Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP parsing errors.
[gnutls.git] / extra / gnutls_openssl.c
blobe8cbe675d366b29245f16eb33cab7cecacd9ca9b
1 /*
2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 * Copyright (c) 2002 Andrew McDonald <andrew@mcdonald.org.uk>
5 * This file is part of GnuTLS-EXTRA.
7 * GnuTLS-extra is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuTLS-extra is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include <config.h>
23 #include <gnutls/gnutls.h>
24 #include <openssl_compat.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include "../lib/gnutls_int.h"
29 #include "../lib/random.h"
30 #include "../lib/gnutls_hash_int.h"
32 /* In win32 X509_NAME is defined in wincrypt.h.
33 * undefine it to avoid the conflict with openssl.h.
35 #ifdef X509_NAME
36 # undef X509_NAME
37 #endif
38 #include <gnutls/openssl.h>
40 /* Gnulib re-defines shutdown on mingw. We only use it as a variable
41 name, so restore the original name. */
42 #undef shutdown
44 /* XXX: See lib/gnutls_int.h. */
45 #define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
46 #define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
48 /* WARNING: Error functions aren't currently thread-safe */
50 static int last_error = 0;
52 /* Library initialisation functions */
54 int
55 SSL_library_init (void)
57 gnutls_global_init ();
58 /* NB: we haven't got anywhere to call gnutls_global_deinit() */
59 return 1;
62 void
63 OpenSSL_add_all_algorithms (void)
68 /* SSL_CTX structure handling */
70 SSL_CTX *
71 SSL_CTX_new (SSL_METHOD * method)
73 SSL_CTX *ctx;
75 ctx = (SSL_CTX *) calloc (1, sizeof (SSL_CTX));
76 ctx->method = method;
78 return ctx;
81 void
82 SSL_CTX_free (SSL_CTX * ctx)
84 free (ctx->method);
85 free (ctx);
88 int
89 SSL_CTX_set_default_verify_paths (SSL_CTX * ctx)
91 return 0;
94 int
95 SSL_CTX_use_certificate_file (SSL_CTX * ctx, const char *certfile, int type)
97 ctx->certfile = (char *) calloc (1, strlen (certfile) + 1);
98 if (!ctx->certfile)
99 return -1;
100 memcpy (ctx->certfile, certfile, strlen (certfile));
102 ctx->certfile_type = type;
104 return 1;
108 SSL_CTX_use_PrivateKey_file (SSL_CTX * ctx, const char *keyfile, int type)
110 ctx->keyfile = (char *) calloc (1, strlen (keyfile) + 1);
111 if (!ctx->keyfile)
112 return -1;
113 memcpy (ctx->keyfile, keyfile, strlen (keyfile));
115 ctx->keyfile_type = type;
117 return 1;
121 void
122 SSL_CTX_set_verify (SSL_CTX * ctx, int verify_mode,
123 int (*verify_callback) (int, X509_STORE_CTX *))
125 ctx->verify_mode = verify_mode;
126 ctx->verify_callback = verify_callback;
129 unsigned long
130 SSL_CTX_set_options (SSL_CTX * ctx, unsigned long options)
132 return (ctx->options |= options);
135 long
136 SSL_CTX_set_mode (SSL_CTX * ctx, long mode)
138 return 0;
142 SSL_CTX_set_cipher_list (SSL_CTX * ctx, const char *list)
144 /* FIXME: ignore this for the moment */
145 /* We're going to have to parse the "list" string to do this */
146 /* It is a string, which in its simplest form is something like
147 "DES-CBC3-SHA:IDEA-CBC-MD5", but can be rather more complicated
148 (see OpenSSL's ciphers(1) manpage for details) */
150 return 1;
154 /* SSL_CTX statistics */
156 long
157 SSL_CTX_sess_number (SSL_CTX * ctx)
159 return 0;
162 long
163 SSL_CTX_sess_connect (SSL_CTX * ctx)
165 return 0;
168 long
169 SSL_CTX_sess_connect_good (SSL_CTX * ctx)
171 return 0;
174 long
175 SSL_CTX_sess_connect_renegotiate (SSL_CTX * ctx)
177 return 0;
180 long
181 SSL_CTX_sess_accept (SSL_CTX * ctx)
183 return 0;
186 long
187 SSL_CTX_sess_accept_good (SSL_CTX * ctx)
189 return 0;
192 long
193 SSL_CTX_sess_accept_renegotiate (SSL_CTX * ctx)
195 return 0;
198 long
199 SSL_CTX_sess_hits (SSL_CTX * ctx)
201 return 0;
204 long
205 SSL_CTX_sess_misses (SSL_CTX * ctx)
207 return 0;
210 long
211 SSL_CTX_sess_timeouts (SSL_CTX * ctx)
213 return 0;
218 /* SSL structure handling */
220 SSL *
221 SSL_new (SSL_CTX * ctx)
223 SSL *ssl;
224 int err;
226 ssl = (SSL *) calloc (1, sizeof (SSL));
227 if (!ssl)
228 return NULL;
230 err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred);
231 if (err < 0)
233 last_error = err;
234 free (ssl);
235 return NULL;
238 gnutls_init (&ssl->gnutls_state, ctx->method->connend);
240 gnutls_priority_set_direct (ssl->gnutls_state,
241 ctx->method->priority_string, NULL);
243 gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE,
244 ssl->gnutls_cred);
245 if (ctx->certfile)
246 gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred,
247 ctx->certfile,
248 ctx->certfile_type);
249 if (ctx->keyfile)
250 gnutls_certificate_set_x509_key_file (ssl->gnutls_cred,
251 ctx->certfile, ctx->keyfile,
252 ctx->keyfile_type);
253 ssl->ctx = ctx;
254 ssl->verify_mode = ctx->verify_mode;
255 ssl->verify_callback = ctx->verify_callback;
257 ssl->options = ctx->options;
259 ssl->rfd = (gnutls_transport_ptr_t) - 1;
260 ssl->wfd = (gnutls_transport_ptr_t) - 1;
262 return ssl;
265 void
266 SSL_free (SSL * ssl)
268 gnutls_certificate_free_credentials (ssl->gnutls_cred);
269 gnutls_deinit (ssl->gnutls_state);
270 free (ssl);
273 void
274 SSL_load_error_strings (void)
279 SSL_get_error (SSL * ssl, int ret)
281 if (ret > 0)
282 return SSL_ERROR_NONE;
284 return SSL_ERROR_ZERO_RETURN;
288 SSL_set_fd (SSL * ssl, int fd)
290 gnutls_transport_set_ptr (ssl->gnutls_state, GNUTLS_INT_TO_POINTER (fd));
291 return 1;
295 SSL_set_rfd (SSL * ssl, int fd)
297 ssl->rfd = GNUTLS_INT_TO_POINTER (fd);
299 if (ssl->wfd != (gnutls_transport_ptr_t) - 1)
300 gnutls_transport_set_ptr2 (ssl->gnutls_state, ssl->rfd, ssl->wfd);
302 return 1;
306 SSL_set_wfd (SSL * ssl, int fd)
308 ssl->wfd = GNUTLS_INT_TO_POINTER (fd);
310 if (ssl->rfd != (gnutls_transport_ptr_t) - 1)
311 gnutls_transport_set_ptr2 (ssl->gnutls_state, ssl->rfd, ssl->wfd);
313 return 1;
316 void
317 SSL_set_bio (SSL * ssl, BIO * rbio, BIO * wbio)
319 gnutls_transport_set_ptr2 (ssl->gnutls_state, rbio->fd, wbio->fd);
320 /* free(BIO); ? */
323 void
324 SSL_set_connect_state (SSL * ssl)
329 SSL_pending (SSL * ssl)
331 return gnutls_record_check_pending (ssl->gnutls_state);
334 void
335 SSL_set_verify (SSL * ssl, int verify_mode,
336 int (*verify_callback) (int, X509_STORE_CTX *))
338 ssl->verify_mode = verify_mode;
339 ssl->verify_callback = verify_callback;
342 const X509 *
343 SSL_get_peer_certificate (SSL * ssl)
345 const gnutls_datum_t *cert_list;
346 unsigned int cert_list_size = 0;
348 cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
349 &cert_list_size);
351 return cert_list;
354 /* SSL connection open/close/read/write functions */
357 SSL_connect (SSL * ssl)
359 X509_STORE_CTX *store;
360 unsigned int cert_list_size = 0;
361 int err;
362 char x_priority[256];
363 /* take options into account before connecting */
365 memset (x_priority, 0, sizeof (x_priority));
366 if (ssl->options & SSL_OP_NO_TLSv1)
368 snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string);
369 err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL);
370 if (err < 0)
372 last_error = err;
373 return 0;
377 err = gnutls_handshake (ssl->gnutls_state);
378 ssl->last_error = err;
380 if (err < 0)
382 last_error = err;
383 return 0;
386 store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX));
387 store->ssl = ssl;
388 store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
389 &cert_list_size);
391 if (ssl->verify_callback)
393 ssl->verify_callback (1 /*FIXME*/, store);
395 ssl->state = SSL_ST_OK;
397 err = store->error;
398 free (store);
400 /* FIXME: deal with error from callback */
402 return 1;
406 SSL_accept (SSL * ssl)
408 X509_STORE_CTX *store;
409 unsigned int cert_list_size = 0;
410 int err;
411 char x_priority[256];
412 /* take options into account before connecting */
414 memset (x_priority, 0, sizeof (x_priority));
415 if (ssl->options & SSL_OP_NO_TLSv1)
417 snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string);
418 err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL);
419 if (err < 0)
421 last_error = err;
422 return 0;
426 /* FIXME: dh params, do we want client cert? */
428 err = gnutls_handshake (ssl->gnutls_state);
429 ssl->last_error = err;
431 if (err < 0)
433 last_error = err;
434 return 0;
437 store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX));
438 store->ssl = ssl;
439 store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
440 &cert_list_size);
442 if (ssl->verify_callback)
444 ssl->verify_callback (1 /*FIXME*/, store);
446 ssl->state = SSL_ST_OK;
448 err = store->error;
449 free (store);
451 /* FIXME: deal with error from callback */
453 return 1;
457 SSL_shutdown (SSL * ssl)
459 if (!ssl->shutdown)
461 gnutls_bye (ssl->gnutls_state, GNUTLS_SHUT_WR);
462 ssl->shutdown++;
464 else
466 gnutls_bye (ssl->gnutls_state, GNUTLS_SHUT_RDWR);
467 ssl->shutdown++;
470 /* FIXME */
471 return 1;
475 SSL_read (SSL * ssl, void *buf, int len)
477 int ret;
479 ret = gnutls_record_recv (ssl->gnutls_state, buf, len);
480 ssl->last_error = ret;
482 if (ret < 0)
484 last_error = ret;
485 return 0;
488 return ret;
492 SSL_write (SSL * ssl, const void *buf, int len)
494 int ret;
496 ret = gnutls_record_send (ssl->gnutls_state, buf, len);
497 ssl->last_error = ret;
499 if (ret < 0)
501 last_error = ret;
502 return 0;
505 return ret;
509 SSL_want (SSL * ssl)
511 return SSL_NOTHING;
515 /* SSL_METHOD functions */
517 SSL_METHOD *
518 SSLv23_client_method (void)
520 SSL_METHOD *m;
521 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
522 if (!m)
523 return NULL;
525 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
527 m->connend = GNUTLS_CLIENT;
529 return m;
532 SSL_METHOD *
533 SSLv23_server_method (void)
535 SSL_METHOD *m;
536 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
537 if (!m)
538 return NULL;
540 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
541 m->connend = GNUTLS_SERVER;
543 return m;
546 SSL_METHOD *
547 SSLv3_client_method (void)
549 SSL_METHOD *m;
550 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
551 if (!m)
552 return NULL;
554 strcpy(m->priority_string, "NONE:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
555 m->connend = GNUTLS_CLIENT;
557 return m;
560 SSL_METHOD *
561 SSLv3_server_method (void)
563 SSL_METHOD *m;
564 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
565 if (!m)
566 return NULL;
568 strcpy(m->priority_string, "NONE:+VERS-SSL3.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
569 m->connend = GNUTLS_SERVER;
571 return m;
574 SSL_METHOD *
575 TLSv1_client_method (void)
577 SSL_METHOD *m;
578 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
579 if (!m)
580 return NULL;
582 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
583 m->connend = GNUTLS_CLIENT;
585 return m;
588 SSL_METHOD *
589 TLSv1_server_method (void)
591 SSL_METHOD *m;
592 m = (SSL_METHOD *) calloc (1, sizeof (SSL_METHOD));
593 if (!m)
594 return NULL;
596 strcpy(m->priority_string, "NONE:+VERS-TLS1.0:+CIPHER-ALL:+COMP-ALL:+RSA:+DHE-RSA:+DHE-DSS:+MAC-ALL");
597 m->connend = GNUTLS_SERVER;
599 return m;
603 /* SSL_CIPHER functions */
605 SSL_CIPHER *
606 SSL_get_current_cipher (SSL * ssl)
608 if (!ssl)
609 return NULL;
611 ssl->ciphersuite.version = gnutls_protocol_get_version (ssl->gnutls_state);
612 ssl->ciphersuite.cipher = gnutls_cipher_get (ssl->gnutls_state);
613 ssl->ciphersuite.kx = gnutls_kx_get (ssl->gnutls_state);
614 ssl->ciphersuite.mac = gnutls_mac_get (ssl->gnutls_state);
615 ssl->ciphersuite.compression = gnutls_compression_get (ssl->gnutls_state);
616 ssl->ciphersuite.cert = gnutls_certificate_type_get (ssl->gnutls_state);
618 return &(ssl->ciphersuite);
621 const char *
622 SSL_CIPHER_get_name (SSL_CIPHER * cipher)
624 if (!cipher)
625 return ("NONE");
627 return gnutls_cipher_suite_get_name (cipher->kx,
628 cipher->cipher, cipher->mac);
632 SSL_CIPHER_get_bits (SSL_CIPHER * cipher, int *bits)
634 int bit_result;
636 if (!cipher)
637 return 0;
639 bit_result = (8 * gnutls_cipher_get_key_size (cipher->cipher));
641 if (bits)
642 *bits = bit_result;
644 return bit_result;
647 const char *
648 SSL_CIPHER_get_version (SSL_CIPHER * cipher)
650 const char *ret;
652 if (!cipher)
653 return ("(NONE)");
655 ret = gnutls_protocol_get_name (cipher->version);
656 if (ret)
657 return ret;
659 return ("unknown");
662 char *
663 SSL_CIPHER_description (SSL_CIPHER * cipher, char *buf, int size)
665 char *tmpbuf;
666 int tmpsize;
667 int local_alloc;
669 if (buf)
671 tmpbuf = buf;
672 tmpsize = size;
673 local_alloc = 0;
675 else
677 tmpbuf = (char *) malloc (128);
678 tmpsize = 128;
679 local_alloc = 1;
682 if (snprintf (tmpbuf, tmpsize, "%s %s %s %s",
683 gnutls_protocol_get_name (cipher->version),
684 gnutls_kx_get_name (cipher->kx),
685 gnutls_cipher_get_name (cipher->cipher),
686 gnutls_mac_get_name (cipher->mac)) == -1)
688 if (local_alloc)
689 free (tmpbuf);
690 return (char *) "Buffer too small";
693 return tmpbuf;
697 /* X509 functions */
699 X509_NAME *
700 X509_get_subject_name (const X509 * cert)
702 gnutls_x509_dn *dn;
703 dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
704 if (gnutls_x509_extract_certificate_dn (cert, dn) < 0)
706 free (dn);
707 return NULL;
709 return dn;
712 X509_NAME *
713 X509_get_issuer_name (const X509 * cert)
715 gnutls_x509_dn *dn;
716 dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
717 if (gnutls_x509_extract_certificate_issuer_dn (cert, dn) < 0)
719 free (dn);
720 return NULL;
722 return dn;
725 char *
726 X509_NAME_oneline (gnutls_x509_dn * name, char *buf, int len)
728 /* XXX openssl allocates buffer if buf == NULL */
729 if (!buf)
730 return NULL;
731 memset (buf, 0, len);
733 snprintf (buf, len - 1,
734 "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s/Email=%s",
735 name->country, name->state_or_province_name,
736 name->locality_name, name->organization,
737 name->organizational_unit_name, name->common_name, name->email);
738 return buf;
741 void
742 X509_free (const X509 * cert)
744 /* only get certificates as const items */
748 /* BIO functions */
750 void
751 BIO_get_fd (gnutls_session_t gnutls_state, int *fd)
753 gnutls_transport_ptr_t tmp = gnutls_transport_get_ptr (gnutls_state);
754 *fd = GNUTLS_POINTER_TO_INT (tmp);
757 BIO *
758 BIO_new_socket (int sock, int close_flag)
760 BIO *bio;
762 bio = (BIO *) malloc (sizeof (BIO));
763 if (!bio)
764 return NULL;
766 bio->fd = GNUTLS_INT_TO_POINTER (sock);
768 return bio;
772 /* error handling */
774 unsigned long
775 ERR_get_error (void)
777 unsigned long ret;
779 ret = -1 * last_error;
780 last_error = 0;
782 return ret;
785 const char *
786 ERR_error_string (unsigned long e, char *buf)
788 return gnutls_strerror (-1 * e);
792 /* RAND functions */
795 RAND_status (void)
797 return 1;
800 void
801 RAND_seed (const void *buf, int num)
806 RAND_bytes (unsigned char *buf, int num)
808 gnutls_rnd (GNUTLS_RND_RANDOM, buf, num);
809 return 1;
813 RAND_pseudo_bytes (unsigned char *buf, int num)
815 gnutls_rnd (GNUTLS_RND_NONCE, buf, num);
816 return 1;
819 const char *
820 RAND_file_name (char *buf, size_t len)
822 return "";
826 RAND_load_file (const char *name, long maxbytes)
828 return maxbytes;
832 RAND_write_file (const char *name)
834 return 0;
838 RAND_egd_bytes (const char *path, int bytes)
840 /* fake it */
841 return bytes;
845 /* message digest functions */
847 void
848 MD5_Init (MD5_CTX * ctx)
850 ctx->handle = gnutls_malloc (sizeof (digest_hd_st));
851 if (!ctx->handle)
852 abort ();
853 _gnutls_hash_init (ctx->handle, GNUTLS_DIG_MD5);
856 void
857 MD5_Update (MD5_CTX * ctx, const void *buf, int len)
859 _gnutls_hash (ctx->handle, buf, len);
862 void
863 MD5_Final (unsigned char *md, MD5_CTX * ctx)
865 _gnutls_hash_deinit (ctx->handle, md);
866 gnutls_free (ctx->handle);
869 unsigned char *
870 MD5 (const unsigned char *buf, unsigned long len, unsigned char *md)
872 if (!md)
873 return NULL;
875 _gnutls_hash_fast (GNUTLS_DIG_MD5, buf, len, md);
877 return md;
880 void
881 RIPEMD160_Init (RIPEMD160_CTX * ctx)
883 ctx->handle = gnutls_malloc (sizeof (digest_hd_st));
884 if (!ctx->handle)
885 abort ();
886 _gnutls_hash_init (ctx->handle, GNUTLS_DIG_RMD160);
889 void
890 RIPEMD160_Update (RIPEMD160_CTX * ctx, const void *buf, int len)
892 _gnutls_hash (ctx->handle, buf, len);
895 void
896 RIPEMD160_Final (unsigned char *md, RIPEMD160_CTX * ctx)
898 _gnutls_hash_deinit (ctx->handle, md);
899 gnutls_free (ctx->handle);
902 unsigned char *
903 RIPEMD160 (const unsigned char *buf, unsigned long len, unsigned char *md)
905 if (!md)
906 return NULL;
908 _gnutls_hash_fast (GNUTLS_DIG_RMD160, buf, len, md);
910 return md;