1 /*
2  Copyright (c) 2005-2017 by Jakob Schröter <js@camaya.net>
3  This file is part of the gloox library. http://camaya.net/gloox
4 
5  This software is distributed under a license. The full license
6  agreement can be found in the file LICENSE in this distribution.
7  This software may not be copied, modified, sold or distributed
8  other than expressed in the named license agreement.
9 
10  This software is distributed without any warranty.
11 */
12 
13 
14 
15 #include "tlsgnutlsserver.h"
16 
17 #ifdef HAVE_GNUTLS
18 
19 #include <errno.h>
20 
21 namespace gloox
22 {
23 
25  : GnuTLSBase( th ), m_dhBits( 1024 )
26  {
27  }
28 
30  {
31  gnutls_certificate_free_credentials( m_x509cred );
32  gnutls_dh_params_deinit( m_dhParams );
33  }
34 
36  {
38  init();
39  }
40 
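bool GnuTLSServer::init( const std::string& clientKey,
                         const std::string& clientCerts,
                         const StringList& cacerts )
{
  // Sets up the server-side GnuTLS session: library init (if this object
  // owns it), X.509 credentials, DH/RSA parameters, cipher priorities and
  // the transport callbacks. Returns true and sets m_valid once every
  // checked GnuTLS call succeeded; returns false on the first checked
  // failure, leaving m_valid untouched.
  // Caveat: setClientCert(), setCACerts() and generateDH() report no errors,
  // so a missing or unreadable key/cert/trust file does NOT make init()
  // fail; the handshake fails later instead.
  if( m_initLib && gnutls_global_init() != 0 )
    return false;

  if( gnutls_certificate_allocate_credentials( &m_x509cred ) < 0 )
    return false;

  setClientCert( clientKey, clientCerts );
  setCACerts( cacerts );

  generateDH();
  gnutls_certificate_set_dh_params( m_x509cred, m_dhParams );
  // m_rsaParams are 512-bit export-grade RSA parameters (see generateDH()).
  // They are only consumed by RSA-EXPORT ciphersuites, which the SECURE128
  // priority below is not expected to enable — TODO(review): confirm and
  // consider dropping them altogether.
  gnutls_certificate_set_rsa_export_params( m_x509cred, m_rsaParams );
// gnutls_priority_init( &m_priorityCache, "NORMAL", 0 );

  if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 )
    return false;

#if GNUTLS_VERSION_NUMBER >= 0x020600
  // NOTE(review): "+COMP-ALL" enables TLS-level compression, which is
  // generally discouraged for TLS because of compression side channels;
  // "-VERS-SSL3.0" removes SSLv3, "+PFS" prefers forward-secret exchanges.
  const int ret = gnutls_priority_set_direct( *m_session, "SECURE128:+PFS:+COMP-ALL:+VERS-TLS-ALL:-VERS-SSL3.0:+SIGN-ALL:+CURVE-ALL", 0 );
  if( ret != GNUTLS_E_SUCCESS )
    return false;
#else
  // Legacy per-category priorities for GnuTLS < 2.6. These lists still
  // include ARCFOUR, 3DES and MD5, which are considered weak today; their
  // return values are not checked.
  const int protocolPriority[] = {
#ifdef GNUTLS_TLS1_2
    GNUTLS_TLS1_2,
#endif
    GNUTLS_TLS1_1, GNUTLS_TLS1, 0 };
  const int kxPriority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, 0 };
  const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
                                 GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
  const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
  const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
  gnutls_protocol_set_priority( *m_session, protocolPriority );
  gnutls_cipher_set_priority( *m_session, cipherPriority );
  gnutls_compression_set_priority( *m_session, compPriority );
  gnutls_kx_set_priority( *m_session, kxPriority );
  gnutls_mac_set_priority( *m_session, macPriority );
#endif

  // A session without credentials cannot complete a handshake, so treat a
  // failure here like the other setup failures instead of reporting success.
  if( gnutls_credentials_set( *m_session, GNUTLS_CRD_CERTIFICATE, m_x509cred ) != GNUTLS_E_SUCCESS )
    return false;

  // Ask the client for a certificate but do not require one; no peer
  // verification is performed by this class (see getCertInfo()).
  gnutls_certificate_server_set_request( *m_session, GNUTLS_CERT_REQUEST );

  gnutls_dh_set_prime_bits( *m_session, m_dhBits );

  // Hand this object to the push/pull callbacks as the transport pointer.
  gnutls_transport_set_ptr( *m_session, static_cast<gnutls_transport_ptr_t>( this ) );
  gnutls_transport_set_push_function( *m_session, pushFunc );
  gnutls_transport_set_pull_function( *m_session, pullFunc );

  m_valid = true;
  return true;
}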
97 
void GnuTLSServer::setCACerts( const StringList& cacerts )
{
  // Remembers the CA certificate file list and registers every file as a
  // PEM trust anchor on m_x509cred. The return value of
  // gnutls_certificate_set_x509_trust_file() is ignored, so an unreadable
  // file silently contributes no trust anchors. m_x509cred must already be
  // allocated (init() allocates it before calling here).
  m_cacerts = cacerts;

  const StringList::const_iterator end = m_cacerts.end();
  for( StringList::const_iterator file = m_cacerts.begin(); file != end; ++file )
  {
    gnutls_certificate_set_x509_trust_file( m_x509cred, file->c_str(), GNUTLS_X509_FMT_PEM );
  }
}
106 
void GnuTLSServer::setClientCert( const std::string& clientKey, const std::string& clientCerts )
{
  // Stores the private key file and certificate chain file and, only when
  // both are non-empty, loads them (PEM) into m_x509cred. In this server
  // class the pair presumably is the server's own credential despite the
  // parameter names. The loader's return value is ignored: a missing or
  // malformed file leaves the credentials without a certificate and is not
  // reported to the caller. m_x509cred must be allocated beforehand.
  m_clientKey = clientKey;
  m_clientCerts = clientCerts;

  const bool haveKeyAndCert = !m_clientKey.empty() && !m_clientCerts.empty();
  if( !haveKeyAndCert )
    return;

  gnutls_certificate_set_x509_key_file( m_x509cred, m_clientCerts.c_str(),
                                        m_clientKey.c_str(), GNUTLS_X509_FMT_PEM );
}
120 
121 
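void GnuTLSServer::generateDH()
{
  // Generates the Diffie-Hellman parameters (m_dhBits bits, 1024 by
  // default) used for DHE key exchange and 512-bit RSA parameters for
  // RSA-EXPORT ciphersuites. Both live in members released by the
  // destructor. Generation can take noticeable time. Errors cannot be
  // reported through this void interface, but generate2() is only
  // attempted when the corresponding init() succeeded, so an
  // uninitialised handle is never passed on.
  if( gnutls_dh_params_init( &m_dhParams ) == GNUTLS_E_SUCCESS )
    gnutls_dh_params_generate2( m_dhParams, m_dhBits );

  // NOTE(review): 512-bit RSA is export-grade and far below current
  // recommendations; it is only ever used by RSA-EXPORT suites, which the
  // priorities in init() are not expected to enable.
  if( gnutls_rsa_params_init( &m_rsaParams ) == GNUTLS_E_SUCCESS )
    gnutls_rsa_params_generate2( m_rsaParams, 512 );
}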
129 
void GnuTLSServer::getCertInfo()
{
  // Fills m_certInfo with the negotiated session parameters (compression,
  // MAC, cipher, protocol version) and marks the object valid. The status
  // is set to CertOk unconditionally: no peer-certificate verification is
  // performed here, so CertOk only means the query ran — NOTE(review):
  // confirm that is intended for the server side.
  m_certInfo.status = CertOk;

  const char* compressionName = gnutls_compression_get_name( gnutls_compression_get( *m_session ) );
  if( compressionName )
    m_certInfo.compression = compressionName;

  const char* macName = gnutls_mac_get_name( gnutls_mac_get( *m_session ) );
  if( macName )
    m_certInfo.mac = macName;

  const char* cipherName = gnutls_cipher_get_name( gnutls_cipher_get( *m_session ) );
  if( cipherName )
    m_certInfo.cipher = cipherName;

  const char* protocolName = gnutls_protocol_get_name( gnutls_protocol_get_version( *m_session ) );
  if( protocolName )
    m_certInfo.protocol = protocolName;

  m_valid = true;
}
153 
154 }
155 
156 #endif // HAVE_GNUTLS