mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 08:46:58 +08:00
162 lines
5.6 KiB
C
162 lines
5.6 KiB
C
/*
|
|
* Copyright (C) 2013 Nikos Mavrogiannopoulos
|
|
*
|
|
* Author: Nikos Mavrogiannopoulos
|
|
*
|
|
* This file is part of ocserv.
|
|
*
|
|
* The GnuTLS is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public License
|
|
* as published by the Free Software Foundation; either version 2.1 of
|
|
* the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
*/
|
|
#ifndef TLSLIB_H
|
|
#define TLSLIB_H
|
|
|
|
#include <gnutls/gnutls.h>
|
|
#include <gnutls/pkcs11.h>
|
|
#include <vpn.h>
|
|
#include <ccan/htable/htable.h>
|
|
#include <errno.h>
|
|
|
|
typedef struct
|
|
{
|
|
struct htable *ht;
|
|
unsigned int entries;
|
|
} tls_sess_db_st;
|
|
|
|
#if 0
|
|
#define tls_puts(s, str) tls_send(s, str, sizeof(str)-1)
|
|
|
|
int __attribute__ ((format(printf, 2, 3)))
|
|
tls_printf(gnutls_session_t session, const char *fmt, ...);
|
|
|
|
#define tls_recv_nb gnutls_record_recv
|
|
ssize_t tls_recv(gnutls_session_t session, void *data, size_t data_size);
|
|
ssize_t tls_send(gnutls_session_t session, const void *data,
|
|
size_t data_size);
|
|
ssize_t tls_send_nb(gnutls_session_t session, const void *data,
|
|
size_t data_size);
|
|
|
|
void tls_cork(gnutls_session_t session);
|
|
int tls_uncork(gnutls_session_t session);
|
|
|
|
ssize_t tls_send_file(gnutls_session_t session, const char *file);
|
|
#endif
|
|
|
|
typedef struct tls_st {
|
|
gnutls_certificate_credentials_t xcred;
|
|
gnutls_priority_t cprio;
|
|
gnutls_dh_params_t dh_params;
|
|
} tls_st;
|
|
|
|
void tls_reload_crl(struct main_server_st* s, struct tls_st *creds);
|
|
void tls_global_init(struct tls_st *creds);
|
|
void tls_global_deinit(struct tls_st *creds);
|
|
void tls_load_certs(struct main_server_st* s, struct tls_st *creds);
|
|
|
|
size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac_algorithm_t);
|
|
|
|
#define GNUTLS_FATAL_ERR_CMD(x, CMD) \
|
|
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
|
|
if (syslog_open) \
|
|
syslog(LOG_ERR, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
|
|
else \
|
|
fprintf(stderr, "GnuTLS error (at %s:%d): %s\n", __FILE__, __LINE__, gnutls_strerror(x)); \
|
|
CMD; \
|
|
}
|
|
|
|
#define GNUTLS_FATAL_ERR(x) GNUTLS_FATAL_ERR_CMD(x, exit(1))
|
|
|
|
#define FATAL_ERR_CMD(ws, x, CMD) \
|
|
if (ws->session != NULL) { \
|
|
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
|
|
if (syslog_open) \
|
|
syslog(LOG_ERR, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
|
|
else \
|
|
fprintf(stderr, "GnuTLS error (at %s:%d): %s\n", __FILE__, __LINE__, gnutls_strerror(x)); \
|
|
CMD; \
|
|
} \
|
|
} else { \
|
|
if (x < 0 && errno != EINTR && errno != EAGAIN) { \
|
|
if (syslog_open) \
|
|
syslog(LOG_ERR, "socket error (at %s:%d): %s", __FILE__, __LINE__, strerror(errno)); \
|
|
else \
|
|
fprintf(stderr, "socket error (at %s:%d): %s\n", __FILE__, __LINE__, strerror(errno)); \
|
|
CMD; \
|
|
} \
|
|
}
|
|
|
|
#define FATAL_ERR(ws, x) FATAL_ERR_CMD(ws, x, exit(1))
|
|
|
|
#define GNUTLS_S_FATAL_ERR(session, x) \
|
|
if (x < 0 && gnutls_error_is_fatal (x) != 0) { \
|
|
if (syslog_open) { \
|
|
if (ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { \
|
|
syslog(LOG_ERR, "GnuTLS error (at %s:%d): %s: %s", __FILE__, __LINE__, gnutls_strerror(x), gnutls_alert_get_name(gnutls_alert_get(session))); \
|
|
} else { \
|
|
syslog(LOG_ERR, "GnuTLS error (at %s:%d): %s", __FILE__, __LINE__, gnutls_strerror(x)); \
|
|
} \
|
|
} else \
|
|
fprintf(stderr, "GnuTLS error (at %s:%d): %s\n", __FILE__, __LINE__, gnutls_strerror(x)); \
|
|
exit(1); \
|
|
}
|
|
|
|
void tls_close(gnutls_session_t session);
|
|
|
|
unsigned tls_has_session_cert(struct worker_st * ws);
|
|
|
|
void tls_fatal_close(gnutls_session_t session,
|
|
gnutls_alert_description_t a);
|
|
|
|
typedef struct
|
|
{
|
|
/* does not allow resumption from different address
|
|
* than the original */
|
|
struct sockaddr_storage remote_addr;
|
|
socklen_t remote_addr_len;
|
|
|
|
char session_id[GNUTLS_MAX_SESSION_ID];
|
|
unsigned int session_id_size;
|
|
|
|
char session_data[MAX_SESSION_DATA_SIZE];
|
|
unsigned int session_data_size;
|
|
} tls_cache_st;
|
|
|
|
#define TLS_SESSION_EXPIRATION_TIME(config) ((config)->cookie_timeout)
|
|
#define DEFAULT_MAX_CACHED_TLS_SESSIONS 64
|
|
|
|
void tls_cache_init(void *pool, tls_sess_db_st* db);
|
|
void tls_cache_deinit(tls_sess_db_st* db);
|
|
void *calc_sha1_hash(void *pool, char* file, unsigned cert);
|
|
|
|
/* TLS API */
|
|
int __attribute__ ((format(printf, 2, 3)))
|
|
cstp_printf(struct worker_st *ws, const char *fmt, ...);
|
|
void cstp_close(struct worker_st *ws);
|
|
void cstp_fatal_close(struct worker_st *ws,
|
|
gnutls_alert_description_t a);
|
|
ssize_t cstp_recv(struct worker_st *ws, void *data, size_t data_size);
|
|
ssize_t cstp_recv_nb(struct worker_st *ws, void *data, size_t data_size);
|
|
ssize_t cstp_send_file(struct worker_st *ws, const char *file);
|
|
ssize_t cstp_send(struct worker_st *ws, const void *data,
|
|
size_t data_size);
|
|
#define cstp_puts(s, str) cstp_send(s, str, sizeof(str)-1)
|
|
|
|
void cstp_cork(struct worker_st *ws);
|
|
int cstp_uncork(struct worker_st *ws);
|
|
|
|
/* DTLS API */
|
|
void dtls_close(struct worker_st *ws);
|
|
ssize_t dtls_send(struct worker_st *ws, const void *data, size_t data_size);
|
|
|
|
#endif
|