gloox  1.0
tlsgnutlsclient.cpp
1 /*
2  Copyright (c) 2005-2009 by Jakob Schroeter <js@camaya.net>
3  This file is part of the gloox library. http://camaya.net/gloox
4 
5  This software is distributed under a license. The full license
6  agreement can be found in the file LICENSE in this distribution.
7  This software may not be copied, modified, sold or distributed
8  other than expressed in the named license agreement.
9 
10  This software is distributed without any warranty.
11 */
12 
13 
14 
15 #include "tlsgnutlsclient.h"
16 
17 #ifdef HAVE_GNUTLS
18 
19 #include <errno.h>
20 
21 namespace gloox
22 {
23 
24  GnuTLSClient::GnuTLSClient( TLSHandler* th, const std::string& server )
25  : GnuTLSBase( th, server )
26  {
27  }
28 
29  GnuTLSClient::~GnuTLSClient()
30  {
31  }
32 
33  void GnuTLSClient::cleanup()
34  {
35  GnuTLSBase::cleanup();
36  init();
37  }
38 
39  bool GnuTLSClient::init( const std::string& clientKey,
40  const std::string& clientCerts,
41  const StringList& cacerts )
42  {
43  const int protocolPriority[] = {
44 #ifdef GNUTLS_TLS1_2
45  GNUTLS_TLS1_2,
46 #endif
47  GNUTLS_TLS1_1, GNUTLS_TLS1, 0 };
48  const int kxPriority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, 0 };
49  const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
50  GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
51  const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
52  const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
53 
54  if( m_initLib && gnutls_global_init() != 0 )
55  return false;
56 
57  if( gnutls_certificate_allocate_credentials( &m_credentials ) < 0 )
58  return false;
59 
60  if( gnutls_init( m_session, GNUTLS_CLIENT ) != 0 )
61  {
62  gnutls_certificate_free_credentials( m_credentials );
63  return false;
64  }
65 
66  gnutls_protocol_set_priority( *m_session, protocolPriority );
67  gnutls_cipher_set_priority( *m_session, cipherPriority );
68  gnutls_compression_set_priority( *m_session, compPriority );
69  gnutls_kx_set_priority( *m_session, kxPriority );
70  gnutls_mac_set_priority( *m_session, macPriority );
71  gnutls_credentials_set( *m_session, GNUTLS_CRD_CERTIFICATE, m_credentials );
72 
73  gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this );
74  gnutls_transport_set_push_function( *m_session, pushFunc );
75  gnutls_transport_set_pull_function( *m_session, pullFunc );
76 
77  m_valid = true;
78  return true;
79  }
80 
81  void GnuTLSClient::setCACerts( const StringList& cacerts )
82  {
83  m_cacerts = cacerts;
84 
85  StringList::const_iterator it = m_cacerts.begin();
86  for( ; it != m_cacerts.end(); ++it )
87  gnutls_certificate_set_x509_trust_file( m_credentials, (*it).c_str(), GNUTLS_X509_FMT_PEM );
88  }
89 
90  void GnuTLSClient::setClientCert( const std::string& clientKey, const std::string& clientCerts )
91  {
92  m_clientKey = clientKey;
93  m_clientCerts = clientCerts;
94 
95  if( !m_clientKey.empty() && !m_clientCerts.empty() )
96  {
97  gnutls_certificate_set_x509_key_file( m_credentials, m_clientCerts.c_str(),
98  m_clientKey.c_str(), GNUTLS_X509_FMT_PEM );
99  }
100  }
101 
102  void GnuTLSClient::getCertInfo()
103  {
104  unsigned int status;
105  bool error = false;
106 
107  gnutls_certificate_free_ca_names( m_credentials );
108 
109  if( gnutls_certificate_verify_peers2( *m_session, &status ) < 0 )
110  error = true;
111 
112  m_certInfo.status = 0;
113  if( status & GNUTLS_CERT_INVALID )
114  m_certInfo.status |= CertInvalid;
115  if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
116  m_certInfo.status |= CertSignerUnknown;
117  if( status & GNUTLS_CERT_REVOKED )
118  m_certInfo.status |= CertRevoked;
119  if( status & GNUTLS_CERT_SIGNER_NOT_CA )
120  m_certInfo.status |= CertSignerNotCa;
121  const gnutls_datum_t* certList = 0;
122  unsigned int certListSize;
123  if( !error && ( ( certList = gnutls_certificate_get_peers( *m_session, &certListSize ) ) == 0 ) )
124  error = true;
125 
126  gnutls_x509_crt_t* cert = new gnutls_x509_crt_t[certListSize+1];
127  for( unsigned int i=0; !error && ( i<certListSize ); ++i )
128  {
129  if( gnutls_x509_crt_init( &cert[i] ) < 0
130  || gnutls_x509_crt_import( cert[i], &certList[i], GNUTLS_X509_FMT_DER ) < 0 )
131  error = true;
132  }
133 
134  if( ( gnutls_x509_crt_check_issuer( cert[certListSize-1], cert[certListSize-1] ) > 0 )
135  && certListSize > 0 )
136  certListSize--;
137 
138  bool chain = true;
139  for( unsigned int i=1; !error && ( i<certListSize ); ++i )
140  {
141  chain = error = !verifyAgainst( cert[i-1], cert[i] );
142  }
143  if( !chain )
144  m_certInfo.status |= CertInvalid;
145  m_certInfo.chain = chain;
146 
147  m_certInfo.chain = verifyAgainstCAs( cert[certListSize], 0 /*CAList*/, 0 /*CAListSize*/ );
148 
149  int t = (int)gnutls_x509_crt_get_activation_time( cert[0] );
150  if( t == -1 )
151  error = true;
152  else if( t > time( 0 ) )
153  m_certInfo.status |= CertNotActive;
154  m_certInfo.date_from = t;
155 
156  t = (int)gnutls_x509_crt_get_expiration_time( cert[0] );
157  if( t == -1 )
158  error = true;
159  else if( t < time( 0 ) )
160  m_certInfo.status |= CertExpired;
161  m_certInfo.date_to = t;
162 
163  char name[64];
164  size_t nameSize = sizeof( name );
165  gnutls_x509_crt_get_issuer_dn( cert[0], name, &nameSize );
166  m_certInfo.issuer = name;
167 
168  nameSize = sizeof( name );
169  gnutls_x509_crt_get_dn( cert[0], name, &nameSize );
170  m_certInfo.server = name;
171 
172  const char* info;
173  info = gnutls_compression_get_name( gnutls_compression_get( *m_session ) );
174  if( info )
175  m_certInfo.compression = info;
176 
177  info = gnutls_mac_get_name( gnutls_mac_get( *m_session ) );
178  if( info )
179  m_certInfo.mac = info;
180 
181  info = gnutls_cipher_get_name( gnutls_cipher_get( *m_session ) );
182  if( info )
183  m_certInfo.cipher = info;
184 
185  info = gnutls_protocol_get_name( gnutls_protocol_get_version( *m_session ) );
186  if( info )
187  m_certInfo.protocol = info;
188 
189  if( !gnutls_x509_crt_check_hostname( cert[0], m_server.c_str() ) )
190  m_certInfo.status |= CertWrongPeer;
191 
192  for( unsigned int i = 0; i < certListSize; ++i )
193  gnutls_x509_crt_deinit( cert[i] );
194 
195  delete[] cert;
196 
197  m_valid = true;
198  }
199 
200  static bool verifyCert( gnutls_x509_crt_t cert, unsigned result )
201  {
202  return ! ( ( result & GNUTLS_CERT_INVALID )
203  || gnutls_x509_crt_get_expiration_time( cert ) < time( 0 )
204  || gnutls_x509_crt_get_activation_time( cert ) > time( 0 ) );
205  }
206 
207  bool GnuTLSClient::verifyAgainst( gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer )
208  {
209  unsigned int result;
210  gnutls_x509_crt_verify( cert, &issuer, 1, 0, &result );
211  return verifyCert( cert, result );
212  }
213 
214  bool GnuTLSClient::verifyAgainstCAs( gnutls_x509_crt_t cert, gnutls_x509_crt_t* CAList, int CAListSize )
215  {
216  unsigned int result;
217  gnutls_x509_crt_verify( cert, CAList, CAListSize, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &result );
218  return verifyCert( cert, result );
219  }
220 
221 }
222 
223 #endif // HAVE_GNUTLS
Generated on Thu Jun 27 2013 13:02:36 for gloox by   doxygen 1.8.1.2