29 #define DISABLE_DEBUGLOG
34 #include "syncio_tls_p.h"
37 #include <gwenhywfar/misc.h>
38 #include <gwenhywfar/debug.h>
39 #include <gwenhywfar/gui.h>
40 #include <gwenhywfar/gui.h>
41 #include <gwenhywfar/pathmanager.h>
42 #include <gwenhywfar/directory.h>
43 #include <gwenhywfar/gwenhywfar.h>
44 #include <gwenhywfar/text.h>
50 #include <gnutls/gnutls.h>
51 #include <gnutls/x509.h>
/* Excerpted listing: only selected lines of each function are shown, and the
 * leading number on each line is its line number in the original file.
 * Signatures and the lines in between are not visible here. */
81 xio=(GWEN_SYNCIO_TLS*) p;
/* Getters hand back the stored pointer itself, not a copy. */
94 return xio->localCertFile;
100 GWEN_SYNCIO_TLS *xio;
/* Setter pattern used for the file-name fields: release the previous string,
 * then keep a private copy of s, or NULL when s is NULL. The strdup() result
 * is not checked in the visible lines, so an allocation failure leaves the
 * field NULL. */
106 free(xio->localCertFile);
107 if (s) xio->localCertFile=strdup(s);
108 else xio->localCertFile=
NULL;
114 GWEN_SYNCIO_TLS *xio;
120 return xio->localKeyFile;
126 GWEN_SYNCIO_TLS *xio;
132 free(xio->localKeyFile);
133 if (s) xio->localKeyFile=strdup(s);
134 else xio->localKeyFile=
NULL;
140 GWEN_SYNCIO_TLS *xio;
146 return xio->localTrustFile;
152 GWEN_SYNCIO_TLS *xio;
158 free(xio->localTrustFile);
159 if (s) xio->localTrustFile=strdup(s);
160 else xio->localTrustFile=
NULL;
166 GWEN_SYNCIO_TLS *xio;
172 return xio->dhParamFile;
178 GWEN_SYNCIO_TLS *xio;
184 free(xio->dhParamFile);
185 if (s) xio->dhParamFile=strdup(s);
186 else xio->dhParamFile=
NULL;
192 GWEN_SYNCIO_TLS *xio;
198 return xio->hostName;
204 GWEN_SYNCIO_TLS *xio;
/* NOTE(review): unlike the other setters, no free(xio->hostName) is visible
 * before this assignment; original lines 205-210 are not shown, so confirm the
 * old value is released there. hostName is the value the peer certificate is
 * matched against (original line 663), and a NULL here leads to the
 * "Hostname is not set" path (original line 676). */
211 if (s) xio->hostName=strdup(s);
212 else xio->hostName=
NULL;
218 GWEN_SYNCIO_TLS *xio;
224 return xio->peerCertDescr;
/* Session setup (excerpt): creates the GnuTLS session, loads credentials and
 * trust anchors, and attaches the transport. Lines between the numbered ones
 * are not shown. */
260 GWEN_SYNCIO_TLS *xio;
/* Server or client session; the condition choosing between the two calls is
 * not visible in this excerpt. */
274 rv=gnutls_init(&xio->session, GNUTLS_SERVER);
278 rv=gnutls_init(&xio->session, GNUTLS_CLIENT);
286 rv=gnutls_set_default_priority(xio->session);
289 gnutls_deinit(xio->session);
/* NOTE(review): this priority list restricts the session to SSL 3.0 only.
 * SSL 3.0 is prohibited by RFC 7568 and is exposed to padding-oracle attacks.
 * The condition enabling this branch is not shown (presumably an opt-in
 * "force SSLv3" setting, see the hint at original line 969); confirm it can
 * never be the default. */
295 const int proto_prio[2] = { GNUTLS_SSL3, 0 };
298 rv=gnutls_protocol_set_priority(xio->session, proto_prio);
301 gnutls_deinit(xio->session);
/* Allow handshake messages of up to 64 KiB. */
307 gnutls_handshake_set_max_packet_length(xio->session, 64*1024);
/* Passive (server) side: demand a client certificate. The second half of the
 * condition is not shown. */
310 if ((lflags & GWEN_SYNCIO_FLAGS_PASSIVE) &&
312 gnutls_certificate_server_set_request(xio->session, GNUTLS_CERT_REQUIRE);
315 rv=gnutls_certificate_allocate_credentials(&xio->credentials);
318 gnutls_deinit(xio->session);
/* The local certificate and key are loaded only when both paths are set; PEM
 * encoding is expected. */
323 if (xio->localCertFile && xio->localKeyFile) {
324 rv=gnutls_certificate_set_x509_key_file(xio->credentials,
327 GNUTLS_X509_FMT_PEM);
/* From here on, every failure path releases the credentials and then the
 * session. */
331 gnutls_certificate_free_credentials(xio->credentials);
332 gnutls_deinit(xio->session);
/* Fallback chain for a default CA bundle, tried while trustFileSet is still 0.
 * The lookup code between these lines is not shown. */
345 if (trustFileSet==0) {
354 "ca-certificates.crt",
359 "Using default ca-bundle from [%s]",
368 if (trustFileSet==0) {
383 "Using default ca-bundle from [%s]",
392 if (trustFileSet==0) {
/* Explicitly configured trust file (PEM). On success the return value is the
 * number of certificates processed, which is what the "Added %d" message
 * prints. */
/* NOTE(review): what happens when neither a default bundle nor localTrustFile
 * yields any trust anchor is not visible here; verify the session cannot
 * proceed with an empty trust list unnoticed. */
398 if (xio->localTrustFile) {
399 rv=gnutls_certificate_set_x509_trust_file(xio->credentials,
401 GNUTLS_X509_FMT_PEM);
404 "gnutls_certificate_set_x509_trust_file(%s): %d (%s)",
405 (xio->localTrustFile)?(xio->localTrustFile):
"-none-",
406 rv, gnutls_strerror(rv));
407 gnutls_certificate_free_credentials(xio->credentials);
408 gnutls_deinit(xio->session);
413 "Added %d trusted certs", rv);
/* Optional Diffie-Hellman parameters, imported from a PEM (PKCS#3) file. */
418 if (xio->dhParamFile) {
426 gnutls_certificate_free_credentials(xio->credentials);
427 gnutls_deinit(xio->session);
432 gnutls_dh_params dh_params=
NULL;
434 rv=gnutls_dh_params_init(&dh_params);
438 gnutls_certificate_free_credentials(xio->credentials);
439 gnutls_deinit(xio->session);
446 rv=gnutls_dh_params_import_pkcs3(dh_params, &d, GNUTLS_X509_FMT_PEM);
450 gnutls_certificate_free_credentials(xio->credentials);
451 gnutls_deinit(xio->session);
/* GnuTLS stores only a pointer to dh_params in the credentials, so the
 * parameters must outlive them. NOTE(review): no gnutls_dh_params_deinit() is
 * visible on the error paths above or in the teardown at original lines
 * 492-493; confirm dh_params is released somewhere. */
456 gnutls_certificate_set_dh_params(xio->credentials, dh_params);
461 rv=gnutls_credentials_set(xio->session, GNUTLS_CRD_CERTIFICATE, xio->credentials);
464 gnutls_certificate_free_credentials(xio->credentials);
465 gnutls_deinit(xio->session);
/* The sio object is the opaque transport handle passed to the I/O callbacks. */
470 gnutls_transport_set_ptr(xio->session, (gnutls_transport_ptr_t)sio);
/* The low-water-mark call is compiled only for GnuTLS older than 3.0.3. */
473 #if GNUTLS_VERSION_NUMBER < 0x030003
474 gnutls_transport_set_lowat(xio->session, 0);
/* Teardown (excerpt): release the certificate credentials first, then the
 * session that referenced them. */
485 GWEN_SYNCIO_TLS *xio;
492 gnutls_certificate_free_credentials(xio->credentials);
493 gnutls_deinit(xio->session);
/* Peer certificate evaluation (excerpt): verifies the chain, then collects
 * details of the peer certificate into a description object. Lines between
 * the numbered ones are not shown. */
501 GWEN_SYNCIO_TLS *xio;
502 const gnutls_datum_t *cert_list;
503 unsigned int cert_list_size;
/* Reset the results of any earlier evaluation before starting over. */
521 if (xio->peerCertDescr) {
523 xio->peerCertDescr=
NULL;
525 xio->peerCertFlags=0;
/* Accept X.509 version 1 certificates in the trusted CA list. v1 certificates
 * carry no basicConstraints extension, so every v1 entry in the trust file is
 * usable as a CA; keep that file limited to intended roots. */
538 gnutls_certificate_set_verify_flags(xio->credentials,
539 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
/* Chain verification against the loaded trust anchors; the failure bits are
 * returned in status. */
541 rv=gnutls_certificate_verify_peers2(xio->session, &status);
548 if (gnutls_certificate_type_get(xio->session)!=GNUTLS_CRT_X509) {
/* The visible lines test three status bits and report each one via an I18N
 * message. Presumably the elided lines also record them in errFlags (stored at
 * original line 844); confirm that a set bit cannot be dropped silently. */
555 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
558 I18N(
"Signer not found"));
562 if (status & GNUTLS_CERT_INVALID) {
565 I18N(
"Certificate is not trusted"));
569 if (status & GNUTLS_CERT_REVOKED) {
572 I18N(
"Certificate has been revoked"));
576 cert_list=gnutls_certificate_get_peers(xio->session, &cert_list_size);
577 if (cert_list==
NULL || cert_list_size==0) {
/* NOTE(review): the loop runs once per entry in cert_list, but the import
 * below always reads cert_list[0], so every pass inspects the peer's own
 * certificate again. Confirm whether cert_list[i] was intended. */
582 for (i=0; i<cert_list_size; i++) {
583 gnutls_x509_crt_t cert;
586 rv=gnutls_x509_crt_init(&cert);
592 rv=gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
595 gnutls_x509_crt_deinit(cert);
/* RSA modulus (n) and public exponent (e). GnuTLS allocates both datums on
 * success; their release is not visible in this excerpt.
 * TODO confirm gnutls_free() is applied to n.data and e.data. */
600 gnutls_datum_t n={
NULL, 0};
601 gnutls_datum_t e={
NULL, 0};
604 rv=gnutls_x509_crt_get_pk_rsa_raw(cert, &n, &e);
616 if (n.data && n.size) {
623 if (e.data && e.size) {
/* NOTE(review): the fingerprint is an MD5 digest. MD5 is not collision
 * resistant, so if this value is shown to users or stored to recognise the
 * certificate later, a SHA-256 fingerprint is the safer choice. */
639 rv=gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, buffer1, &size);
643 gnutls_x509_crt_deinit(cert);
651 size, dbuf, 2,
':', 0)) {
653 "Could not convert fingerprint to hex");
/* Hostname check done by GnuTLS; a zero result means the certificate does not
 * match xio->hostName. */
663 if (!gnutls_x509_crt_check_hostname(cert, xio->hostName)) {
665 "Certificate was not issued for this host");
667 I18N(
"Certificate was not issued for this host"));
/* Without a configured hostname the certificate cannot be bound to the
 * intended peer; the excerpt only shows this being reported.
 * Verify that callers treat this case as a failure. */
676 "Hostname is not set, unable to verify the sender");
678 I18N(
"No hostname to verify the sender!"));
/* Validity window of the certificate; the comparison against the current time
 * is in lines not shown. */
684 t=gnutls_x509_crt_get_activation_time(cert);
705 t=gnutls_x509_crt_get_expiration_time(cert);
/* Subject DN fields are copied into buffer1 one at a time; size is reset to
 * sizeof(buffer1)-1 before each call. */
727 size=
sizeof(buffer1)-1;
728 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, buffer1, &size);
/* NOTE(review): this compares the common name literally with hostName, which
 * ignores subjectAltName entries and wildcards; the
 * gnutls_x509_crt_check_hostname() call above is the authoritative check.
 * Neither the rv check guarding buffer1 nor the effect of a mismatch is shown
 * here. */
731 if (xio->hostName && strcasecmp(xio->hostName, buffer1)!=0) {
737 size=
sizeof(buffer1)-1;
738 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, buffer1, &size);
742 size=
sizeof(buffer1)-1;
743 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, buffer1, &size);
747 size=
sizeof(buffer1)-1;
748 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, buffer1, &size);
752 size=
sizeof(buffer1)-1;
753 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, buffer1, &size);
757 size=
sizeof(buffer1)-1;
758 rv=gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, buffer1, &size);
763 gnutls_x509_crt_deinit(cert);
/* Publish the collected description and error flags on the TLS object. */
843 xio->peerCertDescr=certDescr;
844 xio->peerCertFlags=errFlags;
/* Transport callback (excerpt). Where the GnuTLS build provides
 * gnutls_transport_set_errno(), the I/O result is reported to the session
 * explicitly: errno on one path, 0 on the other. The I/O call itself and the
 * matching #endif lines are not shown. */
853 GWEN_SYNCIO_TLS *xio;
869 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
870 gnutls_transport_set_errno(xio->session, errno);
875 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
876 gnutls_transport_set_errno(xio->session, 0);
/* Second transport callback (excerpt), with the same errno reporting: errno is
 * handed to the session on one path and cleared to 0 on the other. Both calls
 * are compiled only when HAVE_GNUTLS_TRANSPORT_SET_ERRNO is defined. */
889 GWEN_SYNCIO_TLS *xio;
905 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
906 gnutls_transport_set_errno(xio->session, errno);
911 #ifdef HAVE_GNUTLS_TRANSPORT_SET_ERRNO
912 gnutls_transport_set_errno(xio->session, 0);
/* TLS handshake (excerpt). */
922 GWEN_SYNCIO_TLS *xio;
957 rv=gnutls_handshake(xio->session);
/* NOTE(review): rv cannot equal GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED at the
 * same time, so this condition is always false and the enclosing loop never
 * repeats (its opening is not shown; presumably a do-while). Retrying on
 * either code would need `||`. As written, a non-fatal AGAIN/INTERRUPTED
 * result appears to reach the error reporting below. */
958 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
/* The error is logged together with GnuTLS's fatal/non-fatal classification. */
962 rv, gnutls_strerror(rv), gnutls_error_is_fatal(rv)?
"fatal":
"non-fatal");
/* NOTE(review): on an unexpected-packet-length error the user is advised to
 * enable "force SSLv3". SSL 3.0 is prohibited by RFC 7568, so this hint steers
 * users towards a protocol downgrade; treat it as a legacy workaround only. */
963 if (rv==GNUTLS_E_UNEXPECTED_PACKET_LENGTH) {
966 I18N(
"A TLS handshake error occurred. "
967 "If you are using AqBanking you should "
968 "consider enabling the option "
969 "\"force SSLv3\" in the user settings "
975 I18N(
"TLS Handshake Error: %d (%s)"),
977 gnutls_strerror(rv));
/* TLS shutdown (excerpt): sends close_notify and, with GNUTLS_SHUT_RDWR, waits
 * for the peer's reply. */
1025 GWEN_SYNCIO_TLS *xio;
1044 rv=gnutls_bye(xio->session, GNUTLS_SHUT_RDWR);
/* NOTE(review): this condition is always false because rv cannot hold both
 * codes at once, so gnutls_bye() is never retried; `||` would be needed for
 * that. The loop opening is not shown (presumably a do-while). */
1045 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
1051 I18N(
"Error on gnutls_bye: %d (%s)"),
1053 gnutls_strerror(rv));
/* Record read (excerpt): receives up to size bytes of decrypted application
 * data into buffer. */
1071 GWEN_SYNCIO_TLS *xio;
1090 rv=gnutls_record_recv(xio->session, buffer, size);
/* NOTE(review): this condition is always false because rv cannot hold both
 * codes at once, so the read is never retried; `||` would be needed for that.
 * A GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED result therefore appears to be
 * reported as an error below. The loop opening is not shown (presumably a
 * do-while). */
1091 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
1098 I18N(
"Error on gnutls_record_recv: %d (%s)"),
1100 gnutls_strerror(rv));
/* Debug-only code follows under GWEN_TLS_DEBUG; its body is not shown.
 * NOTE(review): if it dumps received plaintext, keep it out of production
 * builds. */
1108 #ifdef GWEN_TLS_DEBUG
/* Record write (excerpt): sends size bytes from buffer as TLS application
 * data. */
1119 const uint8_t *buffer,
1121 GWEN_SYNCIO_TLS *xio;
/* Debug-only code under GWEN_TLS_DEBUG; its body is not shown.
 * NOTE(review): if it dumps outgoing plaintext, keep it out of production
 * builds. */
1129 #ifdef GWEN_TLS_DEBUG
1145 rv=gnutls_record_send(xio->session, buffer, size);
/* NOTE(review): this condition is always false because rv cannot hold both
 * codes at once, so an interrupted send is never retried; `||` would be needed
 * for that. The loop opening is not shown (presumably a do-while). */
1146 }
while (rv==GNUTLS_E_AGAIN && rv==GNUTLS_E_INTERRUPTED);
1152 I18N(
"Error on gnutls_record_send: %d (%s)"),
1154 gnutls_strerror(rv));