29 #define DISABLE_DEBUGLOG
34 #include "syncio_tls_p.h"
37 #include <gwenhywfar/misc.h>
38 #include <gwenhywfar/debug.h>
39 #include <gwenhywfar/gui.h>
40 #include <gwenhywfar/gui.h>
41 #include <gwenhywfar/pathmanager.h>
42 #include <gwenhywfar/directory.h>
43 #include <gwenhywfar/gwenhywfar.h>
44 #include <gwenhywfar/text.h>
50 #include <gnutls/gnutls.h>
51 #include <gnutls/x509.h>
80 xio=(GWEN_SYNCIO_TLS*) p;
93 return xio->localCertFile;
105 free(xio->localCertFile);
106 if (s) xio->localCertFile=strdup(s);
107 else xio->localCertFile=
NULL;
113 GWEN_SYNCIO_TLS *xio;
119 return xio->localKeyFile;
125 GWEN_SYNCIO_TLS *xio;
131 free(xio->localKeyFile);
132 if (s) xio->localKeyFile=strdup(s);
133 else xio->localKeyFile=
NULL;
139 GWEN_SYNCIO_TLS *xio;
145 return xio->localTrustFile;
151 GWEN_SYNCIO_TLS *xio;
157 free(xio->localTrustFile);
158 if (s) xio->localTrustFile=strdup(s);
159 else xio->localTrustFile=
NULL;
165 GWEN_SYNCIO_TLS *xio;
171 return xio->dhParamFile;
177 GWEN_SYNCIO_TLS *xio;
183 free(xio->dhParamFile);
184 if (s) xio->dhParamFile=strdup(s);
185 else xio->dhParamFile=
NULL;
191 GWEN_SYNCIO_TLS *xio;
197 return xio->hostName;
203 GWEN_SYNCIO_TLS *xio;
210 if (s) xio->hostName=strdup(s);
211 else xio->hostName=
NULL;
217 GWEN_SYNCIO_TLS *xio;
223 return xio->peerCertDescr;
259 GWEN_SYNCIO_TLS *xio;
273 rv=gnutls_init(&xio->session, GNUTLS_SERVER);
277 rv=gnutls_init(&xio->session, GNUTLS_CLIENT);
285 rv=gnutls_set_default_priority(xio->session);
288 gnutls_deinit(xio->session);
294 const int proto_prio[2] = { GNUTLS_SSL3, 0 };
297 rv=gnutls_protocol_set_priority(xio->session, proto_prio);
300 gnutls_deinit(xio->session);
306 gnutls_handshake_set_max_packet_length(xio->session, 64*1024);
309 if ((lflags & GWEN_SYNCIO_FLAGS_PASSIVE) &&
311 gnutls_certificate_server_set_request(xio->session, GNUTLS_CERT_REQUIRE);
314 rv=gnutls_certificate_allocate_credentials(&xio->credentials);
317 gnutls_deinit(xio->session);
322 if (xio->localCertFile && xio->localKeyFile) {
323 rv=gnutls_certificate_set_x509_key_file(xio->credentials,
326 GNUTLS_X509_FMT_PEM);
330 gnutls_certificate_free_credentials(xio->credentials);
331 gnutls_deinit(xio->session);
344 if (trustFileSet==0) {
353 "ca-certificates.crt",
358 "Using default ca-bundle from [%s]",
367 if (trustFileSet==0) {
382 "Using default ca-bundle from [%s]",
391 if (trustFileSet==0) {
397 if (xio->localTrustFile) {
398 rv=gnutls_certificate_set_x509_trust_file(xio->credentials,
400 GNUTLS_X509_FMT_PEM);
403 "gnutls_certificate_set_x509_trust_file(%s): %d (%s)",
404 (xio->localTrustFile)?(xio->localTrustFile):
"-none-",
405 rv, gnutls_strerror(rv));
406 gnutls_certificate_free_credentials(xio->credentials);
407 gnutls_deinit(xio->session);
412 "Added %d trusted certs", rv);
417 if (xio->dhParamFile) {
425 gnutls_certificate_free_credentials(xio->credentials);
426 gnutls_deinit(xio->session);
431 gnutls_dh_params dh_params=
NULL;
433 rv=gnutls_dh_params_init(&dh_params);
437 gnutls_certificate_free_credentials(xio->credentials);
438 gnutls_deinit(xio->session);
445 rv=gnutls_dh_params_import_pkcs3(dh_params, &d, GNUTLS_X509_FMT_PEM);
449 gnutls_certificate_free_credentials(xio->credentials);
450 gnutls_deinit(xio->session);
455 gnutls_certificate_set_dh_params(xio->credentials, dh_params);
460 rv=gnutls_credentials_set(xio->session, GNUTLS_CRD_CERTIFICATE, xio->credentials);
463 gnutls_certificate_free_credentials(xio->credentials);
464 gnutls_deinit(xio->session);
469 gnutls_transport_set_ptr(xio->session, (gnutls_transport_ptr_t)sio);
472 #if GNUTLS_VERSION_NUMBER < 0x030003
473 gnutls_transport_set_lowat(xio->session, 0);
484 GWEN_SYNCIO_TLS *xio;
491 gnutls_certificate_free_credentials(xio->credentials);
492 gnutls_deinit(xio->session);
500 GWEN_SYNCIO_TLS *xio;
501 const gnutls_datum_t *cert_list;
502 unsigned int cert_list_size;
520 if (xio->peerCertDescr) {
522 xio->peerCertDescr=
NULL;
524 xio->peerCertFlags=0;
537 gnutls_certificate_set_verify_flags(xio->credentials,
538 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
540 rv=gnutls_certificate_verify_peers2(xio->session, &status);
547 if (gnutls_certificate_type_get(xio->session)!=GNUTLS_CRT_X509) {
554 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
557 I18N(
"Signer not found"));
561 if (status & GNUTLS_CERT_INVALID) {
564 I18N(
"Certificate is not trusted"));
568 if (status & GNUTLS_CERT_REVOKED) {
571 I18N(
"Certificate has been revoked"));
575 cert_list=gnutls_certificate_get_peers(xio->session, &cert_list_size);
576 if (cert_list==
NULL || cert_list_size==0) {
581 for (i=0; i<cert_list_size; i++) {
582 gnutls_x509_crt_t cert;
585 rv=gnutls_x509_crt_init(&cert);
591 rv=gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
594 gnutls_x509_crt_deinit(cert);
601 rv=gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, buffer1, &size);
605 gnutls_x509_crt_deinit(cert);
613 size, dbuf, 2,
':', 0)) {
615 "Could not convert fingerprint to hex");
625 if (!gnutls_x509_crt_check_hostname(cert, xio->hostName)) {
627 "Certificate was not issued for this host");
629 I18N(
"Certificate was not issued for this host"));
638 "Hostname is not set, unable to verify the sender");
640 I18N(
"No hostname to verify the sender!"));
646 t=gnutls_x509_crt_get_activation_time(cert);
667 t=gnutls_x509_crt_get_expiration_time(cert);
689 size=
sizeof(buffer1)-1;
690 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, buffer1, &size);
693 if (xio->hostName && strcasecmp(xio->hostName, buffer1)!=0) {
699 size=
sizeof(buffer1)-1;
700 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, buffer1, &size);
704 size=
sizeof(buffer1)-1;
705 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, buffer1, &size);
709 size=
sizeof(buffer1)-1;
710 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, buffer1, &size);
714 size=
sizeof(buffer1)-1;
715 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, buffer1, &size);
719 size=
sizeof(buffer1)-1;
720 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, buffer1, &size);
725 gnutls_x509_crt_deinit(cert);
794 xio->peerCertDescr=certDescr;
795 xio->peerCertFlags=errFlags;
804 GWEN_SYNCIO_TLS *xio;
820 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
821 gnutls_transport_set_errno(xio->session, errno);
826 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
827 gnutls_transport_set_errno(xio->session, 0);
840 GWEN_SYNCIO_TLS *xio;
856 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
857 gnutls_transport_set_errno(xio->session, errno);
862 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
863 gnutls_transport_set_errno(xio->session, 0);
873 GWEN_SYNCIO_TLS *xio;
908 rv=gnutls_handshake(xio->session);
909 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
913 rv, gnutls_strerror(rv), gnutls_error_is_fatal(rv)?
"fatal":
"non-fatal");
914 if (rv==GNUTLS_E_UNEXPECTED_PACKET_LENGTH) {
917 I18N(
"A TLS handshake error occurred. "
918 "If you are using AqBanking you should "
919 "consider enabling the option "
920 "\"force SSLv3\" in the user settings "
926 I18N(
"TLS Handshake Error: %d (%s)"),
928 gnutls_strerror(rv));
976 GWEN_SYNCIO_TLS *xio;
995 rv=gnutls_bye(xio->session, GNUTLS_SHUT_RDWR);
996 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
1002 I18N(
"Error on gnutls_bye: %d (%s)"),
1004 gnutls_strerror(rv));
1022 GWEN_SYNCIO_TLS *xio;
1041 rv=gnutls_record_recv(xio->session, buffer, size);
1042 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
1049 I18N(
"Error on gnutls_record_recv: %d (%s)"),
1051 gnutls_strerror(rv));
1059 #ifdef GWEN_TLS_DEBUG
1070 const uint8_t *buffer,
1072 GWEN_SYNCIO_TLS *xio;
1080 #ifdef GWEN_TLS_DEBUG
1096 rv=gnutls_record_send(xio->session, buffer, size);
1097 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
1103 I18N(
"Error on gnutls_record_send: %d (%s)"),
1105 gnutls_strerror(rv));