4 Copyright (C) 2003-2004 Guus Sliepen <guus@tinc-vpn.org>,
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include <gnutls/gnutls.h>
26 #include <gnutls/x509.h>
28 #include "logger/logger.h"
29 #include "support/avl.h"
30 #include "support/sockaddr.h"
31 #include "support/xalloc.h"
34 static bool tnl_send(tnl_t *tnl, const void *buf, int len) {
38 result = gnutls_record_send(tnl->session, buf, len);
40 if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)
44 logger(LOG_ERR, _("tnl: error while sending: %s"), gnutls_strerror(result));
46 logger(LOG_INFO, _("tnl: connection closed by peer"));
49 tnl->error(tnl, result);
61 static bool tnl_recv(tnl_t *tnl) {
62 tnl_record_t *record = (tnl_record_t *)tnl->buf;
65 int result = gnutls_record_recv(tnl->session, tnl->buf + tnl->bufread, sizeof tnl->buf - tnl->bufread);
67 if(result == GNUTLS_E_INTERRUPTED || result == GNUTLS_E_AGAIN)
71 logger(LOG_ERR, _("tnl: error while receiving: %s"), gnutls_strerror(result));
73 logger(LOG_INFO, _("tnl: connection closed by peer"));
76 tnl->error(tnl, result);
81 tnl->bufread += result;
84 while(tnl->bufread >= sizeof *record && tnl->bufread - sizeof *record >= record->len) {
85 switch(record->type) {
88 tnl->recv_meta(tnl, record->data, record->len);
91 case TNL_RECORD_PACKET:
93 tnl->recv_packet(tnl, record->data, record->len);
97 logger(LOG_ERR, _("tnl: error while receiving: %s"), _("unknown record type"));
99 tnl->error(tnl, EINVAL);
104 tnl->bufread -= sizeof *record + record->len;
105 memmove(tnl->buf, record->data + record->len, tnl->bufread);
111 static bool tnl_recv_handler(fd_t *fd) {
115 tnl_t *tnl = fd->data;
118 result = gnutls_record_recv(tnl->session, tnl->buf + tnl->bufread, sizeof(tnl->buf) - tnl->bufread);
121 logger(LOG_DEBUG, _("tnl: connection closed by peer %s (%s)"), tnl->remote.id, tnl->remote.hostname);
128 if(gnutls_error_is_fatal(result)) {
129 logger(LOG_DEBUG, _("tnl: reception failed: %s"), gnutls_strerror(result));
131 tnl->error(tnl, result);
139 tnl->bufread += result;
140 return tnl_recv(tnl);
143 bool tnl_ep_set_x509_credentials(tnl_ep_t *tnl_ep, const char *privkey, const char *certificate, const char *trust, const char *crl) {
146 if(tnl_ep->cred.certificate) {
147 gnutls_certificate_free_credentials(tnl_ep->cred.certificate);
148 tnl_ep->cred.certificate = NULL;
151 if((err = gnutls_certificate_allocate_credentials(&tnl_ep->cred.certificate)) < 0) {
152 logger(LOG_ERR, _("Failed to allocate certificate credentials: %s"), gnutls_strerror(err));
156 if((err = gnutls_certificate_set_x509_key_file(tnl_ep->cred.certificate, certificate, privkey, GNUTLS_X509_FMT_PEM)) < 0) {
157 logger(LOG_ERR, _("Failed to load X.509 key and/or certificate: %s"), gnutls_strerror(err));
161 tnl_ep->cred.type = GNUTLS_CRD_CERTIFICATE;
163 if(trust && (err = gnutls_certificate_set_x509_trust_file(tnl_ep->cred.certificate, trust, GNUTLS_X509_FMT_PEM)) < 0) {
164 logger(LOG_ERR, _("Failed to set X.509 trust file: %s"), gnutls_strerror(err));
168 if(crl && (err = gnutls_certificate_set_x509_crl_file(tnl_ep->cred.certificate, crl, GNUTLS_X509_FMT_PEM)) < 0) {
169 logger(LOG_ERR, _("Failed to set X.509 CRL file: %s"), gnutls_strerror(err));
173 //gnutls_certificate_set_verify_flags(tnl_ep->cred.certificate, GNUTLS_VERIFY_DISABLE_CA_SIGN);
178 bool tnl_ep_set_openpgp_credentials(tnl_ep_t *tnl_ep, const char *privkey, const char *pubkey, const char *keyring, const char *trustdb) {
181 if(tnl_ep->cred.certificate) {
182 gnutls_certificate_free_credentials(tnl_ep->cred.certificate);
183 tnl_ep->cred.certificate = NULL;
186 if((err = gnutls_certificate_allocate_credentials(&tnl_ep->cred.certificate)) < 0) {
187 logger(LOG_ERR, _("Failed to allocate certificate credentials: %s"), gnutls_strerror(err));
191 if((err = gnutls_certificate_set_openpgp_key_file(tnl_ep->cred.certificate, pubkey, privkey)) < 0) {
192 logger(LOG_ERR, _("Failed to load public and/or private OpenPGP key: %s"), gnutls_strerror(err));
196 tnl_ep->cred.type = GNUTLS_CRD_CERTIFICATE;
198 if(keyring && (err = gnutls_certificate_set_openpgp_keyring_file(tnl_ep->cred.certificate, keyring)) < 0) {
199 logger(LOG_ERR, _("Failed to set OpenPGP keyring file: %s"), gnutls_strerror(err));
203 if(trustdb && (err = gnutls_certificate_set_openpgp_trustdb(tnl_ep->cred.certificate, trustdb)) < 0) {
204 logger(LOG_ERR, _("Failed to set OpenPGP trustdb file: %s"), gnutls_strerror(err));
208 //gnutls_certificate_set_verify_flags(tnl_ep->cred.certificate, GNUTLS_VERIFY_DISABLE_CA_SIGN);
213 static bool tnl_authenticate_x509(tnl_t *tnl) {
214 gnutls_x509_crt cert;
215 const gnutls_datum *certs;
216 int ncerts = 0, result;
220 certs = gnutls_certificate_get_peers(tnl->session, &ncerts);
222 if (!certs || !ncerts) {
223 logger(LOG_ERR, _("tnl: no certificates from %s"), tnl->remote.hostname);
227 gnutls_x509_crt_init(&cert);
228 result = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);
231 logger(LOG_ERR, _("tnl: error importing certificate from %s: %s"), tnl->remote.hostname, gnutls_strerror(result));
232 gnutls_x509_crt_deinit(cert);
237 result = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &len);
238 gnutls_x509_crt_deinit(cert);
241 logger(LOG_ERR, _("tnl: could not extract common name from certificate from %s: %s"), tnl->remote.hostname, gnutls_strerror(result));
245 if(len > sizeof name) {
246 logger(LOG_ERR, _("tnl: common name from certificate from %s too long"), tnl->remote.hostname);
250 if(tnl->remote.id && strcmp(tnl->remote.id, name)) {
251 logger(LOG_ERR, _("tnl: peer %s is %s instead of %s"), tnl->remote.hostname, name, tnl->remote.id);
255 replace(tnl->remote.id, xstrdup(name));
257 result = gnutls_certificate_verify_peers(tnl->session);
260 logger(LOG_ERR, "tnl: error verifying certificate from %s (%s): %s", tnl->remote.id, tnl->remote.hostname, gnutls_strerror(result));
265 logger(LOG_ERR, "tnl: certificate from %s (%s) not good, verification result %x", tnl->remote.id, tnl->remote.hostname, result);
272 static bool tnl_authenticate(tnl_t *tnl) {
273 switch(tnl->local.cred.type) {
274 case GNUTLS_CRD_CERTIFICATE:
275 switch(gnutls_certificate_type_get(tnl->session)) {
276 case GNUTLS_CRT_X509:
277 return tnl_authenticate_x509(tnl);
278 case GNUTLS_CRT_OPENPGP:
279 //return tnl_authenticate_openpgp(tnl);
281 logger(LOG_ERR, "tnl: unknown certificate type for session with %s (%s)", tnl->remote.id, tnl->remote.hostname);
285 case GNUTLS_CRD_ANON:
286 logger(LOG_ERR, "tnl: anonymous authentication not yet supported");
290 logger(LOG_ERR, "tnl: SRP authentication not yet supported");
294 logger(LOG_ERR, "tnl: unknown authentication type for session with %s (%s)", tnl->remote.id, tnl->remote.hostname);
299 static bool tnl_handshake_handler(fd_t *fd) {
301 tnl_t *tnl = fd->data;
304 result = gnutls_handshake(tnl->session);
306 if(gnutls_error_is_fatal(result)) {
307 logger(LOG_ERR, "tnl: handshake error: %s", gnutls_strerror(result));
312 /* check other stuff? */
316 logger(LOG_DEBUG, _("tnl: handshake finished"));
318 if(!tnl_authenticate(tnl))
321 tnl->status = TNL_STATUS_UP;
322 tnl->fd.read = tnl_recv_handler;
329 static bool tnl_send_meta(tnl_t *tnl, const void *buf, int len) {
330 tnl_record_t record = {
331 .type = TNL_RECORD_META,
335 return tnl_send(tnl, &record, sizeof record) && tnl_send(tnl, buf, len);
338 static bool tnl_send_packet(tnl_t *tnl, const void *buf, int len) {
339 tnl_record_t record = {
340 .type = TNL_RECORD_PACKET,
344 return tnl_send(tnl, &record, sizeof record) && tnl_send(tnl, buf, len);
347 static bool tnl_close(tnl_t *tnl) {
349 gnutls_bye(tnl->session, GNUTLS_SHUT_RDWR);
350 gnutls_deinit(tnl->session);
359 static bool tnl_accept_handler(fd_t *fd) {
360 tnl_listen_t *listener = fd->data;
362 struct sockaddr_storage ss;
363 socklen_t len = sizeof ss;
366 sock = accept(fd->fd, sa(&ss), &len);
369 logger(LOG_ERR, _("tnl: could not accept incoming connection: %s"), strerror(errno));
375 logger(LOG_DEBUG, _("tnl: accepted incoming connection"));
378 tnl->local = listener->local;
379 tnl->remote.address = ss;
380 len = sizeof tnl->local.address;
381 getsockname(sock, sa(&tnl->local.address), &len);
382 sa_unmap(&tnl->local.address);
383 tnl->type = listener->type;
384 tnl->protocol = listener->protocol;
385 tnl->send_packet = tnl_send_packet;
386 tnl->send_meta = tnl_send_meta;
387 tnl->close = tnl_close;
390 tnl->fd.read = tnl_handshake_handler;
393 fcntl(sock, F_SETFL, fcntl(sock, F_GETFL) | O_NONBLOCK);
395 tnl->status = TNL_STATUS_HANDSHAKE;
396 gnutls_init(&tnl->session, GNUTLS_SERVER);
397 //gnutls_handshake_set_private_extensions(tnl->session, 1);
398 gnutls_set_default_priority(tnl->session);
399 gnutls_credentials_set(tnl->session, tnl->local.cred.type, tnl->local.cred.certificate);
400 gnutls_certificate_server_set_request(tnl->session, GNUTLS_CERT_REQUEST);
401 gnutls_transport_set_ptr(tnl->session, (gnutls_transport_ptr)sock);
403 tnl->accept = listener->accept;
407 tnl_handshake_handler(&tnl->fd);
412 static bool tnl_connect_handler(fd_t *fd) {
413 tnl_t *tnl = fd->data;
418 getsockopt(fd->fd, SOL_SOCKET, SO_ERROR, &result, &len);
420 logger(LOG_ERR, "tnl: error while connecting: %s", strerror(result));
422 tnl->error(tnl, result);
427 logger(LOG_DEBUG, _("tnl: connected"));
429 fcntl(tnl->fd.fd, F_SETFL, fcntl(tnl->fd.fd, F_GETFL) | O_NONBLOCK);
431 tnl->status = TNL_STATUS_HANDSHAKE;
432 gnutls_init(&tnl->session, GNUTLS_CLIENT);
433 //gnutls_handshake_set_private_extensions(tnl->session, 1);
434 gnutls_set_default_priority(tnl->session);
435 gnutls_credentials_set(tnl->session, tnl->local.cred.type, tnl->local.cred.certificate);
436 gnutls_certificate_server_set_request(tnl->session, GNUTLS_CERT_REQUEST);
437 gnutls_transport_set_ptr(tnl->session, (gnutls_transport_ptr)fd->fd);
439 tnl->fd.write = NULL;
440 tnl->fd.read = tnl_handshake_handler;
443 tnl_handshake_handler(&tnl->fd);
448 bool tnl_connect(tnl_t *tnl) {
451 sock = socket(sa_family(&tnl->remote.address), tnl->type, tnl->protocol);
454 logger(LOG_ERR, _("tnl: could not create socket: %s"), strerror(errno));
459 if(sa_nonzero(&tnl->local.address) && bind(sock, sa(&tnl->local.address), sa_len(&tnl->local.address)) == -1) {
460 logger(LOG_ERR, _("tnl: could not bind socket: %s"), strerror(errno));
466 if(connect(sock, sa(&tnl->remote.address), sa_len(&tnl->remote.address)) == -1) {
467 logger(LOG_ERR, _("tnl: could not connect: %s"), strerror(errno));
472 tnl->status = TNL_STATUS_CONNECTING;
475 tnl->fd.write = tnl_connect_handler;
478 tnl->send_packet = tnl_send_packet;
479 tnl->send_meta = tnl_send_meta;
480 tnl->close = tnl_close;
487 static bool tnl_listen_close(tnl_listen_t *listener) {
488 fd_del(&listener->fd);
489 close(listener->fd.fd);
493 bool tnl_listen(tnl_listen_t *listener) {
496 sock = socket(sa_family(&listener->local.address), listener->type, listener->protocol);
499 logger(LOG_ERR, _("tnl: could not create listener socket: %s"), strerror(errno));
503 if(bind(sock, sa(&listener->local.address), sa_len(&listener->local.address)) == -1) {
504 logger(LOG_ERR, _("tnl: could not bind listener socket: %s"), strerror(errno));
508 if(listen(sock, 10) == -1) {
509 logger(LOG_ERR, _("tnl: could not listen on listener socket: %s"), strerror(errno));
513 listener->fd.fd = sock;
514 listener->fd.read = tnl_accept_handler;
515 listener->fd.data = listener;
516 listener->close = tnl_listen_close;
518 fd_add(&listener->fd);