2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 * Copyright (c) 2002 Andrew McDonald <andrew@mcdonald.org.uk>
5 * This file is part of GnuTLS-EXTRA.
7 * GnuTLS-extra is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuTLS-extra is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include <gnutls/gnutls.h>
24 #include <openssl_compat.h>
28 #include "../lib/gnutls_int.h"
29 #include "../lib/random.h"
30 #include "../lib/gnutls_hash_int.h"
32 /* In win32 X509_NAME is defined in wincrypt.h.
33 * undefine it to avoid the conflict with openssl.h.
38 #include <gnutls/openssl.h>
40 /* Gnulib re-defines shutdown on mingw. We only use it as a variable
41 name, so restore the original name. */
44 /* XXX: See lib/gnutls_int.h. */
45 #define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
46 #define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
48 /* WARNING: Error functions aren't currently thread-safe */
50 static int last_error = 0;
52 /* Library initialisation functions */
55 SSL_library_init (void)
57 gnutls_global_init ();
58 /* NB: we haven't got anywhere to call gnutls_global_deinit() */
63 OpenSSL_add_all_algorithms (void)
68 /* SSL_CTX structure handling */
71 SSL_CTX_new (SSL_METHOD * method)
75 ctx = (SSL_CTX *) calloc (1, sizeof (SSL_CTX));
82 SSL_CTX_free (SSL_CTX * ctx)
89 SSL_CTX_set_default_verify_paths (SSL_CTX * ctx)
95 SSL_CTX_use_certificate_file (SSL_CTX * ctx, const char *certfile, int type)
97 ctx->certfile = (char *) calloc (1, strlen (certfile) + 1);
100 memcpy (ctx->certfile, certfile, strlen (certfile));
102 ctx->certfile_type = type;
108 SSL_CTX_use_PrivateKey_file (SSL_CTX * ctx, const char *keyfile, int type)
110 ctx->keyfile = (char *) calloc (1, strlen (keyfile) + 1);
113 memcpy (ctx->keyfile, keyfile, strlen (keyfile));
115 ctx->keyfile_type = type;
122 SSL_CTX_set_verify (SSL_CTX * ctx, int verify_mode,
123 int (*verify_callback) (int, X509_STORE_CTX *))
125 ctx->verify_mode = verify_mode;
126 ctx->verify_callback = verify_callback;
130 SSL_CTX_set_options (SSL_CTX * ctx, unsigned long options)
132 return (ctx->options |= options);
136 SSL_CTX_set_mode (SSL_CTX * ctx, long mode)
142 SSL_CTX_set_cipher_list (SSL_CTX * ctx, const char *list)
144 /* FIXME: ignore this for the moment */
145 /* We're going to have to parse the "list" string to do this */
146 /* It is a string, which in its simplest form is something like
147 "DES-CBC3-SHA:IDEA-CBC-MD5", but can be rather more complicated
148 (see OpenSSL's ciphers(1) manpage for details) */
154 /* SSL_CTX statistics */
157 SSL_CTX_sess_number (SSL_CTX * ctx)
163 SSL_CTX_sess_connect (SSL_CTX * ctx)
169 SSL_CTX_sess_connect_good (SSL_CTX * ctx)
175 SSL_CTX_sess_connect_renegotiate (SSL_CTX * ctx)
181 SSL_CTX_sess_accept (SSL_CTX * ctx)
187 SSL_CTX_sess_accept_good (SSL_CTX * ctx)
193 SSL_CTX_sess_accept_renegotiate (SSL_CTX * ctx)
199 SSL_CTX_sess_hits (SSL_CTX * ctx)
205 SSL_CTX_sess_misses (SSL_CTX * ctx)
211 SSL_CTX_sess_timeouts (SSL_CTX * ctx)
218 /* SSL structure handling */
221 SSL_new (SSL_CTX * ctx)
226 ssl = (SSL *) calloc (1, sizeof (SSL));
230 err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred);
238 gnutls_init (&ssl->gnutls_state, ctx->method->connend);
240 gnutls_priority_set_direct (ssl->gnutls_state,
241 ctx->method->priority_string, NULL);
243 gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE,
246 gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred,
250 gnutls_certificate_set_x509_key_file (ssl->gnutls_cred,
251 ctx->certfile, ctx->keyfile,
254 ssl->verify_mode = ctx->verify_mode;
255 ssl->verify_callback = ctx->verify_callback;
257 ssl->options = ctx->options;
259 ssl->rfd = (gnutls_transport_ptr_t) - 1;
260 ssl->wfd = (gnutls_transport_ptr_t) - 1;
268 gnutls_certificate_free_credentials (ssl->gnutls_cred);
269 gnutls_deinit (ssl->gnutls_state);
274 SSL_load_error_strings (void)
279 SSL_get_error (SSL * ssl, int ret)
282 return SSL_ERROR_NONE;
284 return SSL_ERROR_ZERO_RETURN;
288 SSL_set_fd (SSL * ssl, int fd)
290 gnutls_transport_set_ptr (ssl->gnutls_state, GNUTLS_INT_TO_POINTER (fd));
295 SSL_set_rfd (SSL * ssl, int fd)
297 ssl->rfd = GNUTLS_INT_TO_POINTER (fd);
299 if (ssl->wfd != (gnutls_transport_ptr_t) - 1)
300 gnutls_transport_set_ptr2 (ssl->gnutls_state, ssl->rfd, ssl->wfd);
306 SSL_set_wfd (SSL * ssl, int fd)
308 ssl->wfd = GNUTLS_INT_TO_POINTER (fd);
310 if (ssl->rfd != (gnutls_transport_ptr_t) - 1)
311 gnutls_transport_set_ptr2 (ssl->gnutls_state, ssl->rfd, ssl->wfd);
317 SSL_set_bio (SSL * ssl, BIO * rbio, BIO * wbio)
319 gnutls_transport_set_ptr2 (ssl->gnutls_state, rbio->fd, wbio->fd);
324 SSL_set_connect_state (SSL * ssl)
329 SSL_pending (SSL * ssl)
331 return gnutls_record_check_pending (ssl->gnutls_state);
335 SSL_set_verify (SSL * ssl, int verify_mode,
336 int (*verify_callback) (int, X509_STORE_CTX *))
338 ssl->verify_mode = verify_mode;
339 ssl->verify_callback = verify_callback;
343 SSL_get_peer_certificate (SSL * ssl)
345 const gnutls_datum_t *cert_list;
346 unsigned int cert_list_size = 0;
348 cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
354 /* SSL connection open/close/read/write functions */
357 SSL_connect (SSL * ssl)
359 X509_STORE_CTX *store;
360 unsigned int cert_list_size = 0;
362 char x_priority[256];
363 /* take options into account before connecting */
365 memset (x_priority, 0, sizeof (x_priority));
366 if (ssl->options & SSL_OP_NO_TLSv1)
368 snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string);
369 err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL);
377 err = gnutls_handshake (ssl->gnutls_state);
378 ssl->last_error = err;
386 store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX));
388 store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
391 if (ssl->verify_callback)
393 ssl->verify_callback (1 /*FIXME*/, store);
395 ssl->state = SSL_ST_OK;
400 /* FIXME: deal with error from callback */
406 SSL_accept (SSL * ssl)
408 X509_STORE_CTX *store;
409 unsigned int cert_list_size = 0;
411 char x_priority[256];
412 /* take options into account before connecting */
414 memset (x_priority, 0, sizeof (x_priority));
415 if (ssl->options & SSL_OP_NO_TLSv1)
417 snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string);
418 err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL);
426 /* FIXME: dh params, do we want client cert? */
428 err = gnutls_handshake (ssl->gnutls_state);
429 ssl->last_error = err;
437 store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX));
439 store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
442 if (ssl->verify_callback)
444 ssl->verify_callback (1 /*FIXME*/, store);
446 ssl->state = SSL_ST_OK;
451 /* FIXME: deal with error from callback */
457 SSL_shutdown (SSL * ssl)
461 gnutls_bye (ssl->gnutls_state, GNUTLS_SHUT_WR);
466 gnutls_bye (ssl->gnutls_state, GNUTLS_SHUT_RDWR);
475 SSL_read (SSL * ssl, void *buf, int len)
479 ret = gnutls_record_recv (ssl->gnutls_state, buf, len);
480 ssl->last_error = ret;
492 SSL_write (SSL * ssl, const void *buf, int len)
496 ret = gnutls_record_send (ssl->gnutls_state, buf, len);
497 ssl->last_error = ret;
515 /* SSL_METHOD functions */
518 SSLv23_client_method (void)
521 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
525 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
527 m->connend = GNUTLS_CLIENT;
533 SSLv23_server_method (void)
536 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
540 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
541 m->connend = GNUTLS_SERVER;
547 SSLv3_client_method (void)
550 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
554 strcpy(m->priority_string, "NONE:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
555 m->connend = GNUTLS_CLIENT;
561 SSLv3_server_method (void)
564 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
568 strcpy(m->priority_string, "NONE:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
569 m->connend = GNUTLS_SERVER;
575 TLSv1_client_method (void)
578 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
582 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
583 m->connend = GNUTLS_CLIENT;
589 TLSv1_server_method (void)
592 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
596 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
597 m->connend = GNUTLS_SERVER;
603 /* SSL_CIPHER functions */
606 SSL_get_current_cipher (SSL * ssl)
611 ssl->ciphersuite.version = gnutls_protocol_get_version (ssl->gnutls_state);
612 ssl->ciphersuite.cipher = gnutls_cipher_get (ssl->gnutls_state);
613 ssl->ciphersuite.kx = gnutls_kx_get (ssl->gnutls_state);
614 ssl->ciphersuite.mac = gnutls_mac_get (ssl->gnutls_state);
615 ssl->ciphersuite.compression = gnutls_compression_get (ssl->gnutls_state);
616 ssl->ciphersuite.cert = gnutls_certificate_type_get (ssl->gnutls_state);
618 return &(ssl->ciphersuite);
622 SSL_CIPHER_get_name (SSL_CIPHER * cipher)
627 return gnutls_cipher_suite_get_name (cipher->kx,
628 cipher->cipher, cipher->mac);
632 SSL_CIPHER_get_bits (SSL_CIPHER * cipher, int *bits)
639 bit_result = (8 * gnutls_cipher_get_key_size (cipher->cipher));
648 SSL_CIPHER_get_version (SSL_CIPHER * cipher)
655 ret = gnutls_protocol_get_name (cipher->version);
663 SSL_CIPHER_description (SSL_CIPHER * cipher, char *buf, int size)
677 tmpbuf = (char *) malloc (128);
682 if (snprintf (tmpbuf, tmpsize, "%s %s %s %s",
683 gnutls_protocol_get_name (cipher->version),
684 gnutls_kx_get_name (cipher->kx),
685 gnutls_cipher_get_name (cipher->cipher),
686 gnutls_mac_get_name (cipher->mac)) == -1)
690 return (char *) "Buffer too small";
700 X509_get_subject_name (const X509 * cert)
703 dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
704 if (gnutls_x509_extract_certificate_dn (cert, dn) < 0)
713 X509_get_issuer_name (const X509 * cert)
716 dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
717 if (gnutls_x509_extract_certificate_issuer_dn (cert, dn) < 0)
726 X509_NAME_oneline (gnutls_x509_dn * name, char *buf, int len)
728 /* XXX openssl allocates buffer if buf == NULL */
731 memset (buf, 0, len);
733 snprintf (buf, len - 1,
734 "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s/Email=%s",
735 name->country, name->state_or_province_name,
736 name->locality_name, name->organization,
737 name->organizational_unit_name, name->common_name, name->email);
742 X509_free (const X509 * cert)
744 /* only get certificates as const items */
751 BIO_get_fd (gnutls_session_t gnutls_state, int *fd)
753 gnutls_transport_ptr_t tmp = gnutls_transport_get_ptr (gnutls_state);
754 *fd = GNUTLS_POINTER_TO_INT (tmp);
758 BIO_new_socket (int sock, int close_flag)
762 bio = (BIO *) malloc (sizeof (BIO));
766 bio->fd = GNUTLS_INT_TO_POINTER (sock);
779 ret = -1 * last_error;
786 ERR_error_string (unsigned long e, char *buf)
788 return gnutls_strerror (-1 * e);
801 RAND_seed (const void *buf, int num)
806 RAND_bytes (unsigned char *buf, int num)
808 gnutls_rnd (GNUTLS_RND_RANDOM, buf, num);
813 RAND_pseudo_bytes (unsigned char *buf, int num)
815 gnutls_rnd (GNUTLS_RND_NONCE, buf, num);
820 RAND_file_name (char *buf, size_t len)
826 RAND_load_file (const char *name, long maxbytes)
832 RAND_write_file (const char *name)
838 RAND_egd_bytes (const char *path, int bytes)
845 /* message digest functions */
848 MD5_Init (MD5_CTX * ctx)
850 ctx->handle = gnutls_malloc (sizeof (digest_hd_st));
853 _gnutls_hash_init (ctx->handle, GNUTLS_DIG_MD5);
857 MD5_Update (MD5_CTX * ctx, const void *buf, int len)
859 _gnutls_hash (ctx->handle, buf, len);
863 MD5_Final (unsigned char *md, MD5_CTX * ctx)
865 _gnutls_hash_deinit (ctx->handle, md);
866 gnutls_free (ctx->handle);
870 MD5 (const unsigned char *buf, unsigned long len, unsigned char *md)
875 _gnutls_hash_fast (GNUTLS_DIG_MD5, buf, len, md);
881 RIPEMD160_Init (RIPEMD160_CTX * ctx)
883 ctx->handle = gnutls_malloc (sizeof (digest_hd_st));
886 _gnutls_hash_init (ctx->handle, GNUTLS_DIG_RMD160);
890 RIPEMD160_Update (RIPEMD160_CTX * ctx, const void *buf, int len)
892 _gnutls_hash (ctx->handle, buf, len);
896 RIPEMD160_Final (unsigned char *md, RIPEMD160_CTX * ctx)
898 _gnutls_hash_deinit (ctx->handle, md);
899 gnutls_free (ctx->handle);
903 RIPEMD160 (const unsigned char *buf, unsigned long len, unsigned char *md)
908 _gnutls_hash_fast (GNUTLS_DIG_RMD160, buf, len, md);