1 | /* |
2 | * charybdis: an advanced ircd | |
3 | * gnutls.c: GnuTLS support functions. | |
4 | * | |
5 | * Copyright (c) 2008 William Pitcock <nenolod -at- sacredspiral.co.uk> | |
6 | * | |
7 | * Permission to use, copy, modify, and/or distribute this software for any | |
8 | * purpose with or without fee is hereby granted, provided that the above | |
9 | * copyright notice and this permission notice is present in all copies. | |
10 | * | |
11 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
12 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
13 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
14 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
15 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
16 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
17 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
18 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
19 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
20 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
21 | * POSSIBILITY OF SUCH DAMAGE. | |
22 | */ | |
23 | ||
24 | #ifdef GNUTLS | |
25 | ||
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#include <gnutls/gnutls.h>
#include <gcrypt.h> /* for gcry_control */
37 | ||
/* Size in bits of the ephemeral Diffie-Hellman group generated at startup
 * in irc_tls_init(); generation time grows steeply with this value.
 * NOTE(review): 1024-bit DH is below current guidance (2048 bits or more)
 * -- raise it, or derive it from gnutls_sec_param_to_pk_bits() where the
 * installed GnuTLS provides it. */
#define DH_BITS 1024

/* Process-wide TLS state shared by every session.  Populated once by
 * irc_tls_init(); nothing in this file releases it. */
static gnutls_certificate_credentials_t x509_cred; /* server cert/key, CA bundle, CRL and DH params */
static gnutls_priority_t priority_cache;           /* "NORMAL" cipher-suite priorities */
static gnutls_dh_params_t dh_params;               /* DH group attached to x509_cred */
43 | ||
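/*
 * One-time initialisation of the TLS layer.
 *
 * Loads the CA bundle, CRL and server certificate/key pair from ETCPATH,
 * generates the ephemeral DH group used for DHE key exchange and builds
 * the cipher-suite priority cache shared by every session.
 *
 * The original ignored every return value, so an unreadable key file
 * produced a server that silently failed every TLS handshake.  Failures
 * are now reported on stderr.  The CA bundle and CRL are optional (no
 * client-certificate verification happens in this file, so they only
 * matter to callers that verify peers themselves); the certificate/key
 * pair, the DH group and the priority string are required for the TLS
 * listener to work at all.  On a required failure the corresponding
 * global is left NULL so that irc_tls_session_new() can refuse to build
 * sessions instead of crashing.
 */
void
irc_tls_init(void)
{
	int ret;

	/* GCRYCTL_ENABLE_QUICK_RANDOM makes libgcrypt draw from /dev/urandom
	 * instead of blocking on /dev/random; must precede gnutls_global_init(). */
	gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);

	ret = gnutls_global_init();
	if (ret < 0)
	{
		fprintf(stderr, "irc_tls_init: gnutls_global_init: %s\n", gnutls_strerror(ret));
		return;
	}

	ret = gnutls_certificate_allocate_credentials(&x509_cred);
	if (ret < 0)
	{
		fprintf(stderr, "irc_tls_init: cannot allocate credentials: %s\n", gnutls_strerror(ret));
		x509_cred = NULL;
		return;
	}

	/* Trust store and CRL: warn on failure but carry on, they are not
	 * needed for the server side of the handshake. */
	ret = gnutls_certificate_set_x509_trust_file(x509_cred, ETCPATH "/ca.pem", GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fprintf(stderr, "irc_tls_init: warning: " ETCPATH "/ca.pem: %s\n", gnutls_strerror(ret));

	ret = gnutls_certificate_set_x509_crl_file(x509_cred, ETCPATH "/crl.pem", GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fprintf(stderr, "irc_tls_init: warning: " ETCPATH "/crl.pem: %s\n", gnutls_strerror(ret));

	/* Without a certificate and key no TLS client can connect. */
	ret = gnutls_certificate_set_x509_key_file(x509_cred, ETCPATH "/cert.pem", ETCPATH "/key.pem", GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fprintf(stderr, "irc_tls_init: cannot load " ETCPATH "/cert.pem / " ETCPATH "/key.pem: %s\n",
			gnutls_strerror(ret));

	/* Ephemeral DH group for DHE suites; generated fresh on every start.
	 * NOTE(review): DH_BITS is 1024, below current guidance (>= 2048). */
	ret = gnutls_dh_params_init(&dh_params);
	if (ret == 0)
		ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
	if (ret < 0)
	{
		fprintf(stderr, "irc_tls_init: cannot generate %d-bit DH parameters: %s\n",
			DH_BITS, gnutls_strerror(ret));
		dh_params = NULL;
	}
	else
		gnutls_certificate_set_dh_params(x509_cred, dh_params);

	ret = gnutls_priority_init(&priority_cache, "NORMAL", NULL);
	if (ret < 0)
	{
		fprintf(stderr, "irc_tls_init: cannot build priority cache: %s\n", gnutls_strerror(ret));
		priority_cache = NULL;
	}
}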
64 | ||
65 | /* | |
66 | * allocates a new TLS session. | |
67 | */ | |
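/*
 * Allocate and configure a server-side TLS session bound to the accepted
 * socket `fd`.  The session shares the credentials and priority cache set
 * up by irc_tls_init(); no handshake is performed here, see
 * irc_tls_handshake().
 *
 * Returns the new session, which the caller owns, or NULL when the
 * global state has not been initialised or GnuTLS could not allocate or
 * configure the session (nothing is leaked on that path).  The original
 * returned an uninitialised pointer when gnutls_init() failed.
 */
gnutls_session_t
irc_tls_session_new(int fd)
{
	gnutls_session_t session = NULL;
	int ret;

	/* Both statics are zero until irc_tls_init() has succeeded;
	 * gnutls_priority_set()/gnutls_credentials_set() would crash on NULL. */
	if (x509_cred == NULL || priority_cache == NULL)
		return NULL;

	ret = gnutls_init(&session, GNUTLS_SERVER);
	if (ret < 0)
		return NULL;

	ret = gnutls_priority_set(session, priority_cache);
	if (ret == 0)
		ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
	if (ret < 0)
	{
		gnutls_deinit(session);
		return NULL;
	}

	/* Ask for a client certificate but do not require one.  Nothing in
	 * this file verifies it; callers relying on certificate-based auth
	 * must check gnutls_certificate_verify_peers*() after the handshake. */
	gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST);

	/* Tolerate known protocol quirks of older clients. */
	gnutls_session_enable_compatibility_mode(session);

	/* The original passed `sd`, which does not exist in this scope; the
	 * descriptor is `fd`.  Cast through intptr_t so the int-to-pointer
	 * conversion is explicit and warning-free on 64-bit platforms. */
	gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(intptr_t) fd);

	return session;
}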
85 | ||
86 | /* | |
87 | * helper function to handshake or remove the socket from commio. | |
88 | */ | |
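/*
 * Drive the TLS handshake on `session`, whose transport is socket `fd`.
 *
 * Returns:
 *    0  handshake complete, the session is ready for record I/O;
 *    1  handshake not finished yet (GNUTLS_E_AGAIN, GNUTLS_E_INTERRUPTED
 *       or another non-fatal condition): keep the session and call again
 *       when the socket becomes ready;
 *   -1  fatal error: the socket has been removed from commio and closed
 *       and the session freed, so the caller must not touch either again.
 *
 * The original treated every negative return from gnutls_handshake() as
 * fatal, which tears down any connection whose handshake does not
 * complete in a single call -- on a non-blocking socket that is the
 * common case.  Callers that only test for a negative result are
 * unaffected; callers testing `== 0` must now treat 1 as "retry later".
 */
int
irc_tls_handshake(int fd, gnutls_session_t session)
{
	int ret;

	ret = gnutls_handshake(session);
	if (ret == 0)
		return 0;

	/* Non-fatal: the handshake simply needs more I/O. */
	if (!gnutls_error_is_fatal(ret))
		return 1;

	comm_close(fd);
	gnutls_deinit(session);
	return -1;
}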
104 | ||
105 | #endif |