set_errno(self->session, EAGAIN); | |||||
return -1; | return -1; | ||||
} | } | ||||
in->readBytes(data, size); | in->readBytes(data, size); | ||||
} catch (Exception& e) { | } catch (Exception& e) { | ||||
gnutls_errno_helper(self->session, EINVAL); | |||||
gnutls_transport_set_errno(self->session, EINVAL); | |||||
return -1; | return -1; | ||||
} | } | ||||
return size; | return size; | ||||
} | } | ||||
TLSInStream::TLSInStream(InStream* _in, gnutls_session _session) | |||||
TLSInStream::TLSInStream(InStream* _in, gnutls_session_t _session) | |||||
: session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0) | : session(_session), in(_in), bufSize(DEFAULT_BUF_SIZE), offset(0) | ||||
{ | { | ||||
gnutls_transport_ptr recv, send; | |||||
gnutls_transport_ptr_t recv, send; | |||||
ptr = end = start = new U8[bufSize]; | ptr = end = start = new U8[bufSize]; | ||||
class TLSInStream : public InStream { | class TLSInStream : public InStream { | ||||
public: | public: | ||||
TLSInStream(InStream* in, gnutls_session session); | |||||
TLSInStream(InStream* in, gnutls_session_t session); | |||||
virtual ~TLSInStream(); | virtual ~TLSInStream(); | ||||
int pos(); | int pos(); | ||||
private: | private: | ||||
int overrun(int itemSize, int nItems, bool wait); | int overrun(int itemSize, int nItems, bool wait); | ||||
int readTLS(U8* buf, int len, bool wait); | int readTLS(U8* buf, int len, bool wait); | ||||
static ssize_t pull(gnutls_transport_ptr str, void* data, size_t size); | |||||
static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size); | |||||
gnutls_session session; | |||||
gnutls_session_t session; | |||||
InStream* in; | InStream* in; | ||||
int bufSize; | int bufSize; | ||||
int offset; | int offset; |
#include <rdr/Exception.h> | #include <rdr/Exception.h> | ||||
#include <rdr/TLSException.h> | #include <rdr/TLSException.h> | ||||
#include <rdr/TLSOutStream.h> | #include <rdr/TLSOutStream.h> | ||||
#include <rdr/TLSErrno.h> | |||||
#include <errno.h> | #include <errno.h> | ||||
#ifdef HAVE_GNUTLS | #ifdef HAVE_GNUTLS | ||||
enum { DEFAULT_BUF_SIZE = 16384 }; | enum { DEFAULT_BUF_SIZE = 16384 }; | ||||
ssize_t TLSOutStream::push(gnutls_transport_ptr str, const void* data, | |||||
ssize_t TLSOutStream::push(gnutls_transport_ptr_t str, const void* data, | |||||
size_t size) | size_t size) | ||||
{ | { | ||||
TLSOutStream* self= (TLSOutStream*) str; | TLSOutStream* self= (TLSOutStream*) str; | ||||
out->writeBytes(data, size); | out->writeBytes(data, size); | ||||
out->flush(); | out->flush(); | ||||
} catch (Exception& e) { | } catch (Exception& e) { | ||||
gnutls_errno_helper(self->session, EINVAL); | |||||
gnutls_transport_set_errno(self->session, EINVAL); | |||||
return -1; | return -1; | ||||
} | } | ||||
return size; | return size; | ||||
} | } | ||||
TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session _session) | |||||
TLSOutStream::TLSOutStream(OutStream* _out, gnutls_session_t _session) | |||||
: session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0) | : session(_session), out(_out), bufSize(DEFAULT_BUF_SIZE), offset(0) | ||||
{ | { | ||||
gnutls_transport_ptr recv, send; | |||||
gnutls_transport_ptr_t recv, send; | |||||
ptr = start = new U8[bufSize]; | ptr = start = new U8[bufSize]; | ||||
end = start + bufSize; | end = start + bufSize; |
class TLSOutStream : public OutStream { | class TLSOutStream : public OutStream { | ||||
public: | public: | ||||
TLSOutStream(OutStream* out, gnutls_session session); | |||||
TLSOutStream(OutStream* out, gnutls_session_t session); | |||||
virtual ~TLSOutStream(); | virtual ~TLSOutStream(); | ||||
void flush(); | void flush(); | ||||
private: | private: | ||||
int writeTLS(const U8* data, int length); | int writeTLS(const U8* data, int length); | ||||
static ssize_t push(gnutls_transport_ptr str, const void* data, size_t size); | |||||
static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size); | |||||
gnutls_session session; | |||||
gnutls_session_t session; | |||||
OutStream* out; | OutStream* out; | ||||
int bufSize; | int bufSize; | ||||
U8* start; | U8* start; |
#include <rdr/TLSInStream.h> | #include <rdr/TLSInStream.h> | ||||
#include <rdr/TLSOutStream.h> | #include <rdr/TLSOutStream.h> | ||||
#include <os/os.h> | #include <os/os.h> | ||||
#include <os/tls.h> | |||||
#include <gnutls/x509.h> | #include <gnutls/x509.h> | ||||
void CSecurityTLS::setParam() | void CSecurityTLS::setParam() | ||||
{ | { | ||||
static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; | |||||
static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, | |||||
GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; | |||||
static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; | |||||
static const char kx_priority[] = "NORMAL"; | |||||
int ret; | |||||
const char *err; | |||||
if (anon) { | if (anon) { | ||||
if (gnutls_kx_set_priority(session, kx_anon_priority) != GNUTLS_E_SUCCESS) | |||||
throw AuthFailureException("gnutls_kx_set_priority failed"); | |||||
ret = gnutls_priority_set_direct(session, kx_anon_priority, &err); | |||||
if (ret != GNUTLS_E_SUCCESS) { | |||||
if (ret == GNUTLS_E_INVALID_REQUEST) | |||||
vlog.error("GnuTLS priority syntax error at: %s", err); | |||||
throw AuthFailureException("gnutls_set_priority_direct failed"); | |||||
} | |||||
if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS) | if (gnutls_anon_allocate_client_credentials(&anon_cred) != GNUTLS_E_SUCCESS) | ||||
throw AuthFailureException("gnutls_anon_allocate_client_credentials failed"); | throw AuthFailureException("gnutls_anon_allocate_client_credentials failed"); | ||||
vlog.debug("Anonymous session has been set"); | vlog.debug("Anonymous session has been set"); | ||||
} else { | } else { | ||||
if (gnutls_kx_set_priority(session, kx_priority) != GNUTLS_E_SUCCESS) | |||||
throw AuthFailureException("gnutls_kx_set_priority failed"); | |||||
ret = gnutls_priority_set_direct(session, kx_priority, &err); | |||||
if (ret != GNUTLS_E_SUCCESS) { | |||||
if (ret == GNUTLS_E_INVALID_REQUEST) | |||||
vlog.error("GnuTLS priority syntax error at: %s", err); | |||||
throw AuthFailureException("gnutls_set_priority_direct failed"); | |||||
} | |||||
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) | if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS) | ||||
throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); | throw AuthFailureException("gnutls_certificate_allocate_credentials failed"); | ||||
GNUTLS_CERT_SIGNER_NOT_FOUND | | GNUTLS_CERT_SIGNER_NOT_FOUND | | ||||
GNUTLS_CERT_SIGNER_NOT_CA; | GNUTLS_CERT_SIGNER_NOT_CA; | ||||
unsigned int status; | unsigned int status; | ||||
const gnutls_datum *cert_list; | |||||
const gnutls_datum_t *cert_list; | |||||
unsigned int cert_list_size = 0; | unsigned int cert_list_size = 0; | ||||
int err; | int err; | ||||
gnutls_datum info; | |||||
gnutls_datum_t info; | |||||
if (anon) | if (anon) | ||||
return; | return; | ||||
throw AuthFailureException("empty certificate chain"); | throw AuthFailureException("empty certificate chain"); | ||||
/* Process only server's certificate, not issuer's certificate */ | /* Process only server's certificate, not issuer's certificate */ | ||||
gnutls_x509_crt crt; | |||||
gnutls_x509_crt_t crt; | |||||
gnutls_x509_crt_init(&crt); | gnutls_x509_crt_init(&crt); | ||||
if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) | if (gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) |
private: | private: | ||||
static void initGlobal(); | static void initGlobal(); | ||||
gnutls_session session; | |||||
gnutls_anon_client_credentials anon_cred; | |||||
gnutls_certificate_credentials cert_cred; | |||||
gnutls_session_t session; | |||||
gnutls_anon_client_credentials_t anon_cred; | |||||
gnutls_certificate_credentials_t cert_cred; | |||||
bool anon; | bool anon; | ||||
char *cafile, *crlfile; | char *cafile, *crlfile; |
return true; | return true; | ||||
} | } | ||||
void SSecurityTLS::setParams(gnutls_session session) | |||||
void SSecurityTLS::setParams(gnutls_session_t session) | |||||
{ | { | ||||
static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 }; | |||||
static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, | |||||
GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; | |||||
if (gnutls_kx_set_priority(session, anon ? kx_anon_priority : kx_priority) | |||||
!= GNUTLS_E_SUCCESS) | |||||
throw AuthFailureException("gnutls_kx_set_priority failed"); | |||||
static const char kx_anon_priority[] = "NORMAL:+ANON-ECDH:+ANON-DH"; | |||||
static const char kx_priority[] = "NORMAL"; | |||||
int ret; | |||||
const char *err; | |||||
ret = gnutls_priority_set_direct(session, | |||||
anon ? kx_anon_priority : kx_priority, | |||||
&err); | |||||
if (ret != GNUTLS_E_SUCCESS) { | |||||
if (ret == GNUTLS_E_INVALID_REQUEST) | |||||
vlog.error("GnuTLS priority syntax error at: %s", err); | |||||
throw AuthFailureException("gnutls_set_priority_direct failed"); | |||||
} | |||||
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) | if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) | ||||
throw AuthFailureException("gnutls_dh_params_init failed"); | throw AuthFailureException("gnutls_dh_params_init failed"); |
protected: | protected: | ||||
void shutdown(); | void shutdown(); | ||||
void setParams(gnutls_session session); | |||||
void setParams(gnutls_session_t session); | |||||
private: | private: | ||||
static void initGlobal(); | static void initGlobal(); | ||||
gnutls_session session; | |||||
gnutls_dh_params dh_params; | |||||
gnutls_anon_server_credentials anon_cred; | |||||
gnutls_certificate_credentials cert_cred; | |||||
gnutls_session_t session; | |||||
gnutls_dh_params_t dh_params; | |||||
gnutls_anon_server_credentials_t anon_cred; | |||||
gnutls_certificate_credentials_t cert_cred; | |||||
char *keyfile, *certfile; | char *keyfile, *certfile; | ||||
int type; | int type; |
#cmakedefine HAVE_INET_ATON | #cmakedefine HAVE_INET_ATON | ||||
#cmakedefine HAVE_INET_PTON | #cmakedefine HAVE_INET_PTON | ||||
#cmakedefine HAVE_GETADDRINFO | #cmakedefine HAVE_GETADDRINFO | ||||
#cmakedefine HAVE_GNUTLS_SET_GLOBAL_ERRNO | |||||
#cmakedefine HAVE_GNUTLS_SET_ERRNO | |||||
#cmakedefine HAVE_GNUTLS_X509_CRT_PRINT | |||||
#cmakedefine HAVE_GNUTLS_X509_CRT_T | |||||
#cmakedefine HAVE_GNUTLS_DATUM_T | |||||
#cmakedefine HAVE_GNUTLS_PK_ALGORITHM_T | |||||
#cmakedefine HAVE_GNUTLS_SIGN_ALGORITHM_T | |||||
#cmakedefine HAVE_ACTIVE_DESKTOP_H | #cmakedefine HAVE_ACTIVE_DESKTOP_H | ||||
#cmakedefine HAVE_ACTIVE_DESKTOP_L | #cmakedefine HAVE_ACTIVE_DESKTOP_L | ||||
#cmakedefine ENABLE_NLS 1 | #cmakedefine ENABLE_NLS 1 |