6 # include <gnutls/gnutls.h>
7 # include <gnutls/x509.h>
10 # include <openssl/ssl.h>
11 # include <openssl/err.h>
12 # include <openssl/dh.h>
15 #ifdef HAVE_WS2TCPIP_H
16 # include <ws2tcpip.h>
20 #include "ecore_con_private.h"
24 static int _init_con_ssl_init_count = 0;
27 # ifdef EFL_HAVE_PTHREAD
29 GCRY_THREAD_OPTION_PTHREAD_IMPL;
32 static int _client_connected = 0;
33 # define SSL_SUFFIX(ssl_func) ssl_func ## _gnutls
34 # define _ECORE_CON_SSL_AVAILABLE 1
38 # define SSL_SUFFIX(ssl_func) ssl_func ## _openssl
39 # define _ECORE_CON_SSL_AVAILABLE 2
42 # define SSL_SUFFIX(ssl_func) ssl_func ## _none
43 # define _ECORE_CON_SSL_AVAILABLE 0
49 _gnutls_print_errors(int ret)
52 ERR("gnutls returned with error: %s - %s", gnutls_strerror_name(ret), gnutls_strerror(ret));
56 _gnutls_log_func(int level,
59 DBG("|<%d>| %s", level, str);
63 SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_description_t status)
67 case GNUTLS_HANDSHAKE_HELLO_REQUEST:
68 return "Hello request";
70 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
71 return "Client hello";
73 case GNUTLS_HANDSHAKE_SERVER_HELLO:
74 return "Server hello";
76 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
77 return "New session ticket";
79 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
80 return "Certificate packet";
82 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
83 return "Server key exchange";
85 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
86 return "Certificate request";
88 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
89 return "Server hello done";
91 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
92 return "Certificate verify";
94 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
95 return "Client key exchange";
97 case GNUTLS_HANDSHAKE_FINISHED:
100 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
101 return "Supplemental";
109 _openssl_print_errors(void)
115 err = ERR_get_error();
117 ERR("openssl error: %s", ERR_reason_error_string(err));
123 #define SSL_ERROR_CHECK_GOTO_ERROR(X) \
128 ERR("Error at %s:%s:%d!", __FILE__, __PRETTY_FUNCTION__, __LINE__); \
134 static Ecore_Con_Ssl_Error
135 SSL_SUFFIX(_ecore_con_ssl_init) (void);
136 static Ecore_Con_Ssl_Error
137 SSL_SUFFIX(_ecore_con_ssl_shutdown) (void);
139 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_cafile_add) (Ecore_Con_Server * svr, const char *ca_file);
140 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_crl_add) (Ecore_Con_Server * svr, const char *crl_file);
141 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_cert_add) (Ecore_Con_Server * svr, const char *cert);
142 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_privkey_add) (Ecore_Con_Server * svr, const char *key_file);
144 static Ecore_Con_Ssl_Error SSL_SUFFIX(_ecore_con_ssl_server_prepare) (Ecore_Con_Server * svr, int ssl_type);
145 static Ecore_Con_Ssl_Error
146 SSL_SUFFIX(_ecore_con_ssl_server_init) (Ecore_Con_Server * svr);
147 static Ecore_Con_Ssl_Error
148 SSL_SUFFIX(_ecore_con_ssl_server_shutdown) (Ecore_Con_Server *
151 SSL_SUFFIX(_ecore_con_ssl_server_read) (Ecore_Con_Server * svr,
152 unsigned char *buf, int size);
154 SSL_SUFFIX(_ecore_con_ssl_server_write) (Ecore_Con_Server *
156 unsigned char *buf, int size);
158 static Ecore_Con_Ssl_Error
159 SSL_SUFFIX(_ecore_con_ssl_client_init) (Ecore_Con_Client * cl);
160 static Ecore_Con_Ssl_Error
161 SSL_SUFFIX(_ecore_con_ssl_client_shutdown) (Ecore_Con_Client *
164 SSL_SUFFIX(_ecore_con_ssl_client_read) (Ecore_Con_Client * cl,
165 unsigned char *buf, int size);
167 SSL_SUFFIX(_ecore_con_ssl_client_write) (Ecore_Con_Client * cl,
168 unsigned char *buf, int size);
175 ecore_con_ssl_init(void)
177 if (!_init_con_ssl_init_count++)
178 SSL_SUFFIX(_ecore_con_ssl_init) ();
180 return _init_con_ssl_init_count;
184 ecore_con_ssl_shutdown(void)
186 if (!--_init_con_ssl_init_count)
187 SSL_SUFFIX(_ecore_con_ssl_shutdown) ();
189 return _init_con_ssl_init_count;
193 ecore_con_ssl_server_prepare(Ecore_Con_Server *svr,
197 return ECORE_CON_SSL_ERROR_NONE;
198 return SSL_SUFFIX(_ecore_con_ssl_server_prepare) (svr, ssl_type);
202 ecore_con_ssl_server_init(Ecore_Con_Server *svr)
204 if (!(svr->type & ECORE_CON_SSL))
205 return ECORE_CON_SSL_ERROR_NONE;
206 return SSL_SUFFIX(_ecore_con_ssl_server_init) (svr);
210 ecore_con_ssl_server_shutdown(Ecore_Con_Server *svr)
212 if (!(svr->type & ECORE_CON_SSL))
213 return ECORE_CON_SSL_ERROR_NONE;
214 return SSL_SUFFIX(_ecore_con_ssl_server_shutdown) (svr);
218 ecore_con_ssl_server_read(Ecore_Con_Server *svr,
222 return SSL_SUFFIX(_ecore_con_ssl_server_read) (svr, buf, size);
226 ecore_con_ssl_server_write(Ecore_Con_Server *svr,
230 return SSL_SUFFIX(_ecore_con_ssl_server_write) (svr, buf, size);
234 ecore_con_ssl_client_init(Ecore_Con_Client *cl)
236 if (!(cl->host_server->type & ECORE_CON_SSL))
237 return ECORE_CON_SSL_ERROR_NONE;
238 return SSL_SUFFIX(_ecore_con_ssl_client_init) (cl);
242 ecore_con_ssl_client_shutdown(Ecore_Con_Client *cl)
244 if (!(cl->host_server->type & ECORE_CON_SSL))
245 return ECORE_CON_SSL_ERROR_NONE;
246 return SSL_SUFFIX(_ecore_con_ssl_client_shutdown) (cl);
250 ecore_con_ssl_client_read(Ecore_Con_Client *cl,
254 return SSL_SUFFIX(_ecore_con_ssl_client_read) (cl, buf, size);
258 ecore_con_ssl_client_write(Ecore_Con_Client *cl,
262 return SSL_SUFFIX(_ecore_con_ssl_client_write) (cl, buf, size);
266 * Returns if SSL support is available
267 * @return 1 if SSL is available and provided by gnutls, 2 if provided by openssl,
268 * 0 if it is not available.
269 * @ingroup Ecore_Con_Client_Group
272 ecore_con_ssl_available_get(void)
274 return _ECORE_CON_SSL_AVAILABLE;
278 * @addtogroup Ecore_Con_SSL_Group Ecore Connection SSL Functions
280 * Functions that operate on Ecore connection objects pertaining to SSL.
286 * @brief Enable certificate verification on a server object
288 * Call this function on a server object before main loop has started
289 * to enable verification of certificates against loaded certificates.
290 * @param svr The server object
293 ecore_con_ssl_server_verify(Ecore_Con_Server *svr)
295 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
297 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_verify");
300 svr->verify = EINA_TRUE;
304 * @brief Add an ssl certificate for use in ecore_con functions.
306 * Use this function to add a SSL PEM certificate.
307 * Simply specify the cert here to use it in the server object for connecting or listening.
308 * If there is an error loading the certificate, an error will automatically be logged.
309 * @param cert The path to the certificate.
310 * @return EINA_FALSE if the file cannot be loaded, otherwise EINA_TRUE.
314 ecore_con_ssl_server_cert_add(Ecore_Con_Server *svr,
317 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
319 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_cert_add");
323 return SSL_SUFFIX(_ecore_con_ssl_server_cert_add) (svr, cert);
327 * @brief Add an ssl CA file for use in ecore_con functions.
329 * Use this function to add a SSL PEM CA file.
330 * Simply specify the file here to use it in the server object for connecting or listening.
331 * If there is an error loading the CAs, an error will automatically be logged.
332 * @param ca_file The path to the CA file.
333 * @return EINA_FALSE if the file cannot be loaded, otherwise EINA_TRUE.
337 ecore_con_ssl_server_cafile_add(Ecore_Con_Server *svr,
340 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
342 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_cafile_add");
346 return SSL_SUFFIX(_ecore_con_ssl_server_cafile_add) (svr, ca_file);
350 * @brief Add an ssl private key for use in ecore_con functions.
352 * Use this function to add a SSL PEM private key
353 * Simply specify the key file here to use it in the server object for connecting or listening.
354 * If there is an error loading the key, an error will automatically be logged.
355 * @param key_file The path to the key file.
356 * @return EINA_FALSE if the file cannot be loaded,
357 * otherwise EINA_TRUE.
361 ecore_con_ssl_server_privkey_add(Ecore_Con_Server *svr,
362 const char *key_file)
364 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
366 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_privkey_add");
370 return SSL_SUFFIX(_ecore_con_ssl_server_privkey_add) (svr, key_file);
374 * @brief Add an ssl CRL for use in ecore_con functions.
376 * Use this function to add a SSL PEM CRL file
377 * Simply specify the CRL file here to use it in the server object for connecting or listening.
378 * If there is an error loading the CRL, an error will automatically be logged.
379 * @param crl_file The path to the CRL file.
380 * @return EINA_FALSE if the file cannot be loaded,
381 * otherwise EINA_TRUE.
385 ecore_con_ssl_server_crl_add(Ecore_Con_Server *svr,
386 const char *crl_file)
388 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
390 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_crl_add");
394 return SSL_SUFFIX(_ecore_con_ssl_server_crl_add) (svr, crl_file);
407 static Ecore_Con_Ssl_Error
408 _ecore_con_ssl_init_gnutls(void)
410 #ifdef EFL_HAVE_PTHREAD
411 if (gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread))
412 WRN("YOU ARE USING PTHREADS, BUT I CANNOT INITIALIZE THREADSAFE GCRYPT OPERATIONS!");
414 if (gnutls_global_init())
415 return ECORE_CON_SSL_ERROR_INIT_FAILED;
416 gnutls_global_set_log_level(9);
417 gnutls_global_set_log_function(_gnutls_log_func);
419 return ECORE_CON_SSL_ERROR_NONE;
422 static Ecore_Con_Ssl_Error
423 _ecore_con_ssl_shutdown_gnutls(void)
425 gnutls_global_deinit();
427 return ECORE_CON_SSL_ERROR_NONE;
430 static Ecore_Con_Ssl_Error
431 _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr,
436 if (ssl_type & ECORE_CON_USE_SSL2)
437 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
441 case ECORE_CON_USE_SSL3:
442 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
443 case ECORE_CON_USE_TLS:
444 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
445 case ECORE_CON_USE_MIXED:
446 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
450 return ECORE_CON_SSL_ERROR_NONE;
453 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert));
455 if ((!svr->use_cert) && svr->created)
457 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params));
458 INF("Generating DH params");
459 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024));
461 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s));
462 /* TODO: implement PSK */
463 // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s));
465 gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params);
466 gnutls_certificate_set_dh_params(svr->cert, svr->dh_params);
467 //gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params);
468 INF("DH params successfully generated and applied!");
470 else if (!svr->use_cert)
472 //SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c));
473 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c));
476 return ECORE_CON_SSL_ERROR_NONE;
479 _gnutls_print_errors(ret);
480 _ecore_con_ssl_server_shutdown_gnutls(svr);
481 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
484 static Ecore_Con_Ssl_Error
485 _ecore_con_ssl_server_init_gnutls(Ecore_Con_Server *svr)
487 const gnutls_datum_t *cert_list;
488 unsigned int iter, cert_list_size;
489 gnutls_x509_crt_t cert = NULL;
490 const char *priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
493 switch (svr->ssl_state)
495 case ECORE_CON_SSL_STATE_DONE:
496 return ECORE_CON_SSL_ERROR_NONE;
498 case ECORE_CON_SSL_STATE_INIT:
499 if (svr->type & ECORE_CON_USE_SSL2) /* not supported because of security issues */
500 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
502 switch (svr->type & ECORE_CON_SSL)
504 case ECORE_CON_USE_SSL3:
505 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
506 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-TLS1.0:!VERS-TLS1.1";
509 case ECORE_CON_USE_TLS:
510 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
511 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-SSL3.0";
514 case ECORE_CON_USE_MIXED:
515 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
519 return ECORE_CON_SSL_ERROR_NONE;
522 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_init(&svr->session, GNUTLS_CLIENT));
523 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_enable_client(svr->session));
524 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_server_name_set(svr->session, GNUTLS_NAME_DNS, svr->name, strlen(svr->name)));
525 INF("Applying priority string: %s", priority);
526 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_priority_set_direct(svr->session, priority, NULL));
527 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session, GNUTLS_CRD_CERTIFICATE, svr->cert));
528 // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session, GNUTLS_CRD_PSK, svr->pskcred_c));
530 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session, GNUTLS_CRD_ANON, svr->anoncred_c));
532 gnutls_dh_set_prime_bits(svr->session, 512);
533 gnutls_transport_set_ptr(svr->session, (gnutls_transport_ptr_t)svr->fd);
534 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
536 case ECORE_CON_SSL_STATE_HANDSHAKING:
539 DBG("Server was previously lost, going to error condition");
542 ret = gnutls_handshake(svr->session);
543 DBG("calling gnutls_handshake(): returned with '%s'", gnutls_strerror_name(ret));
544 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_error_is_fatal(ret));
547 svr->handshaking = EINA_FALSE;
548 svr->ssl_state = ECORE_CON_SSL_STATE_DONE;
552 if (gnutls_record_get_direction(svr->session))
553 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
555 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
556 return ECORE_CON_SSL_ERROR_NONE;
564 /* not verifying certificates, so we're done! */
565 return ECORE_CON_SSL_ERROR_NONE;
567 /* use CRL/CA lists to verify */
568 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_verify_peers2(svr->session, &iter));
569 if (iter & GNUTLS_CERT_INVALID)
570 ERR("The certificate is not trusted.");
571 else if (iter & GNUTLS_CERT_SIGNER_NOT_FOUND)
572 ERR("The certificate hasn't got a known issuer.");
573 else if (iter & GNUTLS_CERT_REVOKED)
574 ERR("The certificate has been revoked.");
575 else if (iter & GNUTLS_CERT_EXPIRED)
576 ERR("The certificate has expired");
577 else if (iter & GNUTLS_CERT_NOT_ACTIVATED)
578 ERR("The certificate is not yet activated");
583 if (gnutls_certificate_type_get(svr->session) != GNUTLS_CRT_X509)
585 ERR("Warning: PGP certificates are not yet supported!");
589 SSL_ERROR_CHECK_GOTO_ERROR(!(cert_list = gnutls_certificate_get_peers(svr->session, &cert_list_size)));
590 SSL_ERROR_CHECK_GOTO_ERROR(!cert_list_size);
592 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_init(&cert));
593 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER));
595 SSL_ERROR_CHECK_GOTO_ERROR(!gnutls_x509_crt_check_hostname(cert, svr->name));
596 gnutls_x509_crt_deinit(cert);
597 DBG("SSL certificate verification succeeded!");
598 return ECORE_CON_SSL_ERROR_NONE;
601 _gnutls_print_errors(ret);
602 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) || (ret == GNUTLS_E_FATAL_ALERT_RECEIVED))
603 ERR("Also received alert: %s", gnutls_alert_get_name(gnutls_alert_get(svr->session)));
604 if (svr->session && (svr->ssl_state != ECORE_CON_SSL_STATE_DONE))
606 ERR("last out: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_out(svr->session)));
607 ERR("last in: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_in(svr->session)));
610 gnutls_x509_crt_deinit(cert);
611 _ecore_con_ssl_server_shutdown_gnutls(svr);
612 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
616 _ecore_con_ssl_server_cafile_add_gnutls(Ecore_Con_Server *svr,
619 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_trust_file(svr->cert, ca_file,
620 GNUTLS_X509_FMT_PEM) < 1);
624 ERR("Could not load CA file!");
629 _ecore_con_ssl_server_crl_add_gnutls(Ecore_Con_Server *svr,
630 const char *crl_file)
632 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_crl_file(svr->cert, crl_file,
633 GNUTLS_X509_FMT_PEM) < 1);
637 ERR("Could not load CRL file!");
642 _ecore_con_ssl_server_privkey_add_gnutls(Ecore_Con_Server *svr,
643 const char *key_file)
645 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_key_file(svr->cert, svr->cert_file, key_file,
646 GNUTLS_X509_FMT_PEM));
650 ERR("Could not load certificate/key file!");
655 _ecore_con_ssl_server_cert_add_gnutls(Ecore_Con_Server *svr,
656 const char *cert_file)
658 if (!(svr->cert_file = strdup(cert_file)))
664 static Ecore_Con_Ssl_Error
665 _ecore_con_ssl_server_shutdown_gnutls(Ecore_Con_Server *svr)
669 gnutls_bye(svr->session, GNUTLS_SHUT_RDWR);
670 gnutls_deinit(svr->session);
674 free(svr->cert_file);
675 svr->cert_file = NULL;
677 gnutls_certificate_free_credentials(svr->cert);
680 if ((svr->type & ECORE_CON_SSL) && svr->created)
684 gnutls_dh_params_deinit(svr->dh_params);
685 svr->dh_params = NULL;
688 gnutls_anon_free_server_credentials(svr->anoncred_s);
689 // if (svr->pskcred_s)
690 // gnutls_psk_free_server_credentials(svr->pskcred_s);
692 svr->anoncred_s = NULL;
693 svr->pskcred_s = NULL;
695 else if (svr->type & ECORE_CON_SSL)
698 gnutls_anon_free_client_credentials(svr->anoncred_c);
699 // if (svr->pskcred_c)
700 // gnutls_psk_free_client_credentials(svr->pskcred_c);
702 svr->anoncred_c = NULL;
703 svr->pskcred_c = NULL;
708 return ECORE_CON_SSL_ERROR_NONE;
712 _ecore_con_ssl_server_read_gnutls(Ecore_Con_Server *svr,
718 if (svr->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
720 DBG("Continuing gnutls handshake");
721 if (!_ecore_con_ssl_server_init_gnutls(svr))
726 num = gnutls_record_recv(svr->session, buf, size);
730 if (num == GNUTLS_E_REHANDSHAKE)
732 WRN("Rehandshake request ignored");
735 svr->handshaking = EINA_TRUE;
736 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
737 if (!_ecore_con_ssl_server_init_gnutls(svr))
740 else if (!gnutls_error_is_fatal(num))
747 _ecore_con_ssl_server_write_gnutls(Ecore_Con_Server *svr,
753 if (svr->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
755 DBG("Continuing gnutls handshake");
756 if (!_ecore_con_ssl_server_init_gnutls(svr))
761 num = gnutls_record_send(svr->session, buf, size);
765 if (num == GNUTLS_E_REHANDSHAKE)
767 WRN("Rehandshake request ignored");
769 /* this is only partly functional I think? */
770 svr->handshaking = EINA_TRUE;
771 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
772 if (!_ecore_con_ssl_server_init_gnutls(svr))
775 else if (!gnutls_error_is_fatal(num))
781 static Ecore_Con_Ssl_Error
782 _ecore_con_ssl_client_init_gnutls(Ecore_Con_Client *cl)
784 const gnutls_datum_t *cert_list;
785 unsigned int iter, cert_list_size;
786 gnutls_x509_crt_t cert = NULL;
787 const char *priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
790 switch (cl->ssl_state)
792 case ECORE_CON_SSL_STATE_DONE:
793 return ECORE_CON_SSL_ERROR_NONE;
795 case ECORE_CON_SSL_STATE_INIT:
796 if (cl->host_server->type & ECORE_CON_USE_SSL2) /* not supported because of security issues */
797 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
799 switch (cl->host_server->type & ECORE_CON_SSL)
801 case ECORE_CON_USE_SSL3:
802 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
803 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-TLS1.0:!VERS-TLS1.1";
806 case ECORE_CON_USE_TLS:
807 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
808 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-SSL3.0";
811 case ECORE_CON_USE_MIXED:
812 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
816 return ECORE_CON_SSL_ERROR_NONE;
821 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_init(&cl->session, GNUTLS_SERVER));
822 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_key_generate(&cl->session_ticket));
823 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_enable_server(cl->session, &cl->session_ticket));
824 INF("Applying priority string: %s", priority);
825 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_priority_set_direct(cl->session, priority, NULL));
826 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_CERTIFICATE, cl->host_server->cert));
827 // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_PSK, cl->host_server->pskcred_s));
828 if (!cl->host_server->use_cert)
829 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_ANON, cl->host_server->anoncred_s));
831 gnutls_certificate_server_set_request(cl->session, GNUTLS_CERT_REQUEST);
833 gnutls_dh_set_prime_bits(cl->session, 2048);
834 gnutls_transport_set_ptr(cl->session, (gnutls_transport_ptr_t)cl->fd);
835 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
837 case ECORE_CON_SSL_STATE_HANDSHAKING:
840 DBG("Client was previously lost, going to error condition");
843 DBG("calling gnutls_handshake()");
844 ret = gnutls_handshake(cl->session);
845 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_error_is_fatal(ret));
849 cl->handshaking = EINA_FALSE;
850 cl->ssl_state = ECORE_CON_SSL_STATE_DONE;
854 if (gnutls_record_get_direction(cl->session))
855 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
857 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
858 return ECORE_CON_SSL_ERROR_NONE;
865 if (!cl->host_server->verify)
866 /* not verifying certificates, so we're done! */
867 return ECORE_CON_SSL_ERROR_NONE;
869 /* use CRL/CA lists to verify */
870 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_verify_peers2(cl->session, &iter));
871 if (iter & GNUTLS_CERT_INVALID)
872 ERR("The certificate is not trusted.");
873 else if (iter & GNUTLS_CERT_SIGNER_NOT_FOUND)
874 ERR("The certificate hasn't got a known issuer.");
875 else if (iter & GNUTLS_CERT_REVOKED)
876 ERR("The certificate has been revoked.");
877 else if (iter & GNUTLS_CERT_EXPIRED)
878 ERR("The certificate has expired");
879 else if (iter & GNUTLS_CERT_NOT_ACTIVATED)
880 ERR("The certificate is not yet activated");
885 if (gnutls_certificate_type_get(cl->session) != GNUTLS_CRT_X509)
887 ERR("Warning: PGP certificates are not yet supported!");
891 SSL_ERROR_CHECK_GOTO_ERROR(!(cert_list = gnutls_certificate_get_peers(cl->session, &cert_list_size)));
892 SSL_ERROR_CHECK_GOTO_ERROR(!cert_list_size);
894 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_init(&cert));
895 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER));
897 SSL_ERROR_CHECK_GOTO_ERROR(!gnutls_x509_crt_check_hostname(cert, cl->host_server->name));
898 gnutls_x509_crt_deinit(cert);
899 DBG("SSL certificate verification succeeded!");
900 return ECORE_CON_SSL_ERROR_NONE;
903 _gnutls_print_errors(ret);
904 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) || (ret == GNUTLS_E_FATAL_ALERT_RECEIVED))
905 ERR("Also received alert: %s", gnutls_alert_get_name(gnutls_alert_get(cl->session)));
906 if (cl->session && (cl->ssl_state != ECORE_CON_SSL_STATE_DONE))
908 ERR("last out: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_out(cl->session)));
909 ERR("last in: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_in(cl->session)));
912 gnutls_x509_crt_deinit(cert);
913 _ecore_con_ssl_client_shutdown_gnutls(cl);
914 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
917 static Ecore_Con_Ssl_Error
918 _ecore_con_ssl_client_shutdown_gnutls(Ecore_Con_Client *cl)
922 gnutls_bye(cl->session, GNUTLS_SHUT_RDWR);
923 gnutls_deinit(cl->session);
924 gnutls_free(cl->session_ticket.data);
925 cl->session_ticket.data = NULL;
930 return ECORE_CON_SSL_ERROR_NONE;
934 _ecore_con_ssl_client_read_gnutls(Ecore_Con_Client *cl,
940 if (cl->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
942 if (!_ecore_con_ssl_client_init_gnutls(cl))
947 num = gnutls_record_recv(cl->session, buf, size);
951 if (num == GNUTLS_E_REHANDSHAKE)
953 WRN("Rehandshake request ignored");
955 cl->handshaking = EINA_TRUE;
956 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
957 if (!_ecore_con_ssl_client_init_gnutls(cl))
959 WRN("Rehandshake request ignored");
962 else if (!gnutls_error_is_fatal(num))
969 _ecore_con_ssl_client_write_gnutls(Ecore_Con_Client *cl,
975 if (cl->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
977 if (!_ecore_con_ssl_client_init_gnutls(cl))
982 num = gnutls_record_send(cl->session, buf, size);
986 if (num == GNUTLS_E_REHANDSHAKE)
988 WRN("Rehandshake request ignored");
990 cl->handshaking = EINA_TRUE;
991 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
992 if (!_ecore_con_ssl_client_init_gnutls(cl))
995 else if (!gnutls_error_is_fatal(num))
1001 #elif USE_OPENSSL && !USE_GNUTLS
1007 static Ecore_Con_Ssl_Error
1008 _ecore_con_ssl_init_openssl(void)
1011 SSL_load_error_strings();
1012 OpenSSL_add_all_algorithms();
1014 return ECORE_CON_SSL_ERROR_NONE;
1017 static Ecore_Con_Ssl_Error
1018 _ecore_con_ssl_shutdown_openssl(void)
1022 return ECORE_CON_SSL_ERROR_NONE;
1025 static Ecore_Con_Ssl_Error
1026 _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *svr,
1032 if (ssl_type & ECORE_CON_USE_SSL2)
1033 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
1037 case ECORE_CON_USE_SSL3:
1038 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
1040 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_client_method())));
1042 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_server_method())));
1045 case ECORE_CON_USE_TLS:
1046 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
1048 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(TLSv1_client_method())));
1050 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(TLSv1_server_method())));
1053 case ECORE_CON_USE_MIXED:
1054 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
1056 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv23_client_method())));
1058 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv23_server_method())));
1059 options = SSL_CTX_get_options(svr->ssl_ctx);
1060 SSL_CTX_set_options(svr->ssl_ctx, options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
1064 return ECORE_CON_SSL_ERROR_NONE;
1067 if ((!svr->use_cert) && svr->created)
1070 INF("Generating DH params");
1071 SSL_ERROR_CHECK_GOTO_ERROR(!(dh_params = DH_new()));
1072 SSL_ERROR_CHECK_GOTO_ERROR(!DH_generate_parameters_ex(dh_params, 1024, DH_GENERATOR_5, NULL));
1073 SSL_ERROR_CHECK_GOTO_ERROR(!DH_check(dh_params, &dh));
1074 SSL_ERROR_CHECK_GOTO_ERROR((dh & DH_CHECK_P_NOT_PRIME) || (dh & DH_CHECK_P_NOT_SAFE_PRIME));
1075 SSL_ERROR_CHECK_GOTO_ERROR(!DH_generate_key(dh_params));
1076 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_tmp_dh(svr->ssl_ctx, dh_params));
1078 INF("DH params successfully generated and applied!");
1079 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH"));
1081 else if (!svr->use_cert)
1082 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:!ECDH:RSA:AES:!PSK:@STRENGTH"));
1084 return ECORE_CON_SSL_ERROR_NONE;
1089 if (dh & DH_CHECK_P_NOT_PRIME)
1090 ERR("openssl error: dh_params could not generate a prime!");
1092 ERR("openssl error: dh_params could not generate a safe prime!");
1095 _openssl_print_errors();
1096 _ecore_con_ssl_server_shutdown_openssl(svr);
1097 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1100 static Ecore_Con_Ssl_Error
1101 _ecore_con_ssl_server_init_openssl(Ecore_Con_Server *svr)
1105 switch (svr->ssl_state)
1107 case ECORE_CON_SSL_STATE_DONE:
1108 return ECORE_CON_SSL_ERROR_NONE;
1110 case ECORE_CON_SSL_STATE_INIT:
1111 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl = SSL_new(svr->ssl_ctx)));
1113 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_set_fd(svr->ssl, svr->fd));
1114 SSL_set_connect_state(svr->ssl);
1115 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1117 case ECORE_CON_SSL_STATE_HANDSHAKING:
1120 DBG("Server was previously lost, going to error condition");
1123 ret = SSL_do_handshake(svr->ssl);
1124 svr->ssl_err = SSL_get_error(svr->ssl, ret);
1125 SSL_ERROR_CHECK_GOTO_ERROR((svr->ssl_err == SSL_ERROR_SYSCALL) || (svr->ssl_err == SSL_ERROR_SSL));
1129 svr->handshaking = EINA_FALSE;
1130 svr->ssl_state = ECORE_CON_SSL_STATE_DONE;
1134 if (svr->ssl_err == SSL_ERROR_WANT_READ)
1135 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
1136 else if (svr->ssl_err == SSL_ERROR_WANT_WRITE)
1137 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
1138 return ECORE_CON_SSL_ERROR_NONE;
1146 /* print session info into DBG */
1151 memset(log, 0, sizeof(log));
1152 s = SSL_get_session(svr->ssl);
1153 b = BIO_new(BIO_s_mem());
1154 SSL_SESSION_print(b, s);
1155 while (BIO_read(b, log, sizeof(log)) > 0)
1162 /* not verifying certificates, so we're done! */
1163 return ECORE_CON_SSL_ERROR_NONE;
1165 SSL_set_verify(svr->ssl, SSL_VERIFY_PEER, NULL);
1166 /* use CRL/CA lists to verify */
1167 if (SSL_get_peer_certificate(svr->ssl))
1168 SSL_ERROR_CHECK_GOTO_ERROR(SSL_get_verify_result(svr->ssl));
1169 DBG("SSL certificate verification succeeded!");
1171 return ECORE_CON_SSL_ERROR_NONE;
1174 _openssl_print_errors();
1175 _ecore_con_ssl_server_shutdown_openssl(svr);
1176 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1180 _ecore_con_ssl_server_cafile_add_openssl(Ecore_Con_Server *svr,
1181 const char *ca_file)
1183 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_load_verify_locations(svr->ssl_ctx, ca_file, NULL));
1187 _openssl_print_errors();
1192 _ecore_con_ssl_server_crl_add_openssl(Ecore_Con_Server *svr,
1193 const char *crl_file)
1197 static Eina_Bool flag = EINA_FALSE;
1199 SSL_ERROR_CHECK_GOTO_ERROR(!(st = SSL_CTX_get_cert_store(svr->ssl_ctx)));
1200 SSL_ERROR_CHECK_GOTO_ERROR(!(lu = X509_STORE_add_lookup(st, X509_LOOKUP_file())));
1201 SSL_ERROR_CHECK_GOTO_ERROR(X509_load_crl_file(lu, crl_file, X509_FILETYPE_PEM) < 1);
1204 X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1211 _openssl_print_errors();
1216 _ecore_con_ssl_server_privkey_add_openssl(Ecore_Con_Server *svr,
1217 const char *key_file)
1220 EVP_PKEY *privkey = NULL;
1222 if (!(fp = fopen(key_file, "r")))
1225 SSL_ERROR_CHECK_GOTO_ERROR(!(privkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL)));
1228 SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_use_PrivateKey(svr->ssl_ctx, privkey) < 1);
1229 SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_check_private_key(svr->ssl_ctx) < 1);
1236 _openssl_print_errors();
1241 _ecore_con_ssl_server_cert_add_openssl(Ecore_Con_Server *svr,
1242 const char *cert_file)
1247 if (!(fp = fopen(cert_file, "r")))
1250 SSL_ERROR_CHECK_GOTO_ERROR(!(cert = PEM_read_X509(fp, NULL, NULL, NULL)));
1254 SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_use_certificate(svr->ssl_ctx, cert) < 1);
1261 _openssl_print_errors();
1265 static Ecore_Con_Ssl_Error
1266 _ecore_con_ssl_server_shutdown_openssl(Ecore_Con_Server *svr)
1270 if (!SSL_shutdown(svr->ssl))
1271 SSL_shutdown(svr->ssl);
1277 SSL_CTX_free(svr->ssl_ctx);
1280 svr->ssl_ctx = NULL;
1281 svr->ssl_err = SSL_ERROR_NONE;
1283 return ECORE_CON_SSL_ERROR_NONE;
1287 _ecore_con_ssl_server_read_openssl(Ecore_Con_Server *svr,
1293 num = SSL_read(svr->ssl, buf, size);
1294 svr->ssl_err = SSL_get_error(svr->ssl, num);
1296 if (svr->fd_handler)
1298 if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_READ)
1299 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
1300 else if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_WRITE)
1301 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
1304 if ((svr->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1305 (svr->ssl_err == SSL_ERROR_SYSCALL) ||
1306 (svr->ssl_err == SSL_ERROR_SSL))
1316 _ecore_con_ssl_server_write_openssl(Ecore_Con_Server *svr,
1322 num = SSL_write(svr->ssl, buf, size);
1323 svr->ssl_err = SSL_get_error(svr->ssl, num);
1325 if (svr->fd_handler)
1327 if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_READ)
1328 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
1329 else if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_WRITE)
1330 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
1333 if ((svr->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1334 (svr->ssl_err == SSL_ERROR_SYSCALL) ||
1335 (svr->ssl_err == SSL_ERROR_SSL))
1344 static Ecore_Con_Ssl_Error
1345 _ecore_con_ssl_client_init_openssl(Ecore_Con_Client *cl)
1348 switch (cl->ssl_state)
1350 case ECORE_CON_SSL_STATE_DONE:
1351 return ECORE_CON_SSL_ERROR_NONE;
1353 case ECORE_CON_SSL_STATE_INIT:
1354 SSL_ERROR_CHECK_GOTO_ERROR(!(cl->ssl = SSL_new(cl->host_server->ssl_ctx)));
1356 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_set_fd(cl->ssl, cl->fd));
1357 SSL_set_accept_state(cl->ssl);
1358 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1360 case ECORE_CON_SSL_STATE_HANDSHAKING:
1363 DBG("Client was previously lost, going to error condition");
1366 ret = SSL_do_handshake(cl->ssl);
1367 cl->ssl_err = SSL_get_error(cl->ssl, ret);
1368 SSL_ERROR_CHECK_GOTO_ERROR((cl->ssl_err == SSL_ERROR_SYSCALL) || (cl->ssl_err == SSL_ERROR_SSL));
1371 cl->handshaking = EINA_FALSE;
1372 cl->ssl_state = ECORE_CON_SSL_STATE_DONE;
1376 if (cl->ssl_err == SSL_ERROR_WANT_READ)
1377 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
1378 else if (cl->ssl_err == SSL_ERROR_WANT_WRITE)
1379 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
1380 return ECORE_CON_SSL_ERROR_NONE;
1388 /* print session info into DBG */
1393 memset(log, 0, sizeof(log));
1394 s = SSL_get_session(cl->ssl);
1395 b = BIO_new(BIO_s_mem());
1396 SSL_SESSION_print(b, s);
1397 while (BIO_read(b, log, sizeof(log)) > 0)
1403 if (!cl->host_server->verify)
1404 /* not verifying certificates, so we're done! */
1405 return ECORE_CON_SSL_ERROR_NONE;
1406 SSL_set_verify(cl->ssl, SSL_VERIFY_PEER, NULL);
1407 /* use CRL/CA lists to verify */
1408 if (SSL_get_peer_certificate(cl->ssl))
1409 SSL_ERROR_CHECK_GOTO_ERROR(SSL_get_verify_result(cl->ssl));
1411 return ECORE_CON_SSL_ERROR_NONE;
1414 _openssl_print_errors();
1415 _ecore_con_ssl_client_shutdown_openssl(cl);
1416 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1419 static Ecore_Con_Ssl_Error
1420 _ecore_con_ssl_client_shutdown_openssl(Ecore_Con_Client *cl)
1424 if (!SSL_shutdown(cl->ssl))
1425 SSL_shutdown(cl->ssl);
1431 cl->ssl_err = SSL_ERROR_NONE;
1433 return ECORE_CON_SSL_ERROR_NONE;
1437 _ecore_con_ssl_client_read_openssl(Ecore_Con_Client *cl,
1443 num = SSL_read(cl->ssl, buf, size);
1444 cl->ssl_err = SSL_get_error(cl->ssl, num);
1448 if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_READ)
1449 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
1450 else if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_WRITE)
1451 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
1454 if ((cl->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1455 (cl->ssl_err == SSL_ERROR_SYSCALL) ||
1456 (cl->ssl_err == SSL_ERROR_SSL))
1466 _ecore_con_ssl_client_write_openssl(Ecore_Con_Client *cl,
1472 num = SSL_write(cl->ssl, buf, size);
1473 cl->ssl_err = SSL_get_error(cl->ssl, num);
1477 if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_READ)
1478 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
1479 else if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_WRITE)
1480 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
1483 if ((cl->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1484 (cl->ssl_err == SSL_ERROR_SYSCALL) ||
1485 (cl->ssl_err == SSL_ERROR_SSL))
1500 static Ecore_Con_Ssl_Error
1501 _ecore_con_ssl_init_none(void)
1503 return ECORE_CON_SSL_ERROR_NONE;
1506 static Ecore_Con_Ssl_Error
1507 _ecore_con_ssl_shutdown_none(void)
1509 return ECORE_CON_SSL_ERROR_NONE;
1512 static Ecore_Con_Ssl_Error
1513 _ecore_con_ssl_server_prepare_none(Ecore_Con_Server *svr __UNUSED__,
1514 int ssl_type __UNUSED__)
1516 return ECORE_CON_SSL_ERROR_NONE;
1519 static Ecore_Con_Ssl_Error
1520 _ecore_con_ssl_server_init_none(Ecore_Con_Server *svr __UNUSED__)
1522 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
1526 _ecore_con_ssl_server_cafile_add_none(Ecore_Con_Server *svr __UNUSED__,
1527 const char *ca_file __UNUSED__)
1533 _ecore_con_ssl_server_cert_add_none(Ecore_Con_Server *svr __UNUSED__,
1534 const char *cert_file __UNUSED__)
1540 _ecore_con_ssl_server_privkey_add_none(Ecore_Con_Server *svr __UNUSED__,
1541 const char *key_file __UNUSED__)
1547 _ecore_con_ssl_server_crl_add_none(Ecore_Con_Server *svr __UNUSED__,
1548 const char *crl_file __UNUSED__)
1553 static Ecore_Con_Ssl_Error
1554 _ecore_con_ssl_server_shutdown_none(Ecore_Con_Server *svr __UNUSED__)
1556 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
1560 _ecore_con_ssl_server_read_none(Ecore_Con_Server *svr __UNUSED__,
1561 unsigned char *buf __UNUSED__,
1562 int size __UNUSED__)
1568 _ecore_con_ssl_server_write_none(Ecore_Con_Server *svr __UNUSED__,
1569 unsigned char *buf __UNUSED__,
1570 int size __UNUSED__)
1575 static Ecore_Con_Ssl_Error
1576 _ecore_con_ssl_client_init_none(Ecore_Con_Client *cl __UNUSED__)
1578 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
1581 static Ecore_Con_Ssl_Error
1582 _ecore_con_ssl_client_shutdown_none(Ecore_Con_Client *cl __UNUSED__)
1584 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
1588 _ecore_con_ssl_client_read_none(Ecore_Con_Client *cl __UNUSED__,
1589 unsigned char *buf __UNUSED__,
1590 int size __UNUSED__)
1596 _ecore_con_ssl_client_write_none(Ecore_Con_Client *cl __UNUSED__,
1597 unsigned char *buf __UNUSED__,
1598 int size __UNUSED__)