1 | /* |
2 | * charybdis: an advanced ircd | |
3 | * gnutls.c: GnuTLS support functions. | |
4 | * | |
5 | * Copyright (c) 2008 William Pitcock <nenolod -at- sacredspiral.co.uk> | |
6 | * | |
7 | * Permission to use, copy, modify, and/or distribute this software for any | |
8 | * purpose with or without fee is hereby granted, provided that the above | |
9 | * copyright notice and this permission notice is present in all copies. | |
10 | * | |
11 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
12 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
13 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
14 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
15 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
16 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
17 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
18 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
19 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
20 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
21 | * POSSIBILITY OF SUCH DAMAGE. | |
22 | */ | |
23 | ||
24 | #ifdef GNUTLS | |
25 | ||
#include "stdinc.h"
#include "config.h"

#include <stdint.h>
#include <stdio.h>

#include <gnutls/gnutls.h>
#include <gcrypt.h> /* for gcry_control */
30 | ||
/* Size in bits of the Diffie-Hellman group generated once at startup by
 * irc_tls_init().  NOTE(review): 1024-bit DH is below current guidance
 * (2048 bits or more); raising it also lengthens startup, since the group
 * is generated rather than loaded from a file. */
#define DH_BITS 1024

/* Process-wide TLS state shared by every session; all three are filled in
 * by irc_tls_init() and read by irc_tls_session_new(). */
static gnutls_certificate_credentials_t x509_cred;	/* server cert/key, CA trust file, CRL and DH params */
static gnutls_priority_t priority_cache;		/* parsed "NORMAL" priority string */
static gnutls_dh_params_t dh_params;			/* DH_BITS-bit group attached to x509_cred */
36 | ||
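/*
 * Reports a failed GnuTLS call on stderr.  irc_tls_init() returns nothing
 * and has no error channel to its caller, so this is the only place a
 * failed initialization step becomes visible.
 */
static void
tls_report(const char *what, int ret)
{
	fprintf(stderr, "gnutls: %s failed: %s\n", what, gnutls_strerror(ret));
}

/*
 * Initializes the process-wide TLS state used by every session: the
 * libgcrypt RNG mode, the X.509 credentials (server certificate and key,
 * CA trust file and CRL, all under ETCPATH), the DH group and the cipher
 * priority cache.
 *
 * Every GnuTLS call is checked.  A failure is reported through tls_report();
 * initialization then continues with whatever can still be set up, except
 * that a failed credential allocation ends the function, since nothing
 * below could use the credentials.  Sessions created after a failed
 * certificate/key load will not be able to complete a handshake.
 */
void
irc_tls_init(void)
{
	int ret;

	/* libgcrypt "quick random": serve random requests from /dev/urandom
	 * instead of blocking on /dev/random.  Trades libgcrypt's strong-entropy
	 * guarantee for a startup that never blocks. */
	gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);

	ret = gnutls_global_init();
	if (ret < 0)
		tls_report("gnutls_global_init", ret);

	ret = gnutls_certificate_allocate_credentials(&x509_cred);
	if (ret < 0)
	{
		/* x509_cred is unusable; every call below would dereference it. */
		tls_report("gnutls_certificate_allocate_credentials", ret);
		return;
	}

	/* The CA bundle and CRL only matter for verifying client certificates.
	 * Loading them does not by itself verify anything: nothing in this file
	 * checks the peer's certificate, so a presented client certificate is
	 * accepted as-is unless the caller verifies it. */
	ret = gnutls_certificate_set_x509_trust_file(x509_cred, ETCPATH "/ca.pem", GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		tls_report("gnutls_certificate_set_x509_trust_file", ret);

	ret = gnutls_certificate_set_x509_crl_file(x509_cred, ETCPATH "/crl.pem", GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		tls_report("gnutls_certificate_set_x509_crl_file", ret);

	/* Server certificate and private key: without these no session can complete. */
	ret = gnutls_certificate_set_x509_key_file(x509_cred, ETCPATH "/cert.pem", ETCPATH "/key.pem", GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		tls_report("gnutls_certificate_set_x509_key_file", ret);

	/* A fresh DH group is generated on every start; at DH_BITS this can take
	 * noticeable time and blocks the process until done. */
	ret = gnutls_dh_params_init(&dh_params);
	if (ret < 0)
	{
		tls_report("gnutls_dh_params_init", ret);
	}
	else
	{
		ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
		if (ret < 0)
			tls_report("gnutls_dh_params_generate2", ret);
		else
			gnutls_certificate_set_dh_params(x509_cred, dh_params);
	}

	ret = gnutls_priority_init(&priority_cache, "NORMAL", NULL);
	if (ret < 0)
		tls_report("gnutls_priority_init", ret);
}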
57 | ||
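/*
 * Allocates and configures a server-side TLS session bound to socket fd.
 *
 * The session uses the shared priority cache and X.509 credentials set up
 * by irc_tls_init(), asks the peer for a client certificate without
 * requiring one, and enables GnuTLS compatibility mode.
 *
 * Returns the new session, or NULL if GnuTLS could not allocate one (the
 * original went on to use the uninitialized handle).  The caller owns the
 * session and releases it with gnutls_deinit(); irc_tls_handshake() does
 * that itself on a fatal handshake error.
 */
gnutls_session_t
irc_tls_session_new(int fd)
{
	gnutls_session_t session;

	if (gnutls_init(&session, GNUTLS_SERVER) < 0)
		return NULL;

	gnutls_priority_set(session, priority_cache);
	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);

	/* GNUTLS_CERT_REQUEST asks for a client certificate but lets the
	 * handshake proceed when none is presented. */
	gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST);

	gnutls_session_enable_compatibility_mode(session);

	/* The transport pointer carries the descriptor value itself, not its
	 * address; go through intptr_t so the int -> pointer conversion is
	 * well defined.  (The original cast an undeclared `sd` here.) */
	gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(intptr_t) fd);

	return session;
}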
78 | ||
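/*
 * Drives the TLS handshake on session, which irc_tls_session_new() created
 * for socket fd.
 *
 * Returns 0 once the handshake has completed; 1 when GnuTLS returned a
 * non-fatal code (GNUTLS_E_AGAIN / GNUTLS_E_INTERRUPTED on a non-blocking
 * socket) and the caller should call again when fd becomes readable or
 * writable; or -1 on a fatal error, after the socket has been closed with
 * rb_close() and the session released with gnutls_deinit() -- the caller
 * must not touch either afterwards.
 *
 * Previously every negative return tore the connection down, which on a
 * non-blocking socket aborted any handshake needing more than one pass.
 */
int
irc_tls_handshake(int fd, gnutls_session_t session)
{
	int ret = gnutls_handshake(session);

	if (ret >= 0)
		return 0;

	/* Would-block and interrupted are retryable; only fatal codes end the connection. */
	if (!gnutls_error_is_fatal(ret))
		return 1;

	rb_close(fd);
	gnutls_deinit(session);
	return -1;
}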
97 | ||
98 | #endif |