6 # include <gnutls/gnutls.h>
7 # include <gnutls/x509.h>
10 # include <openssl/ssl.h>
11 # include <openssl/err.h>
12 # include <openssl/dh.h>
15 #ifdef HAVE_WS2TCPIP_H
16 # include <ws2tcpip.h>
21 #include "ecore_con_private.h"
23 EAPI int ECORE_CON_EVENT_CLIENT_UPGRADE = 0;
24 EAPI int ECORE_CON_EVENT_SERVER_UPGRADE = 0;
26 static int _init_con_ssl_init_count = 0;
29 # ifdef EINA_HAVE_THREADS
30 GCRY_THREAD_OPTION_PTHREAD_IMPL;
33 static int _client_connected = 0;
35 # define SSL_SUFFIX(ssl_func) ssl_func ## _gnutls
36 # define _ECORE_CON_SSL_AVAILABLE 1
40 # define SSL_SUFFIX(ssl_func) ssl_func ## _openssl
41 # define _ECORE_CON_SSL_AVAILABLE 2
44 # define SSL_SUFFIX(ssl_func) ssl_func ## _none
45 # define _ECORE_CON_SSL_AVAILABLE 0
51 _gnutls_print_errors(void *conn, int type, int ret)
57 snprintf(buf, sizeof(buf), "GNUTLS error: %s - %s", gnutls_strerror_name(ret), gnutls_strerror(ret));
58 if (type == ECORE_CON_EVENT_CLIENT_ERROR)
59 ecore_con_event_client_error(conn, buf);
61 ecore_con_event_server_error(conn, buf);
65 _gnutls_print_session(const gnutls_datum_t *cert_list, unsigned int cert_list_size)
68 gnutls_x509_crt_t crt;
71 if (!eina_log_domain_level_check(_ecore_con_log_dom, EINA_LOG_LEVEL_DBG)) return;
72 for (x = 0; x < cert_list_size; x++)
74 gnutls_x509_crt_init(&crt);
75 gnutls_x509_crt_import(crt, &cert_list[x], GNUTLS_X509_FMT_DER);
76 gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, (gnutls_datum_t*)&c);
77 INF("CERTIFICATE:\n%s", c);
79 gnutls_x509_crt_deinit(crt);
86 _gnutls_log_func(int level,
90 strncat(buf, str, strlen(str) - 1);
91 DBG("|<%d>| %s", level, buf);
96 SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_description_t status)
100 case GNUTLS_HANDSHAKE_HELLO_REQUEST:
101 return "Hello request";
103 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
104 return "Client hello";
106 case GNUTLS_HANDSHAKE_SERVER_HELLO:
107 return "Server hello";
109 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
110 return "New session ticket";
112 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
113 return "Certificate packet";
115 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
116 return "Server key exchange";
118 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
119 return "Certificate request";
121 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
122 return "Server hello done";
124 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
125 return "Certificate verify";
127 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
128 return "Client key exchange";
130 case GNUTLS_HANDSHAKE_FINISHED:
133 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
134 return "Supplemental";
142 _openssl_print_verify_error(int error)
150 #ifdef X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
151 ERROR(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT);
153 #ifdef X509_V_ERR_UNABLE_TO_GET_CRL
154 ERROR(X509_V_ERR_UNABLE_TO_GET_CRL);
156 #ifdef X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
157 ERROR(X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE);
159 #ifdef X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
160 ERROR(X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE);
162 #ifdef X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
163 ERROR(X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY);
165 #ifdef X509_V_ERR_CERT_SIGNATURE_FAILURE
166 ERROR(X509_V_ERR_CERT_SIGNATURE_FAILURE);
168 #ifdef X509_V_ERR_CRL_SIGNATURE_FAILURE
169 ERROR(X509_V_ERR_CRL_SIGNATURE_FAILURE);
171 #ifdef X509_V_ERR_CERT_NOT_YET_VALID
172 ERROR(X509_V_ERR_CERT_NOT_YET_VALID);
174 #ifdef X509_V_ERR_CERT_HAS_EXPIRED
175 ERROR(X509_V_ERR_CERT_HAS_EXPIRED);
177 #ifdef X509_V_ERR_CRL_NOT_YET_VALID
178 ERROR(X509_V_ERR_CRL_NOT_YET_VALID);
180 #ifdef X509_V_ERR_CRL_HAS_EXPIRED
181 ERROR(X509_V_ERR_CRL_HAS_EXPIRED);
183 #ifdef X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
184 ERROR(X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD);
186 #ifdef X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
187 ERROR(X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD);
189 #ifdef X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
190 ERROR(X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD);
192 #ifdef X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
193 ERROR(X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
195 #ifdef X509_V_ERR_OUT_OF_MEM
196 ERROR(X509_V_ERR_OUT_OF_MEM);
198 #ifdef X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
199 ERROR(X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
201 #ifdef X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
202 ERROR(X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
204 #ifdef X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
205 ERROR(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
207 #ifdef X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
208 ERROR(X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
210 #ifdef X509_V_ERR_CERT_CHAIN_TOO_LONG
211 ERROR(X509_V_ERR_CERT_CHAIN_TOO_LONG);
213 #ifdef X509_V_ERR_CERT_REVOKED
214 ERROR(X509_V_ERR_CERT_REVOKED);
216 #ifdef X509_V_ERR_INVALID_CA
217 ERROR(X509_V_ERR_INVALID_CA);
219 #ifdef X509_V_ERR_PATH_LENGTH_EXCEEDED
220 ERROR(X509_V_ERR_PATH_LENGTH_EXCEEDED);
222 #ifdef X509_V_ERR_INVALID_PURPOSE
223 ERROR(X509_V_ERR_INVALID_PURPOSE);
225 #ifdef X509_V_ERR_CERT_UNTRUSTED
226 ERROR(X509_V_ERR_CERT_UNTRUSTED);
228 #ifdef X509_V_ERR_CERT_REJECTED
229 ERROR(X509_V_ERR_CERT_REJECTED);
231 /* These are 'informational' when looking for issuer cert */
232 #ifdef X509_V_ERR_SUBJECT_ISSUER_MISMATCH
233 ERROR(X509_V_ERR_SUBJECT_ISSUER_MISMATCH);
235 #ifdef X509_V_ERR_AKID_SKID_MISMATCH
236 ERROR(X509_V_ERR_AKID_SKID_MISMATCH);
238 #ifdef X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
239 ERROR(X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH);
241 #ifdef X509_V_ERR_KEYUSAGE_NO_CERTSIGN
242 ERROR(X509_V_ERR_KEYUSAGE_NO_CERTSIGN);
245 #ifdef X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
246 ERROR(X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER);
248 #ifdef X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
249 ERROR(X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION);
251 #ifdef X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
252 ERROR(X509_V_ERR_KEYUSAGE_NO_CRL_SIGN);
254 #ifdef X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
255 ERROR(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION);
257 #ifdef X509_V_ERR_INVALID_NON_CA
258 ERROR(X509_V_ERR_INVALID_NON_CA);
260 #ifdef X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
261 ERROR(X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED);
263 #ifdef X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
264 ERROR(X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE);
266 #ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
267 ERROR(X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED);
270 #ifdef X509_V_ERR_INVALID_EXTENSION
271 ERROR(X509_V_ERR_INVALID_EXTENSION);
273 #ifdef X509_V_ERR_INVALID_POLICY_EXTENSION
274 ERROR(X509_V_ERR_INVALID_POLICY_EXTENSION);
276 #ifdef X509_V_ERR_NO_EXPLICIT_POLICY
277 ERROR(X509_V_ERR_NO_EXPLICIT_POLICY);
279 #ifdef X509_V_ERR_DIFFERENT_CRL_SCOPE
280 ERROR(X509_V_ERR_DIFFERENT_CRL_SCOPE);
282 #ifdef X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
283 ERROR(X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE);
286 #ifdef X509_V_ERR_UNNESTED_RESOURCE
287 ERROR(X509_V_ERR_UNNESTED_RESOURCE);
290 #ifdef X509_V_ERR_PERMITTED_VIOLATION
291 ERROR(X509_V_ERR_PERMITTED_VIOLATION);
293 #ifdef X509_V_ERR_EXCLUDED_VIOLATION
294 ERROR(X509_V_ERR_EXCLUDED_VIOLATION);
296 #ifdef X509_V_ERR_SUBTREE_MINMAX
297 ERROR(X509_V_ERR_SUBTREE_MINMAX);
299 #ifdef X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
300 ERROR(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE);
302 #ifdef X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
303 ERROR(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX);
305 #ifdef X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
306 ERROR(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX);
308 #ifdef X509_V_ERR_CRL_PATH_VALIDATION_ERROR
309 ERROR(X509_V_ERR_CRL_PATH_VALIDATION_ERROR);
312 /* The application is not happy */
313 #ifdef X509_V_ERR_APPLICATION_VERIFICATION
314 ERROR(X509_V_ERR_APPLICATION_VERIFICATION);
321 _openssl_print_errors(void *conn, int type)
328 err = ERR_get_error();
330 snprintf(buf, sizeof(buf), "OpenSSL error: %s", ERR_reason_error_string(err));
331 if (type == ECORE_CON_EVENT_CLIENT_ERROR)
332 ecore_con_event_client_error(conn, buf);
334 ecore_con_event_server_error(conn, buf);
340 _openssl_name_verify(const char *name, const char *svrname)
344 /* we allow *.domain.TLD with a wildcard, but nothing else */
347 EINA_SAFETY_ON_TRUE_RETURN_VAL((name[1] != '.') || (!name[2]), EINA_FALSE);
348 p = strchr(name + 1, '*');
349 EINA_SAFETY_ON_TRUE_RETURN_VAL(!!p, EINA_FALSE);
350 /* verify that we have a domain of at least *.X.TLD and not *.TLD */
351 p = strchr(name + 2, '.');
352 EINA_SAFETY_ON_TRUE_RETURN_VAL(!p, EINA_FALSE);
353 s = strchr(svrname, '.');
354 EINA_SAFETY_ON_TRUE_RETURN_VAL(!s, EINA_FALSE);
355 /* same as above for the stored name */
356 EINA_SAFETY_ON_TRUE_RETURN_VAL(!strchr(s + 1, '.'), EINA_FALSE);
357 if (strcasecmp(s, name + 1))
359 ERR("%s != %s", s, name + 1);
364 if (strcasecmp(name, svrname))
366 ERR("%s != %s", name, svrname);
373 _openssl_print_session(SSL *ssl)
375 /* print session info into DBG */
382 if (!eina_log_domain_level_check(_ecore_con_log_dom, EINA_LOG_LEVEL_DBG)) return;
384 memset(log, 0, sizeof(log));
385 b = BIO_new(BIO_s_mem());
386 sk = SSL_get_peer_cert_chain(ssl);
389 DBG("CERTIFICATES:");
390 for (x = 0; x < sk_X509_num(sk); x++)
392 p = X509_NAME_oneline(X509_get_subject_name(sk_X509_value(sk, x)), log, sizeof(log));
393 DBG("%2d s:%s", x, p);
394 p = X509_NAME_oneline(X509_get_issuer_name(sk_X509_value(sk, x)), log, sizeof(log));
396 PEM_write_X509(stderr, sk_X509_value(sk, x));
399 s = SSL_get_session(ssl);
400 SSL_SESSION_print(b, s);
401 fprintf(stderr, "\n");
402 while (BIO_read(b, log, sizeof(log)) > 0)
403 fprintf(stderr, "%s", log);
410 #define SSL_ERROR_CHECK_GOTO_ERROR(X) \
415 ERR("Error at %s:%s:%d!", __FILE__, __PRETTY_FUNCTION__, __LINE__); \
421 static Ecore_Con_Ssl_Error
422 SSL_SUFFIX(_ecore_con_ssl_init) (void);
423 static Ecore_Con_Ssl_Error
424 SSL_SUFFIX(_ecore_con_ssl_shutdown) (void);
426 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_cafile_add) (Ecore_Con_Server * svr, const char *ca_file);
427 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_crl_add) (Ecore_Con_Server * svr, const char *crl_file);
428 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_cert_add) (Ecore_Con_Server * svr, const char *cert);
429 static Eina_Bool SSL_SUFFIX(_ecore_con_ssl_server_privkey_add) (Ecore_Con_Server * svr, const char *key_file);
431 static Ecore_Con_Ssl_Error SSL_SUFFIX(_ecore_con_ssl_server_prepare) (Ecore_Con_Server * svr, int ssl_type);
432 static Ecore_Con_Ssl_Error SSL_SUFFIX(_ecore_con_ssl_server_init) (Ecore_Con_Server * svr);
433 static Ecore_Con_Ssl_Error SSL_SUFFIX(_ecore_con_ssl_server_shutdown) (Ecore_Con_Server *svr);
434 static int SSL_SUFFIX(_ecore_con_ssl_server_read) (Ecore_Con_Server *svr, unsigned char *buf, int size);
435 static int SSL_SUFFIX(_ecore_con_ssl_server_write) (Ecore_Con_Server *svr, const unsigned char *buf, int size);
437 static Ecore_Con_Ssl_Error SSL_SUFFIX(_ecore_con_ssl_client_init) (Ecore_Con_Client * cl);
438 static Ecore_Con_Ssl_Error SSL_SUFFIX(_ecore_con_ssl_client_shutdown) (Ecore_Con_Client *cl);
439 static int SSL_SUFFIX(_ecore_con_ssl_client_read) (Ecore_Con_Client * cl,
440 unsigned char *buf, int size);
441 static int SSL_SUFFIX(_ecore_con_ssl_client_write) (Ecore_Con_Client * cl,
442 const unsigned char *buf, int size);
449 ecore_con_ssl_init(void)
451 if (!_init_con_ssl_init_count++)
453 SSL_SUFFIX(_ecore_con_ssl_init) ();
454 #if _ECORE_CON_SSL_AVAILABLE != 0
455 ECORE_CON_EVENT_CLIENT_UPGRADE = ecore_event_type_new();
456 ECORE_CON_EVENT_SERVER_UPGRADE = ecore_event_type_new();
460 return _init_con_ssl_init_count;
464 ecore_con_ssl_shutdown(void)
466 if (!--_init_con_ssl_init_count)
467 SSL_SUFFIX(_ecore_con_ssl_shutdown) ();
469 return _init_con_ssl_init_count;
473 ecore_con_ssl_server_prepare(Ecore_Con_Server *svr,
477 return ECORE_CON_SSL_ERROR_NONE;
478 return SSL_SUFFIX(_ecore_con_ssl_server_prepare) (svr, ssl_type);
482 ecore_con_ssl_server_init(Ecore_Con_Server *svr)
484 if (!(svr->type & ECORE_CON_SSL))
485 return ECORE_CON_SSL_ERROR_NONE;
486 return SSL_SUFFIX(_ecore_con_ssl_server_init) (svr);
490 ecore_con_ssl_server_shutdown(Ecore_Con_Server *svr)
492 if (!(svr->type & ECORE_CON_SSL))
493 return ECORE_CON_SSL_ERROR_NONE;
494 return SSL_SUFFIX(_ecore_con_ssl_server_shutdown) (svr);
498 ecore_con_ssl_server_read(Ecore_Con_Server *svr,
502 return SSL_SUFFIX(_ecore_con_ssl_server_read) (svr, buf, size);
506 ecore_con_ssl_server_write(Ecore_Con_Server *svr,
507 const unsigned char *buf,
510 return SSL_SUFFIX(_ecore_con_ssl_server_write) (svr, buf, size);
514 ecore_con_ssl_client_init(Ecore_Con_Client *cl)
516 if (!(cl->host_server->type & ECORE_CON_SSL))
517 return ECORE_CON_SSL_ERROR_NONE;
518 return SSL_SUFFIX(_ecore_con_ssl_client_init) (cl);
522 ecore_con_ssl_client_shutdown(Ecore_Con_Client *cl)
524 if (!(cl->host_server->type & ECORE_CON_SSL))
525 return ECORE_CON_SSL_ERROR_NONE;
526 return SSL_SUFFIX(_ecore_con_ssl_client_shutdown) (cl);
530 ecore_con_ssl_client_read(Ecore_Con_Client *cl,
534 return SSL_SUFFIX(_ecore_con_ssl_client_read) (cl, buf, size);
538 ecore_con_ssl_client_write(Ecore_Con_Client *cl,
539 const unsigned char *buf,
542 return SSL_SUFFIX(_ecore_con_ssl_client_write) (cl, buf, size);
546 * Returns if SSL support is available
547 * @return 1 if SSL is available and provided by gnutls, 2 if provided by openssl,
548 * 0 if it is not available.
549 * @ingroup Ecore_Con_Client_Group
552 ecore_con_ssl_available_get(void)
554 return _ECORE_CON_SSL_AVAILABLE;
558 * @addtogroup Ecore_Con_SSL_Group Ecore Connection SSL Functions
560 * Functions that operate on Ecore connection objects pertaining to SSL.
566 * @brief Enable certificate verification on a server object
568 * Call this function on a server object before main loop has started
569 * to enable verification of certificates against loaded certificates.
570 * @param svr The server object
573 ecore_con_ssl_server_verify(Ecore_Con_Server *svr)
575 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
577 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_verify");
580 svr->verify = EINA_TRUE;
584 * @brief Enable hostname-based certificate verification on a server object
586 * Call this function on a server object before main loop has started
587 * to enable verification of certificates using ONLY their hostnames.
588 * @param svr The server object
589 * @note This function has no effect when used on a listening server created by
590 * ecore_con_server_add
594 ecore_con_ssl_server_verify_basic(Ecore_Con_Server *svr)
596 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
598 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, __func__);
601 svr->verify_basic = EINA_TRUE;
605 * @brief Set the hostname to verify against in certificate verification
607 * Sometimes the certificate hostname will not match the hostname that you are
608 * connecting to, and will instead match a different name. An example of this is
609 * that if you connect to talk.google.com to use Google Talk, you receive Google's
610 * certificate for gmail.com. This certificate should be trusted, and so you must call
611 * this function with "gmail.com" as @p name.
612 * See RFC2818 for more details.
613 * @param svr The server object
614 * @param name The hostname to verify against
618 ecore_con_ssl_server_verify_name_set(Ecore_Con_Server *svr, const char *name)
620 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
622 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, __func__);
625 eina_stringshare_replace(&svr->verify_name, name);
629 * @brief Get the hostname to verify against in certificate verification
631 * This function returns the name which will be used to validate the SSL certificate
632 * common name (CN) or alt name (subjectAltName). It will default to the @p name
633 * param in ecore_con_server_connect(), but can be changed with ecore_con_ssl_server_verify_name_set().
634 * @param svr The server object
635 * @return The hostname which will be used
639 ecore_con_ssl_server_verify_name_get(Ecore_Con_Server *svr)
641 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
643 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, __func__);
646 return svr->verify_name ?: svr->name;
650 * @brief Add an ssl certificate for use in ecore_con functions.
652 * Use this function to add a SSL PEM certificate.
653 * Simply specify the cert here to use it in the server object for connecting or listening.
654 * If there is an error loading the certificate, an error will automatically be logged.
655 * @param svr The server object
656 * @param cert The path to the certificate.
657 * @return @c EINA_FALSE if the file cannot be loaded, otherwise @c EINA_TRUE.
661 ecore_con_ssl_server_cert_add(Ecore_Con_Server *svr,
664 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
666 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_cert_add");
670 if (!svr->ssl_prepared)
672 svr->use_cert = EINA_TRUE;
673 svr->type |= ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT;
674 if (ecore_con_ssl_server_prepare(svr, svr->type & ECORE_CON_SSL))
678 return SSL_SUFFIX(_ecore_con_ssl_server_cert_add) (svr, cert);
682 * @brief Add an ssl CA file for use in ecore_con functions.
684 * Use this function to add a SSL PEM CA file.
685 * Simply specify the file here to use it in the server object for connecting or listening.
686 * If there is an error loading the CAs, an error will automatically be logged.
687 * @param svr The server object
688 * @param ca_file The path to the CA file.
689 * @return @c EINA_FALSE if the file cannot be loaded, otherwise @c EINA_TRUE.
690 * @note since 1.2, this function can load directores
694 ecore_con_ssl_server_cafile_add(Ecore_Con_Server *svr,
697 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
699 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_cafile_add");
703 if (!svr->ssl_prepared)
705 svr->use_cert = EINA_TRUE;
706 svr->type |= ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT;
707 if (ecore_con_ssl_server_prepare(svr, svr->type & ECORE_CON_SSL))
711 return SSL_SUFFIX(_ecore_con_ssl_server_cafile_add) (svr, ca_file);
715 * @brief Add an ssl private key for use in ecore_con functions.
717 * Use this function to add a SSL PEM private key
718 * Simply specify the key file here to use it in the server object for connecting or listening.
719 * If there is an error loading the key, an error will automatically be logged.
720 * @param svr The server object
721 * @param key_file The path to the key file.
722 * @return @c EINA_FALSE if the file cannot be loaded, otherwise @c EINA_TRUE.
726 ecore_con_ssl_server_privkey_add(Ecore_Con_Server *svr,
727 const char *key_file)
729 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
731 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_privkey_add");
735 if (!svr->ssl_prepared)
737 svr->use_cert = EINA_TRUE;
738 svr->type |= ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT;
739 if (ecore_con_ssl_server_prepare(svr, svr->type & ECORE_CON_SSL))
743 return SSL_SUFFIX(_ecore_con_ssl_server_privkey_add) (svr, key_file);
747 * @brief Add an ssl CRL for use in ecore_con functions.
749 * Use this function to add a SSL PEM CRL file
750 * Simply specify the CRL file here to use it in the server object for connecting or listening.
751 * If there is an error loading the CRL, an error will automatically be logged.
752 * @param svr The server object
753 * @param crl_file The path to the CRL file.
754 * @return @c EINA_FALSE if the file cannot be loaded, otherwise @c EINA_TRUE.
758 ecore_con_ssl_server_crl_add(Ecore_Con_Server *svr,
759 const char *crl_file)
761 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
763 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, "ecore_con_ssl_server_crl_add");
767 if (!svr->ssl_prepared)
769 svr->use_cert = EINA_TRUE;
770 svr->type |= ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT;
771 if (ecore_con_ssl_server_prepare(svr, svr->type & ECORE_CON_SSL))
775 return SSL_SUFFIX(_ecore_con_ssl_server_crl_add) (svr, crl_file);
779 * @brief Upgrade a connection to a specified level of encryption
781 * Use this function to begin an SSL handshake on a connection (STARTTLS or similar).
782 * Once the upgrade has been completed, an ECORE_CON_EVENT_SERVER_UPGRADE event will be emitted.
783 * The connection should be treated as disconnected until the next event.
784 * @param svr The server object
785 * @param ssl_type The SSL connection type (ONLY).
786 * @return @c EINA_FALSE if the connection cannot be upgraded, otherwise @c EINA_TRUE.
787 * @note This function is NEVER to be used on a server object created with ecore_con_server_add
788 * @warning Setting a wrong value for @p compl_type WILL mess up your program.
793 ecore_con_ssl_server_upgrade(Ecore_Con_Server *svr, Ecore_Con_Type ssl_type)
795 if (!ECORE_MAGIC_CHECK(svr, ECORE_MAGIC_CON_SERVER))
797 ECORE_MAGIC_FAIL(svr, ECORE_MAGIC_CON_SERVER, __func__);
800 #if _ECORE_CON_SSL_AVAILABLE == 0
804 if (!svr->ssl_prepared)
806 if (ecore_con_ssl_server_prepare(svr, ssl_type))
810 svr->type |= ssl_type;
811 svr->upgrade = EINA_TRUE;
812 svr->handshaking = EINA_TRUE;
813 svr->ssl_state = ECORE_CON_SSL_STATE_INIT;
814 return !SSL_SUFFIX(_ecore_con_ssl_server_init) (svr);
818 * @brief Upgrade a connection to a specified level of encryption
820 * Use this function to begin an SSL handshake on a connection (STARTTLS or similar).
821 * Once the upgrade has been completed, an ECORE_CON_EVENT_CLIENT_UPGRADE event will be emitted.
822 * The connection should be treated as disconnected until the next event.
823 * @param cl The client object
824 * @param ssl_type The SSL connection type (ONLY).
825 * @return @c EINA_FALSE if the connection cannot be upgraded, otherwise @c EINA_TRUE.
826 * @warning Setting a wrong value for @p compl_type WILL mess up your program.
831 ecore_con_ssl_client_upgrade(Ecore_Con_Client *cl, Ecore_Con_Type ssl_type)
833 if (!ECORE_MAGIC_CHECK(cl, ECORE_MAGIC_CON_CLIENT))
835 ECORE_MAGIC_FAIL(cl, ECORE_MAGIC_CON_CLIENT, __func__);
838 #if _ECORE_CON_SSL_AVAILABLE == 0
842 if (!cl->host_server->ssl_prepared)
844 if (ecore_con_ssl_server_prepare(cl->host_server, ssl_type))
847 if (!cl->host_server->use_cert)
848 cl->host_server->type |= ssl_type;
849 cl->upgrade = EINA_TRUE;
850 cl->host_server->upgrade = EINA_TRUE;
851 cl->handshaking = EINA_TRUE;
852 cl->ssl_state = ECORE_CON_SSL_STATE_INIT;
853 return SSL_SUFFIX(_ecore_con_ssl_client_init) (cl);
866 static Ecore_Con_Ssl_Error
867 _ecore_con_ssl_init_gnutls(void)
869 #ifdef EINA_HAVE_THREADS
870 if (gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread))
871 WRN("YOU ARE USING PTHREADS, BUT I CANNOT INITIALIZE THREADSAFE GCRYPT OPERATIONS!");
873 if (gnutls_global_init())
874 return ECORE_CON_SSL_ERROR_INIT_FAILED;
877 if (eina_log_domain_level_check(_ecore_con_log_dom, EINA_LOG_LEVEL_DBG))
879 gnutls_global_set_log_level(9);
880 gnutls_global_set_log_function(_gnutls_log_func);
883 return ECORE_CON_SSL_ERROR_NONE;
886 static Ecore_Con_Ssl_Error
887 _ecore_con_ssl_shutdown_gnutls(void)
889 gnutls_global_deinit();
891 return ECORE_CON_SSL_ERROR_NONE;
894 static Ecore_Con_Ssl_Error
895 _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr,
900 if (ssl_type & ECORE_CON_USE_SSL2)
901 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
905 case ECORE_CON_USE_SSL3:
906 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
907 case ECORE_CON_USE_TLS:
908 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
909 case ECORE_CON_USE_MIXED:
910 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
914 return ECORE_CON_SSL_ERROR_NONE;
917 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert));
923 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params));
924 INF("Generating DH params");
925 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024));
927 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s));
928 /* TODO: implement PSK */
929 // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s));
931 gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params);
932 gnutls_certificate_set_dh_params(svr->cert, svr->dh_params);
933 //gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params);
934 INF("DH params successfully generated and applied!");
938 //SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c));
939 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c));
943 svr->ssl_prepared = EINA_TRUE;
944 return ECORE_CON_SSL_ERROR_NONE;
947 _gnutls_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR, ret);
948 _ecore_con_ssl_server_shutdown_gnutls(svr);
949 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
953 static Ecore_Con_Ssl_Error
954 _ecore_con_ssl_server_init_gnutls(Ecore_Con_Server *svr)
956 const gnutls_datum_t *cert_list;
957 unsigned int iter, cert_list_size;
958 gnutls_x509_crt_t cert = NULL;
959 const char *priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
962 switch (svr->ssl_state)
964 case ECORE_CON_SSL_STATE_DONE:
965 return ECORE_CON_SSL_ERROR_NONE;
967 case ECORE_CON_SSL_STATE_INIT:
968 if (svr->type & ECORE_CON_USE_SSL2) /* not supported because of security issues */
969 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
971 switch (svr->type & ECORE_CON_SSL)
973 case ECORE_CON_USE_SSL3:
974 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
975 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-TLS1.0:!VERS-TLS1.1";
978 case ECORE_CON_USE_TLS:
979 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
980 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-SSL3.0";
983 case ECORE_CON_USE_MIXED:
984 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
988 return ECORE_CON_SSL_ERROR_NONE;
991 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_init(&svr->session, GNUTLS_CLIENT));
992 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_enable_client(svr->session));
993 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_server_name_set(svr->session, GNUTLS_NAME_DNS, svr->name, strlen(svr->name)));
994 INF("Applying priority string: %s", priority);
995 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_priority_set_direct(svr->session, priority, NULL));
996 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session, GNUTLS_CRD_CERTIFICATE, svr->cert));
997 // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session, GNUTLS_CRD_PSK, svr->pskcred_c));
999 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session, GNUTLS_CRD_ANON, svr->anoncred_c));
1001 gnutls_dh_set_prime_bits(svr->session, 512);
1002 gnutls_transport_set_ptr(svr->session, (gnutls_transport_ptr_t)((intptr_t)svr->fd));
1003 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1005 case ECORE_CON_SSL_STATE_HANDSHAKING:
1008 DBG("Server was previously lost, going to error condition");
1011 ret = gnutls_handshake(svr->session);
1012 DBG("calling gnutls_handshake(): returned with '%s'", gnutls_strerror_name(ret));
1013 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_error_is_fatal(ret));
1016 svr->handshaking = EINA_FALSE;
1017 svr->ssl_state = ECORE_CON_SSL_STATE_DONE;
1021 if (gnutls_record_get_direction(svr->session))
1022 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
1024 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
1025 return ECORE_CON_SSL_ERROR_NONE;
1032 if ((!svr->verify) && (!svr->verify_basic))
1033 /* not verifying certificates, so we're done! */
1034 return ECORE_CON_SSL_ERROR_NONE;
1037 /* use CRL/CA lists to verify */
1038 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_verify_peers2(svr->session, &iter));
1039 if (iter & GNUTLS_CERT_INVALID)
1040 ERR("The certificate is not trusted.");
1041 else if (iter & GNUTLS_CERT_SIGNER_NOT_FOUND)
1042 ERR("The certificate hasn't got a known issuer.");
1043 else if (iter & GNUTLS_CERT_REVOKED)
1044 ERR("The certificate has been revoked.");
1045 else if (iter & GNUTLS_CERT_EXPIRED)
1046 ERR("The certificate has expired");
1047 else if (iter & GNUTLS_CERT_NOT_ACTIVATED)
1048 ERR("The certificate is not yet activated");
1053 if (gnutls_certificate_type_get(svr->session) != GNUTLS_CRT_X509)
1055 ERR("Warning: PGP certificates are not yet supported!");
1059 SSL_ERROR_CHECK_GOTO_ERROR(!(cert_list = gnutls_certificate_get_peers(svr->session, &cert_list_size)));
1060 SSL_ERROR_CHECK_GOTO_ERROR(!cert_list_size);
1062 _gnutls_print_session(cert_list, cert_list_size);
1064 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_init(&cert));
1065 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER));
1067 SSL_ERROR_CHECK_GOTO_ERROR(!gnutls_x509_crt_check_hostname(cert, svr->verify_name ?: svr->name));
1068 gnutls_x509_crt_deinit(cert);
1069 DBG("SSL certificate verification succeeded!");
1070 return ECORE_CON_SSL_ERROR_NONE;
1073 _gnutls_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR, ret);
1074 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) || (ret == GNUTLS_E_FATAL_ALERT_RECEIVED))
1075 ERR("Also received alert: %s", gnutls_alert_get_name(gnutls_alert_get(svr->session)));
1076 if (svr->session && (svr->ssl_state != ECORE_CON_SSL_STATE_DONE))
1078 ERR("last out: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_out(svr->session)));
1079 ERR("last in: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_in(svr->session)));
1082 gnutls_x509_crt_deinit(cert);
1083 _ecore_con_ssl_server_shutdown_gnutls(svr);
1084 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1088 _ecore_con_ssl_server_cafile_add_gnutls(Ecore_Con_Server *svr,
1089 const char *ca_file)
1094 Eina_Bool error = EINA_FALSE;
1096 if (stat(ca_file, &st)) return EINA_FALSE;
1097 if (S_ISDIR(st.st_mode))
1099 it = eina_file_ls(ca_file);
1100 SSL_ERROR_CHECK_GOTO_ERROR(!it);
1101 EINA_ITERATOR_FOREACH(it, file)
1105 if (gnutls_certificate_set_x509_trust_file(svr->cert, file, GNUTLS_X509_FMT_PEM) < 1)
1108 eina_stringshare_del(file);
1110 eina_iterator_free(it);
1113 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_trust_file(svr->cert, ca_file,
1114 GNUTLS_X509_FMT_PEM) < 1);
1118 ERR("Could not load CA file!");
1123 _ecore_con_ssl_server_crl_add_gnutls(Ecore_Con_Server *svr,
1124 const char *crl_file)
1126 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_crl_file(svr->cert, crl_file,
1127 GNUTLS_X509_FMT_PEM) < 1);
1131 ERR("Could not load CRL file!");
1136 _ecore_con_ssl_server_privkey_add_gnutls(Ecore_Con_Server *svr,
1137 const char *key_file)
1139 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_key_file(svr->cert, svr->cert_file, key_file,
1140 GNUTLS_X509_FMT_PEM));
1144 ERR("Could not load certificate/key file!");
1149 _ecore_con_ssl_server_cert_add_gnutls(Ecore_Con_Server *svr,
1150 const char *cert_file)
1152 if (!(svr->cert_file = strdup(cert_file)))
1158 static Ecore_Con_Ssl_Error
1159 _ecore_con_ssl_server_shutdown_gnutls(Ecore_Con_Server *svr)
1163 gnutls_bye(svr->session, GNUTLS_SHUT_RDWR);
1164 gnutls_deinit(svr->session);
1167 free(svr->cert_file);
1168 svr->cert_file = NULL;
1170 gnutls_certificate_free_credentials(svr->cert);
1173 if ((svr->type & ECORE_CON_SSL) && svr->created)
1177 gnutls_dh_params_deinit(svr->dh_params);
1178 svr->dh_params = NULL;
1180 if (svr->anoncred_s)
1181 gnutls_anon_free_server_credentials(svr->anoncred_s);
1182 // if (svr->pskcred_s)
1183 // gnutls_psk_free_server_credentials(svr->pskcred_s);
1185 svr->anoncred_s = NULL;
1186 svr->pskcred_s = NULL;
1188 else if (svr->type & ECORE_CON_SSL)
1190 if (svr->anoncred_c)
1191 gnutls_anon_free_client_credentials(svr->anoncred_c);
1192 // if (svr->pskcred_c)
1193 // gnutls_psk_free_client_credentials(svr->pskcred_c);
1195 svr->anoncred_c = NULL;
1196 svr->pskcred_c = NULL;
1199 svr->session = NULL;
1201 return ECORE_CON_SSL_ERROR_NONE;
1205 _ecore_con_ssl_server_read_gnutls(Ecore_Con_Server *svr,
1211 if (svr->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
1213 DBG("Continuing gnutls handshake");
1214 if (!_ecore_con_ssl_server_init_gnutls(svr))
1219 num = gnutls_record_recv(svr->session, buf, size);
1223 if (num == GNUTLS_E_REHANDSHAKE)
1225 WRN("Rehandshake request ignored");
1228 svr->handshaking = EINA_TRUE;
1229 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1230 if (!_ecore_con_ssl_server_init_gnutls(svr))
1233 else if ((!gnutls_error_is_fatal(num)) && (num != GNUTLS_E_SUCCESS))
1240 _ecore_con_ssl_server_write_gnutls(Ecore_Con_Server *svr,
1241 const unsigned char *buf,
1246 if (svr->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
1248 DBG("Continuing gnutls handshake");
1249 if (!_ecore_con_ssl_server_init_gnutls(svr))
1254 num = gnutls_record_send(svr->session, buf, size);
1258 if (num == GNUTLS_E_REHANDSHAKE)
1260 WRN("Rehandshake request ignored");
1262 /* this is only partly functional I think? */
1263 svr->handshaking = EINA_TRUE;
1264 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1265 if (!_ecore_con_ssl_server_init_gnutls(svr))
1268 else if (!gnutls_error_is_fatal(num))
1274 static Ecore_Con_Ssl_Error
1275 _ecore_con_ssl_client_init_gnutls(Ecore_Con_Client *cl)
1277 const gnutls_datum_t *cert_list;
1278 unsigned int iter, cert_list_size;
1279 const char *priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
1282 switch (cl->ssl_state)
1284 case ECORE_CON_SSL_STATE_DONE:
1285 return ECORE_CON_SSL_ERROR_NONE;
1287 case ECORE_CON_SSL_STATE_INIT:
1288 if (cl->host_server->type & ECORE_CON_USE_SSL2) /* not supported because of security issues */
1289 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
1291 switch (cl->host_server->type & ECORE_CON_SSL)
1293 case ECORE_CON_USE_SSL3:
1294 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
1295 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-TLS1.0:!VERS-TLS1.1";
1298 case ECORE_CON_USE_TLS:
1299 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
1300 priority = "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:!VERS-SSL3.0";
1303 case ECORE_CON_USE_MIXED:
1304 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
1308 return ECORE_CON_SSL_ERROR_NONE;
1311 _client_connected++;
1313 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_init(&cl->session, GNUTLS_SERVER));
1314 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_key_generate(&cl->session_ticket));
1315 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_session_ticket_enable_server(cl->session, &cl->session_ticket));
1316 INF("Applying priority string: %s", priority);
1317 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_priority_set_direct(cl->session, priority, NULL));
1318 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_CERTIFICATE, cl->host_server->cert));
1319 // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_PSK, cl->host_server->pskcred_s));
1320 if (!cl->host_server->use_cert)
1321 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(cl->session, GNUTLS_CRD_ANON, cl->host_server->anoncred_s));
1323 gnutls_certificate_server_set_request(cl->session, GNUTLS_CERT_REQUEST);
1325 gnutls_dh_set_prime_bits(cl->session, 2048);
1326 gnutls_transport_set_ptr(cl->session, (gnutls_transport_ptr_t)((intptr_t)cl->fd));
1327 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1329 case ECORE_CON_SSL_STATE_HANDSHAKING:
1332 DBG("Client was previously lost, going to error condition");
1335 DBG("calling gnutls_handshake()");
1336 ret = gnutls_handshake(cl->session);
1337 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_error_is_fatal(ret));
1341 cl->handshaking = EINA_FALSE;
1342 cl->ssl_state = ECORE_CON_SSL_STATE_DONE;
1346 if (gnutls_record_get_direction(cl->session))
1347 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
1349 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
1350 return ECORE_CON_SSL_ERROR_NONE;
1357 if (!cl->host_server->verify)
1358 /* not verifying certificates, so we're done! */
1359 return ECORE_CON_SSL_ERROR_NONE;
1360 /* use CRL/CA lists to verify */
1361 SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_verify_peers2(cl->session, &iter));
1362 if (iter & GNUTLS_CERT_INVALID)
1363 ERR("The certificate is not trusted.");
1364 else if (iter & GNUTLS_CERT_SIGNER_NOT_FOUND)
1365 ERR("The certificate hasn't got a known issuer.");
1366 else if (iter & GNUTLS_CERT_REVOKED)
1367 ERR("The certificate has been revoked.");
1368 else if (iter & GNUTLS_CERT_EXPIRED)
1369 ERR("The certificate has expired");
1370 else if (iter & GNUTLS_CERT_NOT_ACTIVATED)
1371 ERR("The certificate is not yet activated");
1375 if (gnutls_certificate_type_get(cl->session) != GNUTLS_CRT_X509)
1377 ERR("Warning: PGP certificates are not yet supported!");
1381 SSL_ERROR_CHECK_GOTO_ERROR(!(cert_list = gnutls_certificate_get_peers(cl->session, &cert_list_size)));
1382 SSL_ERROR_CHECK_GOTO_ERROR(!cert_list_size);
1384 _gnutls_print_session(cert_list, cert_list_size);
1386 gnutls_x509_crt_t cert = NULL;
1387 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_init(&cert));
1388 SSL_ERROR_CHECK_GOTO_ERROR(gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER));
1390 SSL_ERROR_CHECK_GOTO_ERROR(!gnutls_x509_crt_check_hostname(cert, cl->host_server->name));
1391 gnutls_x509_crt_deinit(cert);
1393 DBG("SSL certificate verification succeeded!");
1394 return ECORE_CON_SSL_ERROR_NONE;
1397 _gnutls_print_errors(cl, ECORE_CON_EVENT_CLIENT_ERROR, ret);
1398 if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) || (ret == GNUTLS_E_FATAL_ALERT_RECEIVED))
1399 ERR("Also received alert: %s", gnutls_alert_get_name(gnutls_alert_get(cl->session)));
1400 if (cl->session && (cl->ssl_state != ECORE_CON_SSL_STATE_DONE))
1402 ERR("last out: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_out(cl->session)));
1403 ERR("last in: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_in(cl->session)));
1407 gnutls_x509_crt_deinit(cert);
1409 _ecore_con_ssl_client_shutdown_gnutls(cl);
1410 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1413 static Ecore_Con_Ssl_Error
1414 _ecore_con_ssl_client_shutdown_gnutls(Ecore_Con_Client *cl)
1418 gnutls_bye(cl->session, GNUTLS_SHUT_RDWR);
1419 gnutls_deinit(cl->session);
1420 gnutls_free(cl->session_ticket.data);
1421 cl->session_ticket.data = NULL;
1426 return ECORE_CON_SSL_ERROR_NONE;
1430 _ecore_con_ssl_client_read_gnutls(Ecore_Con_Client *cl,
1436 if (cl->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
1438 if (!_ecore_con_ssl_client_init_gnutls(cl))
1443 num = gnutls_record_recv(cl->session, buf, size);
1447 if (num == GNUTLS_E_REHANDSHAKE)
1449 WRN("Rehandshake request ignored");
1451 cl->handshaking = EINA_TRUE;
1452 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1453 if (!_ecore_con_ssl_client_init_gnutls(cl))
1455 WRN("Rehandshake request ignored");
1458 else if ((!gnutls_error_is_fatal(num)) && (num != GNUTLS_E_SUCCESS))
1465 _ecore_con_ssl_client_write_gnutls(Ecore_Con_Client *cl,
1466 const unsigned char *buf,
1471 if (cl->ssl_state == ECORE_CON_SSL_STATE_HANDSHAKING)
1473 if (!_ecore_con_ssl_client_init_gnutls(cl))
1478 num = gnutls_record_send(cl->session, buf, size);
1482 if (num == GNUTLS_E_REHANDSHAKE)
1484 WRN("Rehandshake request ignored");
1486 cl->handshaking = EINA_TRUE;
1487 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1488 if (!_ecore_con_ssl_client_init_gnutls(cl))
1491 else if (!gnutls_error_is_fatal(num))
1497 #elif USE_OPENSSL && !USE_GNUTLS
1503 static Ecore_Con_Ssl_Error
1504 _ecore_con_ssl_init_openssl(void)
1507 SSL_load_error_strings();
1508 OpenSSL_add_all_algorithms();
1510 return ECORE_CON_SSL_ERROR_NONE;
1513 static Ecore_Con_Ssl_Error
1514 _ecore_con_ssl_shutdown_openssl(void)
1518 return ECORE_CON_SSL_ERROR_NONE;
1521 static Ecore_Con_Ssl_Error
1522 _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *svr,
1528 if (ssl_type & ECORE_CON_USE_SSL2)
1529 return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
1533 case ECORE_CON_USE_SSL3:
1534 case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
1536 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_client_method())));
1538 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_server_method())));
1541 case ECORE_CON_USE_TLS:
1542 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
1544 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(TLSv1_client_method())));
1546 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(TLSv1_server_method())));
1549 case ECORE_CON_USE_MIXED:
1550 case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
1552 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv23_client_method())));
1554 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv23_server_method())));
1555 options = SSL_CTX_get_options(svr->ssl_ctx);
1556 SSL_CTX_set_options(svr->ssl_ctx, options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
1560 svr->ssl_prepared = EINA_TRUE;
1561 return ECORE_CON_SSL_ERROR_NONE;
1564 if ((!svr->use_cert) && svr->created)
1567 INF("Generating DH params");
1568 SSL_ERROR_CHECK_GOTO_ERROR(!(dh_params = DH_new()));
1569 SSL_ERROR_CHECK_GOTO_ERROR(!DH_generate_parameters_ex(dh_params, 1024, DH_GENERATOR_5, NULL));
1570 SSL_ERROR_CHECK_GOTO_ERROR(!DH_check(dh_params, &dh));
1571 SSL_ERROR_CHECK_GOTO_ERROR((dh & DH_CHECK_P_NOT_PRIME) || (dh & DH_CHECK_P_NOT_SAFE_PRIME));
1572 SSL_ERROR_CHECK_GOTO_ERROR(!DH_generate_key(dh_params));
1573 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_tmp_dh(svr->ssl_ctx, dh_params));
1575 INF("DH params successfully generated and applied!");
1576 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH"));
1578 else if (!svr->use_cert)
1579 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_set_cipher_list(svr->ssl_ctx, "aNULL:!eNULL:!LOW:!EXPORT:!ECDH:RSA:AES:!PSK:@STRENGTH"));
1581 svr->ssl_prepared = EINA_TRUE;
1582 return ECORE_CON_SSL_ERROR_NONE;
1587 if (dh & DH_CHECK_P_NOT_PRIME)
1588 ERR("openssl error: dh_params could not generate a prime!");
1590 ERR("openssl error: dh_params could not generate a safe prime!");
1593 _openssl_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR);
1594 _ecore_con_ssl_server_shutdown_openssl(svr);
1595 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1598 static Ecore_Con_Ssl_Error
1599 _ecore_con_ssl_server_init_openssl(Ecore_Con_Server *svr)
1603 switch (svr->ssl_state)
1605 case ECORE_CON_SSL_STATE_DONE:
1606 return ECORE_CON_SSL_ERROR_NONE;
1608 case ECORE_CON_SSL_STATE_INIT:
1609 SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl = SSL_new(svr->ssl_ctx)));
1611 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_set_fd(svr->ssl, svr->fd));
1612 SSL_set_connect_state(svr->ssl);
1613 svr->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1615 case ECORE_CON_SSL_STATE_HANDSHAKING:
1618 DBG("Server was previously lost, going to error condition");
1621 ret = SSL_do_handshake(svr->ssl);
1622 svr->ssl_err = SSL_get_error(svr->ssl, ret);
1623 SSL_ERROR_CHECK_GOTO_ERROR((svr->ssl_err == SSL_ERROR_SYSCALL) || (svr->ssl_err == SSL_ERROR_SSL));
1627 svr->handshaking = EINA_FALSE;
1628 svr->ssl_state = ECORE_CON_SSL_STATE_DONE;
1632 if (svr->ssl_err == SSL_ERROR_WANT_READ)
1633 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
1634 else if (svr->ssl_err == SSL_ERROR_WANT_WRITE)
1635 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
1636 return ECORE_CON_SSL_ERROR_NONE;
1643 _openssl_print_session(svr->ssl);
1644 if ((!svr->verify) && (!svr->verify_basic))
1645 /* not verifying certificates, so we're done! */
1646 return ECORE_CON_SSL_ERROR_NONE;
1650 SSL_set_verify(svr->ssl, SSL_VERIFY_PEER, NULL);
1651 /* use CRL/CA lists to verify */
1652 cert = SSL_get_peer_certificate(svr->ssl);
1663 err = SSL_get_verify_result(svr->ssl);
1664 _openssl_print_verify_error(err);
1665 SSL_ERROR_CHECK_GOTO_ERROR(err);
1667 clen = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_subject_alt_name, NULL, 0);
1669 name = NID_subject_alt_name;
1671 clen = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, NULL, 0);
1672 SSL_ERROR_CHECK_GOTO_ERROR(clen < 1);
1673 if (!name) name = NID_commonName;
1675 X509_NAME_get_text_by_NID(X509_get_subject_name(cert), name, c, clen);
1676 INF("CERT NAME: %s\n", c);
1677 SSL_ERROR_CHECK_GOTO_ERROR(!_openssl_name_verify(c, svr->verify_name ?: svr->name));
1681 DBG("SSL certificate verification succeeded!");
1683 return ECORE_CON_SSL_ERROR_NONE;
1686 _openssl_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR);
1687 _ecore_con_ssl_server_shutdown_openssl(svr);
1688 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1692 _ecore_con_ssl_server_cafile_add_openssl(Ecore_Con_Server *svr,
1693 const char *ca_file)
1697 if (stat(ca_file, &st)) return EINA_FALSE;
1698 if (S_ISDIR(st.st_mode))
1699 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_load_verify_locations(svr->ssl_ctx, NULL, ca_file));
1701 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_CTX_load_verify_locations(svr->ssl_ctx, ca_file, NULL));
1705 _openssl_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR);
1710 _ecore_con_ssl_server_crl_add_openssl(Ecore_Con_Server *svr,
1711 const char *crl_file)
1715 static Eina_Bool flag = EINA_FALSE;
1717 SSL_ERROR_CHECK_GOTO_ERROR(!(st = SSL_CTX_get_cert_store(svr->ssl_ctx)));
1718 SSL_ERROR_CHECK_GOTO_ERROR(!(lu = X509_STORE_add_lookup(st, X509_LOOKUP_file())));
1719 SSL_ERROR_CHECK_GOTO_ERROR(X509_load_crl_file(lu, crl_file, X509_FILETYPE_PEM) < 1);
1722 X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1729 _openssl_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR);
1734 _ecore_con_ssl_server_privkey_add_openssl(Ecore_Con_Server *svr,
1735 const char *key_file)
1738 EVP_PKEY *privkey = NULL;
1740 if (!(fp = fopen(key_file, "r")))
1743 SSL_ERROR_CHECK_GOTO_ERROR(!(privkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL)));
1747 SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_use_PrivateKey(svr->ssl_ctx, privkey) < 1);
1748 SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_check_private_key(svr->ssl_ctx) < 1);
1755 _openssl_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR);
1760 _ecore_con_ssl_server_cert_add_openssl(Ecore_Con_Server *svr,
1761 const char *cert_file)
1766 if (!(fp = fopen(cert_file, "r")))
1769 SSL_ERROR_CHECK_GOTO_ERROR(!(cert = PEM_read_X509(fp, NULL, NULL, NULL)));
1773 SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_use_certificate(svr->ssl_ctx, cert) < 1);
1780 _openssl_print_errors(svr, ECORE_CON_EVENT_SERVER_ERROR);
1784 static Ecore_Con_Ssl_Error
1785 _ecore_con_ssl_server_shutdown_openssl(Ecore_Con_Server *svr)
1789 if (!SSL_shutdown(svr->ssl))
1790 SSL_shutdown(svr->ssl);
1796 SSL_CTX_free(svr->ssl_ctx);
1799 svr->ssl_ctx = NULL;
1800 svr->ssl_err = SSL_ERROR_NONE;
1802 return ECORE_CON_SSL_ERROR_NONE;
1806 _ecore_con_ssl_server_read_openssl(Ecore_Con_Server *svr,
1812 if (!svr->ssl) return -1;
1813 num = SSL_read(svr->ssl, buf, size);
1814 svr->ssl_err = SSL_get_error(svr->ssl, num);
1816 if (svr->fd_handler)
1818 if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_READ)
1819 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
1820 else if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_WRITE)
1821 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
1824 if ((svr->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1825 (svr->ssl_err == SSL_ERROR_SYSCALL) ||
1826 (svr->ssl_err == SSL_ERROR_SSL))
1836 _ecore_con_ssl_server_write_openssl(Ecore_Con_Server *svr,
1837 const unsigned char *buf,
1842 num = SSL_write(svr->ssl, buf, size);
1843 svr->ssl_err = SSL_get_error(svr->ssl, num);
1845 if (svr->fd_handler)
1847 if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_READ)
1848 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_READ);
1849 else if (svr->ssl && svr->ssl_err == SSL_ERROR_WANT_WRITE)
1850 ecore_main_fd_handler_active_set(svr->fd_handler, ECORE_FD_WRITE);
1853 if ((svr->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1854 (svr->ssl_err == SSL_ERROR_SYSCALL) ||
1855 (svr->ssl_err == SSL_ERROR_SSL))
1864 static Ecore_Con_Ssl_Error
1865 _ecore_con_ssl_client_init_openssl(Ecore_Con_Client *cl)
1868 switch (cl->ssl_state)
1870 case ECORE_CON_SSL_STATE_DONE:
1871 return ECORE_CON_SSL_ERROR_NONE;
1873 case ECORE_CON_SSL_STATE_INIT:
1874 SSL_ERROR_CHECK_GOTO_ERROR(!(cl->ssl = SSL_new(cl->host_server->ssl_ctx)));
1876 SSL_ERROR_CHECK_GOTO_ERROR(!SSL_set_fd(cl->ssl, cl->fd));
1877 SSL_set_accept_state(cl->ssl);
1878 cl->ssl_state = ECORE_CON_SSL_STATE_HANDSHAKING;
1880 case ECORE_CON_SSL_STATE_HANDSHAKING:
1883 DBG("Client was previously lost, going to error condition");
1886 ret = SSL_do_handshake(cl->ssl);
1887 cl->ssl_err = SSL_get_error(cl->ssl, ret);
1888 SSL_ERROR_CHECK_GOTO_ERROR((cl->ssl_err == SSL_ERROR_SYSCALL) || (cl->ssl_err == SSL_ERROR_SSL));
1891 cl->handshaking = EINA_FALSE;
1892 cl->ssl_state = ECORE_CON_SSL_STATE_DONE;
1896 if (cl->ssl_err == SSL_ERROR_WANT_READ)
1897 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
1898 else if (cl->ssl_err == SSL_ERROR_WANT_WRITE)
1899 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
1900 return ECORE_CON_SSL_ERROR_NONE;
1907 _openssl_print_session(cl->ssl);
1908 if (!cl->host_server->verify)
1909 /* not verifying certificates, so we're done! */
1910 return ECORE_CON_SSL_ERROR_NONE;
1911 SSL_set_verify(cl->ssl, SSL_VERIFY_PEER, NULL);
1912 /* use CRL/CA lists to verify */
1913 if (SSL_get_peer_certificate(cl->ssl))
1917 err = SSL_get_verify_result(cl->ssl);
1918 _openssl_print_verify_error(err);
1919 SSL_ERROR_CHECK_GOTO_ERROR(err);
1922 return ECORE_CON_SSL_ERROR_NONE;
1925 _openssl_print_errors(cl, ECORE_CON_EVENT_CLIENT_ERROR);
1926 _ecore_con_ssl_client_shutdown_openssl(cl);
1927 return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
1930 static Ecore_Con_Ssl_Error
1931 _ecore_con_ssl_client_shutdown_openssl(Ecore_Con_Client *cl)
1935 if (!SSL_shutdown(cl->ssl))
1936 SSL_shutdown(cl->ssl);
1942 cl->ssl_err = SSL_ERROR_NONE;
1944 return ECORE_CON_SSL_ERROR_NONE;
1948 _ecore_con_ssl_client_read_openssl(Ecore_Con_Client *cl,
1954 if (!cl->ssl) return -1;
1955 num = SSL_read(cl->ssl, buf, size);
1956 cl->ssl_err = SSL_get_error(cl->ssl, num);
1960 if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_READ)
1961 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
1962 else if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_WRITE)
1963 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
1966 if ((cl->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1967 (cl->ssl_err == SSL_ERROR_SYSCALL) ||
1968 (cl->ssl_err == SSL_ERROR_SSL))
1978 _ecore_con_ssl_client_write_openssl(Ecore_Con_Client *cl,
1979 const unsigned char *buf,
1984 num = SSL_write(cl->ssl, buf, size);
1985 cl->ssl_err = SSL_get_error(cl->ssl, num);
1989 if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_READ)
1990 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_READ);
1991 else if (cl->ssl && cl->ssl_err == SSL_ERROR_WANT_WRITE)
1992 ecore_main_fd_handler_active_set(cl->fd_handler, ECORE_FD_WRITE);
1995 if ((cl->ssl_err == SSL_ERROR_ZERO_RETURN) ||
1996 (cl->ssl_err == SSL_ERROR_SYSCALL) ||
1997 (cl->ssl_err == SSL_ERROR_SSL))
2012 static Ecore_Con_Ssl_Error
2013 _ecore_con_ssl_init_none(void)
2015 return ECORE_CON_SSL_ERROR_NONE;
2018 static Ecore_Con_Ssl_Error
2019 _ecore_con_ssl_shutdown_none(void)
2021 return ECORE_CON_SSL_ERROR_NONE;
2024 static Ecore_Con_Ssl_Error
2025 _ecore_con_ssl_server_prepare_none(Ecore_Con_Server *svr __UNUSED__,
2026 int ssl_type __UNUSED__)
2028 return ECORE_CON_SSL_ERROR_NONE;
2031 static Ecore_Con_Ssl_Error
2032 _ecore_con_ssl_server_init_none(Ecore_Con_Server *svr __UNUSED__)
2034 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
2038 _ecore_con_ssl_server_cafile_add_none(Ecore_Con_Server *svr __UNUSED__,
2039 const char *ca_file __UNUSED__)
2045 _ecore_con_ssl_server_cert_add_none(Ecore_Con_Server *svr __UNUSED__,
2046 const char *cert_file __UNUSED__)
2052 _ecore_con_ssl_server_privkey_add_none(Ecore_Con_Server *svr __UNUSED__,
2053 const char *key_file __UNUSED__)
2059 _ecore_con_ssl_server_crl_add_none(Ecore_Con_Server *svr __UNUSED__,
2060 const char *crl_file __UNUSED__)
2065 static Ecore_Con_Ssl_Error
2066 _ecore_con_ssl_server_shutdown_none(Ecore_Con_Server *svr __UNUSED__)
2068 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
2072 _ecore_con_ssl_server_read_none(Ecore_Con_Server *svr __UNUSED__,
2073 unsigned char *buf __UNUSED__,
2074 int size __UNUSED__)
2080 _ecore_con_ssl_server_write_none(Ecore_Con_Server *svr __UNUSED__,
2081 const unsigned char *buf __UNUSED__,
2082 int size __UNUSED__)
2087 static Ecore_Con_Ssl_Error
2088 _ecore_con_ssl_client_init_none(Ecore_Con_Client *cl __UNUSED__)
2090 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
2093 static Ecore_Con_Ssl_Error
2094 _ecore_con_ssl_client_shutdown_none(Ecore_Con_Client *cl __UNUSED__)
2096 return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
2100 _ecore_con_ssl_client_read_none(Ecore_Con_Client *cl __UNUSED__,
2101 unsigned char *buf __UNUSED__,
2102 int size __UNUSED__)
2108 _ecore_con_ssl_client_write_none(Ecore_Con_Client *cl __UNUSED__,
2109 const unsigned char *buf __UNUSED__,
2110 int size __UNUSED__)