15 #include "tlsgnutlsclient.h"
37 gnutls_certificate_free_credentials( m_credentials );
45 if( m_initLib && gnutls_global_init() != 0 )
48 if( gnutls_certificate_allocate_credentials( &m_credentials ) < 0 )
51 if( gnutls_init( m_session, GNUTLS_CLIENT ) != 0 )
53 gnutls_certificate_free_credentials( m_credentials );
57 #if GNUTLS_VERSION_NUMBER >= 0x020600
58 int ret = gnutls_priority_set_direct( *m_session,
"SECURE128:+PFS:+COMP-ALL:+VERS-TLS-ALL:-VERS-SSL3.0:+SIGN-ALL:+CURVE-ALL", 0 );
59 if( ret != GNUTLS_E_SUCCESS )
62 const int protocolPriority[] = {
66 GNUTLS_TLS1_1, GNUTLS_TLS1, 0 };
67 const int kxPriority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, 0 };
68 const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
69 GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
70 const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
71 const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
72 gnutls_protocol_set_priority( *m_session, protocolPriority );
73 gnutls_cipher_set_priority( *m_session, cipherPriority );
74 gnutls_compression_set_priority( *m_session, compPriority );
75 gnutls_kx_set_priority( *m_session, kxPriority );
76 gnutls_mac_set_priority( *m_session, macPriority );
79 gnutls_credentials_set( *m_session, GNUTLS_CRD_CERTIFICATE, m_credentials );
81 gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)
this );
82 gnutls_transport_set_push_function( *m_session, pushFunc );
83 gnutls_transport_set_pull_function( *m_session, pullFunc );
93 StringList::const_iterator it = m_cacerts.begin();
94 for( ; it != m_cacerts.end(); ++it )
95 gnutls_certificate_set_x509_trust_file( m_credentials, (*it).c_str(), GNUTLS_X509_FMT_PEM );
100 m_clientKey = clientKey;
101 m_clientCerts = clientCerts;
103 if( !m_clientKey.empty() && !m_clientCerts.empty() )
105 gnutls_certificate_set_x509_key_file( m_credentials, m_clientCerts.c_str(),
106 m_clientKey.c_str(), GNUTLS_X509_FMT_PEM );
110 void GnuTLSClient::getCertInfo()
115 gnutls_certificate_free_ca_names( m_credentials );
117 if( gnutls_certificate_verify_peers2( *m_session, &status ) < 0 )
121 if( status & GNUTLS_CERT_INVALID )
123 if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
125 if( status & GNUTLS_CERT_REVOKED )
127 if( status & GNUTLS_CERT_SIGNER_NOT_CA )
130 const gnutls_datum_t* certList = 0;
131 unsigned int certListSize = 0;
132 if( !error && ( ( certList = gnutls_certificate_get_peers( *m_session, &certListSize ) ) == 0 ) )
135 unsigned int certListSizeFull = certListSize;
137 gnutls_x509_crt_t* cert =
new gnutls_x509_crt_t[certListSize];
138 for(
unsigned int i=0; !error && ( i<certListSize ); ++i )
140 if( gnutls_x509_crt_init( &cert[i] ) < 0
141 || gnutls_x509_crt_import( cert[i], &certList[i], GNUTLS_X509_FMT_DER ) < 0 )
145 if( certListSize > 1 && ( gnutls_x509_crt_check_issuer( cert[certListSize-1], cert[certListSize-1] ) > 0 ) )
149 for(
unsigned int i=1; !error && ( i<certListSize ); ++i )
151 chain = error = !verifyAgainst( cert[i-1], cert[i] );
155 m_certInfo.
chain = chain;
157 m_certInfo.
chain = verifyAgainstCAs( cert[certListSize-1], 0 , 0 );
159 int t = (int)gnutls_x509_crt_get_activation_time( cert[0] );
162 else if( t > time( 0 ) )
166 t = (
int)gnutls_x509_crt_get_expiration_time( cert[0] );
169 else if( t < time( 0 ) )
174 size_t nameSize =
sizeof( name );
175 gnutls_x509_crt_get_issuer_dn( cert[0], name, &nameSize );
178 nameSize =
sizeof( name );
179 gnutls_x509_crt_get_dn( cert[0], name, &nameSize );
183 info = gnutls_compression_get_name( gnutls_compression_get( *m_session ) );
187 info = gnutls_mac_get_name( gnutls_mac_get( *m_session ) );
189 m_certInfo.
mac = info;
191 info = gnutls_cipher_get_name( gnutls_cipher_get( *m_session ) );
195 info = gnutls_protocol_get_name( gnutls_protocol_get_version( *m_session ) );
199 if( !gnutls_x509_crt_check_hostname( cert[0], m_server.c_str() ) )
202 for(
unsigned int i = 0; i < certListSizeFull; ++i )
203 gnutls_x509_crt_deinit( cert[i] );
210 static bool verifyCert( gnutls_x509_crt_t cert,
unsigned result )
212 return ! ( ( result & GNUTLS_CERT_INVALID )
213 || gnutls_x509_crt_get_expiration_time( cert ) < time( 0 )
214 || gnutls_x509_crt_get_activation_time( cert ) > time( 0 ) );
217 bool GnuTLSClient::verifyAgainst( gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer )
220 gnutls_x509_crt_verify( cert, &issuer, 1, 0, &result );
221 return verifyCert( cert, result );
224 bool GnuTLSClient::verifyAgainstCAs( gnutls_x509_crt_t cert, gnutls_x509_crt_t* CAList,
int CAListSize )
227 gnutls_x509_crt_verify( cert, CAList, CAListSize, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &result );
228 return verifyCert( cert, result );
233 #endif // HAVE_GNUTLS
std::list< std::string > StringList
virtual bool init(const std::string &clientKey=EmptyString, const std::string &clientCerts=EmptyString, const StringList &cacerts=StringList())
The namespace for the gloox library.
This is the common base class for (stream) encryption using GnuTLS.
GnuTLSClient(TLSHandler *th, const std::string &server)
virtual void setCACerts(const StringList &cacerts)
virtual void setClientCert(const std::string &clientKey, const std::string &clientCerts)
An interface that allows for interacting with TLS implementations derived from TLSBase.