diff --git a/README.md b/README.md index 34024f17ae..6bb3cea7da 100644 --- a/README.md +++ b/README.md @@ -439,16 +439,6 @@ these without understanding the implications. The defaults have been carefully considered to provide full functionality so users will not be missing anything. -### Cryptography - -EFL officially offers openssl or gnutls as cryptography backends. By -default it uses "openssl" to do signature, cipher and related. Alternatively -one can use "gnutls" (some distros are strict about licenses and want gnutls -instead of openssl) You can switch to gnutls with: -``` sh --Dcrypto=gnutls -``` - ----- ## Compiling and Installing diff --git a/doc/ecore_examples.dox b/doc/ecore_examples.dox index c02de6f1d7..320dd56b54 100644 --- a/doc/ecore_examples.dox +++ b/doc/ecore_examples.dox @@ -948,11 +948,6 @@ * @ref ecore_event_example_02_c "the explanation here". */ -/** - * @example ecore_fd_handler_gnutls_example.c - * Shows how to use fd handlers. - */ - /** * @example ecore_con_lookup_example.c * Shows how to make a simple DNS lookup. See the complete example description diff --git a/meson.build b/meson.build index 0350e9e718..744904c9b3 100644 --- a/meson.build +++ b/meson.build @@ -223,10 +223,6 @@ if host_os == 'freebsd' or host_os == 'dragonfly' # can cause major issues (2 copies of the same library). crypto = declare_dependency(link_args : [ '-lssl', '-lcrypto']) config_h.set('HAVE_OPENSSL', '1') -elif get_option('crypto') == 'gnutls' - # gcrypt does not want to provide a pkg config file so we try the lib - crypto = [dependency('gnutls'), cc.find_library('gcrypt')] - config_h.set('HAVE_GNUTLS', '1') elif get_option('crypto') == 'openssl' crypto = dependency('openssl') config_h.set('HAVE_OPENSSL', '1') diff --git a/meson_options.txt b/meson_options.txt index b39f64970c..27ace2e7eb 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -108,7 +108,7 @@ option('build-tests', option('crypto', type : 'combo', - choices : ['gnutls', 'openssl'], + choices : ['openssl'], value : 'openssl', description : 'Which SSL Crypto library used in efl' ) diff --git a/po/POTFILES.in b/po/POTFILES.in index 9598abfc42..00f11e6b6e 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -406,7 +406,6 @@ src/examples/ecore/ecore_event_example_02.c src/examples/ecore/ecore_exe_example.c src/examples/ecore/ecore_exe_example_child.c src/examples/ecore/ecore_fd_handler_example.c -src/examples/ecore/ecore_fd_handler_gnutls_example.c src/examples/ecore/ecore_file_download_example.c src/examples/ecore/ecore_getopt_example.c src/examples/ecore/ecore_idler_example.c @@ -861,11 +860,9 @@ src/lib/ecore_con/efl_net_socket_tcp.c src/lib/ecore_con/efl_net_socket_udp.c src/lib/ecore_con/efl_net_socket_unix.c src/lib/ecore_con/efl_net_socket_windows.c -src/lib/ecore_con/efl_net_ssl_conn-gnutls.c src/lib/ecore_con/efl_net_ssl_conn-none.c src/lib/ecore_con/efl_net_ssl_conn-openssl.c src/lib/ecore_con/efl_net_ssl_context.c -src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c src/lib/ecore_con/efl_net_ssl_ctx-none.c src/lib/ecore_con/efl_net_ssl_ctx-openssl.c src/lib/ecore_drm2/ecore_drm2.c @@ -2484,7 +2481,6 @@ src/lib/embryo/embryo_time.c src/lib/emile/emile_base64.c src/lib/emile/emile_base64.h src/lib/emile/emile_cipher.c -src/lib/emile/emile_cipher_gnutls.c src/lib/emile/emile_cipher.h src/lib/emile/emile_cipher_openssl.c src/lib/emile/emile_compress.c diff --git a/src/examples/ecore/.gitignore b/src/examples/ecore/.gitignore index 7f0a1c8a82..2f9fddf50d 100644 --- a/src/examples/ecore/.gitignore +++ b/src/examples/ecore/.gitignore @@ -33,7 +33,6 @@ /ecore_exe_example /ecore_exe_example_child /ecore_fd_handler_example -/ecore_fd_handler_gnutls_example /ecore_file_download_example /ecore_getopt_example /ecore_idler_example diff --git a/src/examples/ecore/ecore_fd_handler_gnutls_example.c b/src/examples/ecore/ecore_fd_handler_gnutls_example.c deleted file mode 100644 index de30f02365..0000000000 --- a/src/examples/ecore/ecore_fd_handler_gnutls_example.c +++ /dev/null @@ -1,232 +0,0 @@ -//Compile with: -// gcc -o ecore_fd_handler_gnutls_example ecore_fd_handler_gnutls_example.c `pkg-config --cflags --libs ecore gnutls` - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include -#ifdef HAVE_NETINET_TCP_H -# include -#endif -#ifdef HAVE_NETINET_IN_H -# include -#endif -#ifdef HAVE_SYS_SOCKET_H -# include -#endif -#ifdef HAVE_ARPA_INET_H -# include -#endif -#include -#include -#include -#include -#include - -/* Ecore_Fd_Handler example - * 2010 Mike Blumenkrantz - * compile with gcc $(pkgconfig --cflags --libs gnutls ecore) - */ - -#define print(...) \ -do { \ - fprintf(stderr, "line %i: ", __LINE__); \ - fprintf(stderr, __VA_ARGS__); \ - fprintf(stderr, "\n");\ -} while(0) - -static int done = 0; - -static void -tls_log_func(int level, const char *str) -{ - fprintf(stderr, "|<%d>| %s", level, str); -} - -static const char * -SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_description_t status) -{ - switch (status) - { - case GNUTLS_HANDSHAKE_HELLO_REQUEST: - return "Hello request"; - - case GNUTLS_HANDSHAKE_CLIENT_HELLO: - return "Client hello"; - - case GNUTLS_HANDSHAKE_SERVER_HELLO: - return "Server hello"; - - case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: - return "Certificate packet"; - - case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: - return "Server key exchange"; - - case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: - return "Certificate request"; - - case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE: - return "Server hello done"; - - case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: - return "Certificate verify"; - - case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE: - return "Client key exchange"; - - case GNUTLS_HANDSHAKE_FINISHED: - return "Finished"; - - case GNUTLS_HANDSHAKE_SUPPLEMENTAL: - return "Supplemental"; - default: - return "Uncaught state"; - } - return NULL; -} - -/* Connects to the peer and returns a socket - * descriptor. - */ -static int -tcp_connect(void) -{ - const char *PORT = "443"; - const char *SERVER = "69.58.181.89"; //verisign.com - int err, sd; - int flag = 1, curstate = 0; - struct sockaddr_in sa; - - /* sets some fd options such as nonblock */ - sd = socket(AF_INET, SOCK_STREAM, 0); - if (sd < 0) abort(); - if (fcntl(sd, F_SETFL, O_NONBLOCK) < 0) perror("fcntl"); - eina_file_close_on_exec(sd, EINA_TRUE); - if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (const void *)&curstate, sizeof(curstate)) < 0) perror("setsockopt"); - - if (setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int)) < 0) perror("setsockopt"); - - memset(&sa, '\0', sizeof (sa)); - sa.sin_family = AF_INET; - sa.sin_port = eina_htons(atoi(PORT)); - if (inet_pton(AF_INET, SERVER, &sa.sin_addr)) perror("inet_pton"); - - /* connects to server - */ - err = connect(sd, (struct sockaddr *)&sa, sizeof (sa)); - if ((err < 0) && (errno != EINPROGRESS)) - { - print("Connect error\n"); - exit(1); - } - - return sd; -} - -/* closes the given socket descriptor. - */ -static void -tcp_close(int sd) -{ -#ifdef _WIN32 - shutdown(sd, SD_BOTH); /* no more receptions */ - closesocket(sd); -#else - shutdown(sd, SHUT_RDWR); /* no more receptions */ - close(sd); -#endif -} - -static Eina_Bool -_process_data(gnutls_session_t client, Ecore_Fd_Handler *fd_handler) -{ - static int ret, lastret; - static unsigned int count = 0; - - if (!done) - { - lastret = ret; - ret = gnutls_handshake(client); - count++; - if (gnutls_record_get_direction(client)) - ecore_main_fd_handler_active_set(fd_handler, ECORE_FD_WRITE); - else - ecore_main_fd_handler_active_set(fd_handler, ECORE_FD_READ); - /* avoid printing messages infinity times */ - if (lastret != ret) - { - print("gnutls returned with: %s - %s", gnutls_strerror_name(ret), gnutls_strerror(ret)); - if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) || (ret == GNUTLS_E_FATAL_ALERT_RECEIVED)) - print("Also received alert: %s", gnutls_alert_get_name(gnutls_alert_get(client))); - print("last out: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_out(client))); - print("last in: %s", SSL_GNUTLS_PRINT_HANDSHAKE_STATUS(gnutls_handshake_get_last_in(client))); - } - - if (gnutls_error_is_fatal(ret)) - { - print("yarrr this be an error!"); - exit(1); - } - } - if (ret == GNUTLS_E_SUCCESS) - { - done = 1; - print("Handshake successful in %u handshake calls!", count); - ecore_main_loop_quit(); - } - - return ECORE_CALLBACK_RENEW; -} - -int -main(void) -{ - /* credentials */ - gnutls_anon_client_credentials_t c_anoncred; - gnutls_certificate_credentials_t c_certcred; - - gnutls_session_t client; - int sd; - - /* General init. */ - gnutls_global_init(); - ecore_init(); - gnutls_global_set_log_function(tls_log_func); - gnutls_global_set_log_level(6); - - /* Init client */ - gnutls_anon_allocate_client_credentials(&c_anoncred); - gnutls_certificate_allocate_credentials(&c_certcred); - gnutls_init(&client, GNUTLS_CLIENT); - /* set very specific priorities */ - gnutls_priority_set_direct(client, "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0", NULL); - gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); - gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_certcred); - gnutls_server_name_set(client, GNUTLS_NAME_DNS, "www.verisign.com", strlen("www.verisign.com")); - - /* connect to the peer - */ - sd = tcp_connect(); - - /* associate gnutls with socket */ - gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t)(uintptr_t)sd); - /* add a callback for data being available for send/receive on socket */ - if (!ecore_main_fd_handler_add(sd, ECORE_FD_READ | ECORE_FD_WRITE, (Ecore_Fd_Cb)_process_data, client, NULL, NULL)) - { - print("could not create fd handler!"); - exit(1); - } - /* begin main loop */ - ecore_main_loop_begin(); - - gnutls_bye(client, GNUTLS_SHUT_RDWR); - - gnutls_deinit(client); - - tcp_close(sd); - - return 0; -} - diff --git a/src/examples/ecore/meson.build b/src/examples/ecore/meson.build index 6091a62666..37430ae26a 100644 --- a/src/examples/ecore/meson.build +++ b/src/examples/ecore/meson.build @@ -18,13 +18,8 @@ if config_h.has('HAVE_FORK') examples += 'ecore_pipe_simple_example' endif -gnutls = dependency('gnutls', required : false) -if gnutls.found() -examples += ['ecore_fd_handler_gnutls_example'] -endif - foreach example : examples - executable(example, example + '.c', dependencies: [eina, ecore, ecore_file, gnutls]) + executable(example, example + '.c', dependencies: [eina, ecore, ecore_file]) endforeach if get_option('gstreamer') == true diff --git a/src/lib/ecore_con/Ecore_Con.h b/src/lib/ecore_con/Ecore_Con.h index 2945b06a8f..9cbfc0cd67 100644 --- a/src/lib/ecore_con/Ecore_Con.h +++ b/src/lib/ecore_con/Ecore_Con.h @@ -720,8 +720,7 @@ ECORE_CON_API Eina_Bool ecore_con_lookup(const char *name, Ecore_Con_Dns_Cb done /** * @brief Returns if SSL support is available. - * @return @c 1 if SSL is available and provided by gnutls, - * @c 2 if SSL is available and provided by openssl, + * @return @c 2 if SSL is available and provided by openssl, * @c 0 if it is not available. */ ECORE_CON_API int ecore_con_ssl_available_get(void); diff --git a/src/lib/ecore_con/ecore_con.c b/src/lib/ecore_con/ecore_con.c index 96cb7b3e5e..96c294e8dd 100644 --- a/src/lib/ecore_con/ecore_con.c +++ b/src/lib/ecore_con/ecore_con.c @@ -165,9 +165,7 @@ ecore_con_shutdown(void) ECORE_CON_API int ecore_con_ssl_available_get(void) { -#if HAVE_GNUTLS - return 1; -#elif HAVE_OPENSSL +#ifdef HAVE_OPENSSL return 2; #else return 0; diff --git a/src/lib/ecore_con/efl_net_socket_ssl.c b/src/lib/ecore_con/efl_net_socket_ssl.c index c952acbaeb..835281e8f0 100644 --- a/src/lib/ecore_con/efl_net_socket_ssl.c +++ b/src/lib/ecore_con/efl_net_socket_ssl.c @@ -96,11 +96,9 @@ static Eina_Error efl_net_ssl_conn_hostname_verify_set(Efl_Net_Ssl_Conn *conn, E static Eina_Error efl_net_ssl_conn_hostname_override_set(Efl_Net_Ssl_Conn *conn, const char *hostname); #if HAVE_OPENSSL -#include "efl_net_ssl_conn-openssl.c" -#elif HAVE_GNUTLS -#include "efl_net_ssl_conn-gnutls.c" +# include "efl_net_ssl_conn-openssl.c" #else -#include "efl_net_ssl_conn-none.c" +# include "efl_net_ssl_conn-none.c" #endif #define MY_CLASS EFL_NET_SOCKET_SSL_CLASS diff --git a/src/lib/ecore_con/efl_net_ssl_conn-gnutls.c b/src/lib/ecore_con/efl_net_ssl_conn-gnutls.c deleted file mode 100644 index c3601edbab..0000000000 --- a/src/lib/ecore_con/efl_net_ssl_conn-gnutls.c +++ /dev/null @@ -1,362 +0,0 @@ -#include -#include - -struct _Efl_Net_Ssl_Conn { - gnutls_session_t session; - gnutls_datum_t ticket; - Eo *sock; - const char *hostname; - Efl_Net_Ssl_Verify_Mode verify_mode; - Eina_Bool hostname_verify; - Eina_Bool is_dialer; -}; - -static ssize_t -_efl_net_ssl_conn_write(gnutls_transport_ptr_t transp, const void *buf, size_t len) -{ - Eina_Slice slice = { - .mem = buf, - .len = len - }; - Efl_Net_Ssl_Conn *conn = transp; - Eina_Error err; - - if ((!buf) || (len == 0)) return 0; - if (!conn) return 0; - - if (!efl_io_writer_can_write_get(conn->sock)) - { - DBG("socket=%p would block if written!", conn->sock); - gnutls_transport_set_errno(conn->session, EAGAIN); - return -1; - } - - err = efl_io_writer_write(conn->sock, &slice, NULL); - if (err) - { - gnutls_transport_set_errno(conn->session, err); - return -1; - } - - gnutls_transport_set_errno(conn->session, 0); - return slice.len; -} - -static ssize_t -_efl_net_ssl_conn_read(gnutls_transport_ptr_t transp, void *buf, size_t len) -{ - Eina_Rw_Slice slice = { - .mem = buf, - .len = len - }; - Efl_Net_Ssl_Conn *conn = transp; - Eina_Error err; - - if ((!buf) || (len == 0)) return 0; - if (!conn) return 0; - - if (!efl_io_reader_can_read_get(conn->sock)) - { - DBG("socket=%p would block if read!", conn->sock); - gnutls_transport_set_errno(conn->session, EAGAIN); - return -1; - } - - err = efl_io_reader_read(conn->sock, &slice); - if (err) - { - gnutls_transport_set_errno(conn->session, err); - return -1; - } - - gnutls_transport_set_errno(conn->session, 0); - return slice.len; -} - -static Eina_Error -efl_net_ssl_conn_setup(Efl_Net_Ssl_Conn *conn, Eina_Bool is_dialer, Efl_Net_Socket *sock, Efl_Net_Ssl_Context *context) -{ - gnutls_certificate_request_t req; - int r; - - EINA_SAFETY_ON_TRUE_RETURN_VAL(conn->session != NULL, EALREADY); - - conn->is_dialer = is_dialer; - - conn->session = efl_net_ssl_context_connection_new(context); - EINA_SAFETY_ON_NULL_RETURN_VAL(conn->session, ENOSYS); - - gnutls_handshake_set_private_extensions(conn->session, 1); - - switch (conn->verify_mode) - { - case EFL_NET_SSL_VERIFY_MODE_NONE: - req = GNUTLS_CERT_IGNORE; - break; - case EFL_NET_SSL_VERIFY_MODE_OPTIONAL: - req = GNUTLS_CERT_REQUEST; - break; - case EFL_NET_SSL_VERIFY_MODE_REQUIRED: - default: - req = GNUTLS_CERT_REQUIRE; - } - gnutls_certificate_server_set_request(conn->session, req); - - if (is_dialer) - { - r = gnutls_session_ticket_enable_client(conn->session); - if (r < 0) - { - ERR("ssl_conn=%p could not enable session's ticket client: %s", conn, gnutls_strerror(r)); - goto error; - } - } - else - { - r = gnutls_session_ticket_key_generate(&conn->ticket); - if (r < 0) - { - ERR("ssl_conn=%p could not generate session ticket: %s", conn, gnutls_strerror(r)); - goto error; - } - - r = gnutls_session_ticket_enable_server(conn->session, &conn->ticket); - if (r < 0) - { - ERR("ssl_conn=%p could not enable session's ticket server: %s", conn, gnutls_strerror(r)); - goto error_ticket; - } - } - - conn->sock = sock; - gnutls_transport_set_ptr(conn->session, conn); - gnutls_transport_set_push_function(conn->session, _efl_net_ssl_conn_write); - gnutls_transport_set_pull_function(conn->session, _efl_net_ssl_conn_read); - - return 0; - - error_ticket: - gnutls_free(conn->ticket.data); - conn->ticket.data = NULL; - - error: - gnutls_deinit(conn->session); - conn->session = NULL; - return ENOSYS; -} - -static void -efl_net_ssl_conn_teardown(Efl_Net_Ssl_Conn *conn) -{ - if (conn->session) - { - gnutls_bye(conn->session, GNUTLS_SHUT_RDWR); - gnutls_deinit(conn->session); - conn->session = NULL; - } - - if (conn->ticket.data) - { - gnutls_free(conn->ticket.data); - conn->ticket.data = NULL; - } - - eina_stringshare_replace(&conn->hostname, NULL); -} - -static Eina_Error -efl_net_ssl_conn_write(Efl_Net_Ssl_Conn *conn, Eina_Slice *slice) -{ - ssize_t r = gnutls_record_send(conn->session, slice->mem, slice->len); - if (r < 0) - { - slice->len = 0; - if (gnutls_error_is_fatal(r)) - { - ERR("ssl_conn=%p could not send %zd bytes: %s", conn, slice->len, gnutls_strerror(r)); - return EINVAL; - } - DBG("ssl_conn=%p could not send %zd bytes: %s", conn, slice->len, gnutls_strerror(r)); - return EAGAIN; - } - slice->len = r; - return 0; -} - -static Eina_Error -efl_net_ssl_conn_read(Efl_Net_Ssl_Conn *conn, Eina_Rw_Slice *slice) -{ - ssize_t r = gnutls_record_recv(conn->session, slice->mem, slice->len); - if (r < 0) - { - slice->len = 0; - if (gnutls_error_is_fatal(r)) - { - ERR("ssl_conn=%p could not receive %zd bytes: %s", conn, slice->len, gnutls_strerror(r)); - return EINVAL; - } - DBG("ssl_conn=%p could not receive %zd bytes: %s", conn, slice->len, gnutls_strerror(r)); - return EAGAIN; - } - slice->len = r; - return 0; -} - -static Eina_Error -_efl_net_ssl_conn_verify(Efl_Net_Ssl_Conn *conn) -{ - unsigned status = 0; - int r; - - r = gnutls_certificate_verify_peers2(conn->session, &status); - if (r < 0) - { - ERR("ssl_conn=%p could not verify peer: %s", conn, gnutls_strerror(r)); - return EFL_NET_SOCKET_SSL_ERROR_HANDSHAKE; - } - - if (!status) return 0; - - if (status & GNUTLS_CERT_INVALID) - WRN("ssl_conn=%p The certificate is not trusted.", conn); - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - WRN("ssl_conn=%p The certificate hasn't got a known issuer.", conn); - if (status & GNUTLS_CERT_REVOKED) - WRN("ssl_conn=%p The certificate has been revoked.", conn); - if (status & GNUTLS_CERT_EXPIRED) - WRN("ssl_conn=%p The certificate has expired", conn); - if (status & GNUTLS_CERT_NOT_ACTIVATED) - WRN("ssl_conn=%p The certificate is not yet activated", conn); - - return EFL_NET_SOCKET_SSL_ERROR_CERTIFICATE_VERIFY_FAILED; -} - -static Eina_Error -_efl_net_ssl_conn_hostname_verify(Efl_Net_Ssl_Conn *conn) -{ - const gnutls_datum_t *list; - unsigned int size; - gnutls_x509_crt_t cert = NULL; - int r; - - if ((!conn->hostname) || (conn->hostname[0] == '\0')) - { - ERR("ssl_conn=%p no hostname, cannot verify", conn); - return EFL_NET_SOCKET_SSL_ERROR_CERTIFICATE_VERIFY_FAILED; - } - - if (gnutls_certificate_type_get(conn->session) != GNUTLS_CRT_X509) - { - ERR("ssl_conn=%p PGP certificates are not yet supported!", conn); - return EFL_NET_SOCKET_SSL_ERROR_CERTIFICATE_VERIFY_FAILED; - } - - list = gnutls_certificate_get_peers(conn->session, &size); - if (!list) - { - ERR("ssl_conn=%p no peer certificate!", conn); - return EFL_NET_SOCKET_SSL_ERROR_HANDSHAKE; - } - - r = gnutls_x509_crt_init(&cert); - EINA_SAFETY_ON_TRUE_RETURN_VAL(r < 0, EFL_NET_SOCKET_SSL_ERROR_CERTIFICATE_VERIFY_FAILED); - - r = gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER); - if (r < 0) - { - ERR("ssl_conn=%p could not import x509 certificate to verify: %s", conn, gnutls_strerror(r)); - gnutls_x509_crt_deinit(cert); - return EFL_NET_SOCKET_SSL_ERROR_CERTIFICATE_VERIFY_FAILED; - } - - r = gnutls_x509_crt_check_hostname(cert, conn->hostname); - gnutls_x509_crt_deinit(cert); - - if (r == 1) - return 0; - - ERR("ssl_conn=%p hostname='%s' doesn't match certificate.", - conn, conn->hostname); - return EFL_NET_SOCKET_SSL_ERROR_CERTIFICATE_VERIFY_FAILED; -} - -static Eina_Error -efl_net_ssl_conn_handshake(Efl_Net_Ssl_Conn *conn, Eina_Bool *done) -{ - int r = gnutls_handshake(conn->session); - if (r < 0) - { - *done = EINA_FALSE; - if (gnutls_error_is_fatal(r)) - { - ERR("ssl_conn=%p could not handshake: %s", conn, gnutls_strerror(r)); - return EFL_NET_SOCKET_SSL_ERROR_HANDSHAKE; - } - - DBG("ssl_conn=%p did not finish handshake: %s", conn, gnutls_strerror(r)); - return 0; - } - - if (conn->verify_mode != EFL_NET_SSL_VERIFY_MODE_NONE) - { - Eina_Error err = _efl_net_ssl_conn_verify(conn); - if (err) - return err; - } - - if (conn->hostname_verify) - { - Eina_Error err = _efl_net_ssl_conn_hostname_verify(conn); - if (err) - return err; - } - - *done = EINA_TRUE; - DBG("ssl_conn=%p handshake finished!", conn); - return 0; -} - -static Eina_Error -efl_net_ssl_conn_verify_mode_set(Efl_Net_Ssl_Conn *conn, Efl_Net_Ssl_Verify_Mode verify_mode) -{ - gnutls_certificate_request_t req; - conn->verify_mode = verify_mode; - - switch (conn->verify_mode) - { - case EFL_NET_SSL_VERIFY_MODE_NONE: - req = GNUTLS_CERT_IGNORE; - break; - case EFL_NET_SSL_VERIFY_MODE_OPTIONAL: - req = GNUTLS_CERT_REQUEST; - break; - case EFL_NET_SSL_VERIFY_MODE_REQUIRED: - default: - req = GNUTLS_CERT_REQUIRE; - } - gnutls_certificate_server_set_request(conn->session, req); - - return 0; -} - -static Eina_Error -efl_net_ssl_conn_hostname_verify_set(Efl_Net_Ssl_Conn *conn, Eina_Bool hostname_verify) -{ - conn->hostname_verify = hostname_verify; - return 0; -} - -static Eina_Error -efl_net_ssl_conn_hostname_override_set(Efl_Net_Ssl_Conn *conn, const char *hostname) -{ - int r; - eina_stringshare_replace(&conn->hostname, hostname); - if (!hostname) hostname = ""; - r = gnutls_server_name_set(conn->session, GNUTLS_NAME_DNS, hostname, strlen(hostname)); - if (r < 0) - { - ERR("ssl_conn=%p could not set server name '%s': %s", conn, hostname, gnutls_strerror(r)); - return EINVAL; - } - return 0; -} diff --git a/src/lib/ecore_con/efl_net_ssl_context.c b/src/lib/ecore_con/efl_net_ssl_context.c index a625fe81ee..bbf1aec1e9 100644 --- a/src/lib/ecore_con/efl_net_ssl_context.c +++ b/src/lib/ecore_con/efl_net_ssl_context.c @@ -81,11 +81,9 @@ static Eina_Error efl_net_ssl_ctx_hostname_verify_set(Efl_Net_Ssl_Ctx *ctx, Eina static Eina_Error efl_net_ssl_ctx_hostname_set(Efl_Net_Ssl_Ctx *ctx, const char *hostname); #if HAVE_OPENSSL -#include "efl_net_ssl_ctx-openssl.c" -#elif HAVE_GNUTLS -#include "efl_net_ssl_ctx-gnutls.c" +# include "efl_net_ssl_ctx-openssl.c" #else -#include "efl_net_ssl_ctx-none.c" +# include "efl_net_ssl_ctx-none.c" #endif #define MY_CLASS EFL_NET_SSL_CONTEXT_CLASS diff --git a/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c b/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c deleted file mode 100644 index cb1980827f..0000000000 --- a/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c +++ /dev/null @@ -1,307 +0,0 @@ -#include - -struct _Efl_Net_Ssl_Ctx { - gnutls_certificate_credentials_t x509_cred; - gnutls_priority_t priority; - Eina_Bool is_dialer; -}; - -static Eina_Error -_efl_net_ssl_ctx_load_lists(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg) -{ - Eina_List *n, *n_next, *pk_node; - const char *path; - unsigned certificates_count = eina_list_count(*cfg.certificates); - unsigned private_keys_count = eina_list_count(*cfg.private_keys); - unsigned certificate_revocation_lists_count = eina_list_count(*cfg.certificate_revocation_lists); - unsigned certificate_authorities_count = eina_list_count(*cfg.certificate_authorities); - int r; - - ctx->is_dialer = cfg.is_dialer; - - if (cfg.load_defaults) - { - r = gnutls_certificate_set_x509_system_trust(ctx->x509_cred); - if (r < 0) - { - ERR("ssl_ctx=%p could not load default paths: %s", ctx, gnutls_strerror(r)); - return ENOSYS; - } - DBG("ssl_ctx=%p loaded default paths", ctx); - } - else - DBG("ssl_ctx=%p did not load default paths", ctx); - - /* GNUTLS needs certificate-key pairs, so we do: - * - * - if no private keys, use certificate as its own key; - * - * - if a private keys, walk the list alongside certificates, but - * do NOT delete elements if list sizes are different. Stop at - * last private key, allowing a single private key for multiple - * certificates. - */ - pk_node = *cfg.private_keys; - EINA_LIST_FOREACH_SAFE(*cfg.certificates, n, n_next, path) - { - const char *key = pk_node ? pk_node->data : path; - - r = gnutls_certificate_set_x509_key_file(ctx->x509_cred, path, key, GNUTLS_X509_FMT_PEM); - if (r < 0) - { - ERR("ssl_ctx=%p could not use certificate from '%s' with key '%s': %s", - ctx, path, key, gnutls_strerror(r)); - - if (pk_node) - { - if (eina_list_count(*cfg.private_keys) == eina_list_count(*cfg.certificates)) - { - pk_node = pk_node->next; - eina_stringshare_del(key); - *cfg.private_keys = eina_list_remove_list(*cfg.private_keys, pk_node->prev); - } - else if (pk_node->next) pk_node = pk_node->next; - } - - eina_stringshare_del(path); - *cfg.certificates = eina_list_remove_list(*cfg.certificates, n); - continue; - } - else - { - if (pk_node->next) pk_node = pk_node->next; - } - - DBG("ssl_ctx=%p loaded certificate '%s' with key '%s'", ctx, path, key); - } - if (certificates_count && !*cfg.certificates) - { - ERR("ssl_ctx=%p none of the required certificates were loaded!", ctx); - return EINVAL; - } - - if (private_keys_count && !*cfg.private_keys) - { - ERR("ssl_ctx=%p none of the required private keys were loaded!", ctx); - return EINVAL; - } - else if (pk_node != eina_list_last(*cfg.private_keys)) - { - do - { - n = pk_node->next; - path = n->data; - ERR("ssl_ctx=%p extra private key is unused '%s'", ctx, path); - eina_stringshare_del(path); - *cfg.private_keys = eina_list_remove_list(*cfg.private_keys, n); - } - while (pk_node->next); - } - - EINA_LIST_FOREACH_SAFE(*cfg.certificate_revocation_lists, n, n_next, path) - { - r = gnutls_certificate_set_x509_crl_file(ctx->x509_cred, path, GNUTLS_X509_FMT_PEM); - if (r < 0) - { - ERR("ssl_ctx=%p could not use certificate revocation lists from %s: %s", - ctx, path, gnutls_strerror(r)); - eina_stringshare_del(path); - *cfg.certificate_revocation_lists = eina_list_remove_list(*cfg.certificate_revocation_lists, n); - continue; - } - - DBG("ssl_ctx=%p loaded certificate revocation lists '%s'", ctx, path); - } - if (certificate_revocation_lists_count && !*cfg.certificate_revocation_lists) - { - ERR("ssl_ctx=%p none of the required certificate revocation lists were loaded!", ctx); - return EINVAL; - } - - EINA_LIST_FOREACH_SAFE(*cfg.certificate_authorities, n, n_next, path) - { - struct stat st; - - r = 0; - if (stat(path, &st) != 0) - { - ERR("ssl_ctx=%p could not load certificate authorities from '%s': %s", ctx, path, eina_error_msg_get(errno)); - eina_stringshare_del(path); - *cfg.certificate_authorities = eina_list_remove_list(*cfg.certificate_authorities, n); - continue; - } - else if (S_ISDIR(st.st_mode)) - r = gnutls_certificate_set_x509_trust_dir(ctx->x509_cred, path, GNUTLS_X509_FMT_PEM); - else - r = gnutls_certificate_set_x509_trust_file(ctx->x509_cred, path, GNUTLS_X509_FMT_PEM); - - if (r < 0) - { - ERR("ssl_ctx=%p could not use certificate authorities from '%s': %s", ctx, path, gnutls_strerror(r)); - eina_stringshare_del(path); - *cfg.certificate_authorities = eina_list_remove_list(*cfg.certificate_authorities, n); - continue; - } - - DBG("ssl_ctx=%p loaded certificate authorities '%s'", ctx, path); - } - if (certificate_authorities_count && !*cfg.certificate_authorities) - { - ERR("ssl_ctx=%p none of the required certificate authorities were loaded!", ctx); - return EINVAL; - } - - return 0; -} - -static void * -efl_net_ssl_ctx_connection_new(Efl_Net_Ssl_Ctx *ctx) -{ - gnutls_session_t session; - int r; - - r = gnutls_init(&session, ctx->is_dialer ? GNUTLS_CLIENT : GNUTLS_SERVER); - if (r < 0) - { - ERR("ssl_ctx=%p could not create %s session: %s", - ctx, ctx->is_dialer ? "dialer" : "server", gnutls_strerror(r)); - return NULL; - } - - if (!ctx->priority) - { - r = gnutls_set_default_priority(session); - if (r < 0) - { - ERR("ssl_ctx=%p could not set default cipher priority: %s", ctx, gnutls_strerror(r)); - goto error; - } - } - else - { - r = gnutls_priority_set(session, ctx->priority); - if (r < 0) - { - ERR("ssl_ctx=%p could not set cipher priority: %s", ctx, gnutls_strerror(r)); - goto error; - } - } - - r = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred); - if (r < 0) - { - ERR("ssl_ctx=%p could not set session credentials: %s", ctx, gnutls_strerror(r)); - goto error; - } - - return session; - - error: - gnutls_deinit(session); - return NULL; -} - -static Eina_Error -efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg) -{ - Eina_Error err; - const char *priority; - int r; - - EINA_SAFETY_ON_TRUE_RETURN_VAL(ctx->x509_cred != NULL, EALREADY); - - switch (cfg.cipher) - { - case EFL_NET_SSL_CIPHER_AUTO: - priority = NULL; - break; - case EFL_NET_SSL_CIPHER_TLSV1: - priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0!VERS-TLS1.1:!VERS-TLS1.2"; - break; - case EFL_NET_SSL_CIPHER_TLSV1_1: - priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.2"; - break; - case EFL_NET_SSL_CIPHER_TLSV1_2: - priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1"; - break; - default: - ERR("ssl_ctx=%p unsupported cipher %d", ctx, cfg.cipher); - return EINVAL; - } - - if (priority) - { - const char *err_pos = NULL; - r = gnutls_priority_init(&ctx->priority, priority, &err_pos); - if (r < 0) - { - size_t off = err_pos - priority; - if (r == GNUTLS_E_INVALID_REQUEST) - { - ERR("ssl_ctx=%p invalid syntax on GNUTLS priority string offset %zd: '%s'", ctx, off, priority); - return EINVAL; - } - ERR("ssl_ctx=%p could not set GNUTLS priority offset %zd '%s': %s", ctx, off, priority, gnutls_strerror(r)); - return EINVAL; - } - } - - r = gnutls_certificate_allocate_credentials(&ctx->x509_cred); - if (r < 0) - { - ERR("ssl_ctx=%p could not allocate X509 credentials: %s", ctx, gnutls_strerror(r)); - err = ENOSYS; - goto err_cert_alloc; - } - - err = _efl_net_ssl_ctx_load_lists(ctx, cfg); - if (err) - { - ERR("ssl_ctx=%p failed to load certificate, private keys, CRL or CA", ctx); - goto err_load; - } - - return 0; - - err_load: - gnutls_certificate_free_credentials(ctx->x509_cred); - ctx->x509_cred = NULL; - err_cert_alloc: - gnutls_priority_deinit(ctx->priority); - ctx->priority = NULL; - return err; -} - -static void -efl_net_ssl_ctx_teardown(Efl_Net_Ssl_Ctx *ctx) -{ - if (ctx->x509_cred) - { - gnutls_certificate_free_credentials(ctx->x509_cred); - ctx->x509_cred = NULL; - } - - if (ctx->priority) - { - gnutls_priority_deinit(ctx->priority); - ctx->priority = NULL; - } -} - -static Eina_Error -efl_net_ssl_ctx_verify_mode_set(Efl_Net_Ssl_Ctx *ctx EINA_UNUSED, Efl_Net_Ssl_Verify_Mode verify_mode EINA_UNUSED) -{ - return 0; -} - -static Eina_Error -efl_net_ssl_ctx_hostname_verify_set(Efl_Net_Ssl_Ctx *ctx EINA_UNUSED, Eina_Bool hostname_verify EINA_UNUSED) -{ - return 0; -} - -static Eina_Error -efl_net_ssl_ctx_hostname_set(Efl_Net_Ssl_Ctx *ctx EINA_UNUSED, const char *hostname EINA_UNUSED) -{ - return 0; -} diff --git a/src/lib/eet/eet_cipher.c b/src/lib/eet/eet_cipher.c index 30501b99e1..d54dd063cc 100644 --- a/src/lib/eet/eet_cipher.c +++ b/src/lib/eet/eet_cipher.c @@ -14,20 +14,15 @@ # else # include # endif -# ifdef HAVE_GNUTLS -# include -# include -# else /* ifdef HAVE_GNUTLS */ -# include -# include -# include -# include -# include -# include -# include -# include -# include -# endif /* ifdef HAVE_GNUTLS */ +# include +# include +# include +# include +# include +# include +# include +# include +# include #endif /* ifdef HAVE_SIGNATURE */ #ifdef HAVE_OPENSSL @@ -35,15 +30,9 @@ #endif /* ifdef HAVE_OPENSSL */ #ifdef HAVE_CIPHER -# ifdef HAVE_GNUTLS -# include -# include -# include -# else /* ifdef HAVE_GNUTLS */ -# include -# include -# include -# endif /* ifdef HAVE_GNUTLS */ +# include +# include +# include #endif /* ifdef HAVE_CIPHER */ #include @@ -51,25 +40,15 @@ #include "Eet.h" #include "Eet_private.h" -#ifdef HAVE_GNUTLS -# define MAX_KEY_LEN 32 -# define MAX_IV_LEN 16 -#else /* ifdef HAVE_GNUTLS */ -# define MAX_KEY_LEN EVP_MAX_KEY_LENGTH -# define MAX_IV_LEN EVP_MAX_IV_LENGTH -#endif /* ifdef HAVE_GNUTLS */ +#define MAX_KEY_LEN EVP_MAX_KEY_LENGTH +#define MAX_IV_LEN EVP_MAX_IV_LENGTH struct _Eet_Key { int references; #ifdef HAVE_SIGNATURE -# ifdef HAVE_GNUTLS - gnutls_x509_crt_t certificate; - gnutls_x509_privkey_t private_key; -# else /* ifdef HAVE_GNUTLS */ X509 *certificate; EVP_PKEY *private_key; -# endif /* ifdef HAVE_GNUTLS */ #endif /* ifdef HAVE_SIGNATURE */ }; @@ -81,109 +60,6 @@ eet_identity_open(const char *certificate_file, #ifdef HAVE_SIGNATURE /* Signature declarations */ Eet_Key *key = NULL; -# ifdef HAVE_GNUTLS - /* Gnutls private declarations */ - Eina_File *f = NULL; - void *data = NULL; - gnutls_datum_t load_file = { NULL, 0 }; - char pass[1024]; - - if (!emile_cipher_init()) return NULL; - - /* Init */ - if (!(key = malloc(sizeof(Eet_Key)))) - goto on_error; - - key->references = 1; - - if (gnutls_x509_crt_init(&(key->certificate))) - goto on_error; - - if (gnutls_x509_privkey_init(&(key->private_key))) - goto on_error; - - /* Mmap certificate_file */ - f = eina_file_open(certificate_file, 0); - if (!f) - goto on_error; - - /* let's make mmap safe and just get 0 pages for IO erro */ - eina_mmap_safety_enabled_set(EINA_TRUE); - - data = eina_file_map_all(f, EINA_FILE_SEQUENTIAL); - if (!data) goto on_error; - - /* Import the certificate in Eet_Key structure */ - load_file.data = data; - load_file.size = eina_file_size_get(f); - if (gnutls_x509_crt_import(key->certificate, &load_file, - GNUTLS_X509_FMT_PEM) < 0) - goto on_error; - - eina_file_map_free(f, data); - - /* Reset values */ - eina_file_close(f); - f = NULL; - data = NULL; - load_file.data = NULL; - load_file.size = 0; - - /* Mmap private_key_file */ - f = eina_file_open(private_key_file, 0); - if (!f) - goto on_error; - - /* let's make mmap safe and just get 0 pages for IO erro */ - eina_mmap_safety_enabled_set(EINA_TRUE); - - data = eina_file_map_all(f, EINA_FILE_SEQUENTIAL); - if (!data) - goto on_error; - - /* Import the private key in Eet_Key structure */ - load_file.data = data; - load_file.size = eina_file_size_get(f); - /* Try to directly import the PEM encoded private key */ - if (gnutls_x509_privkey_import(key->private_key, &load_file, - GNUTLS_X509_FMT_PEM) < 0) - { - /* Else ask for the private key pass */ - if (cb && cb(pass, 1024, 0, NULL)) - { - /* If pass then try to decode the pkcs 8 private key */ - if (gnutls_x509_privkey_import_pkcs8(key->private_key, &load_file, - GNUTLS_X509_FMT_PEM, pass, 0)) - goto on_error; - } - else - /* Else try to import the pkcs 8 private key without pass */ - if (gnutls_x509_privkey_import_pkcs8(key->private_key, &load_file, - GNUTLS_X509_FMT_PEM, NULL, 1)) - goto on_error; - } - - eina_file_map_free(f, data); - eina_file_close(f); - - return key; - -on_error: - if (data) eina_file_map_free(f, data); - if (f) eina_file_close(f); - - if (key) - { - if (key->certificate) - gnutls_x509_crt_deinit(key->certificate); - - if (key->private_key) - gnutls_x509_privkey_deinit(key->private_key); - - free(key); - } - -# else /* ifdef HAVE_GNUTLS */ /* Openssl private declarations */ EVP_PKEY *pkey = NULL; X509 *cert = NULL; @@ -231,7 +107,6 @@ on_error: if (pkey) EVP_PKEY_free(pkey); -# endif /* ifdef HAVE_GNUTLS */ #else (void) certificate_file; (void) private_key_file; @@ -249,13 +124,8 @@ eet_identity_close(Eet_Key *key) if (!key || (key->references > 0)) return; -# ifdef HAVE_GNUTLS - gnutls_x509_crt_deinit(key->certificate); - gnutls_x509_privkey_deinit(key->private_key); -# else /* ifdef HAVE_GNUTLS */ X509_free(key->certificate); EVP_PKEY_free(key->private_key); -# endif /* ifdef HAVE_GNUTLS */ free(key); # else (void)key; @@ -267,92 +137,6 @@ eet_identity_print(Eet_Key *key, FILE *out) { #ifdef HAVE_SIGNATURE -# ifdef HAVE_GNUTLS - const char *names[6] = { - "Modulus", - "Public exponent", - "Private exponent", - "First prime", - "Second prime", - "Coefficient" - }; - int err = 0; - gnutls_datum_t data = { NULL, 0 }; - gnutls_datum_t rsa_raw[6]; - size_t size = 128; - char *res = NULL; - char buf[33]; - unsigned int i, j; - - if (!key) - return; - - if (!emile_cipher_init()) return ; - - if (key->private_key) - { - if (gnutls_x509_privkey_export_rsa_raw(key->private_key, - rsa_raw + 0, /* Modulus */ - rsa_raw + 1, /* Public exponent */ - rsa_raw + 2, /* Private exponent */ - rsa_raw + 3, /* First prime */ - rsa_raw + 4, /* Second prime */ - rsa_raw + 5)) /* Coefficient */ - goto on_error; - - if (!(res = malloc(size))) - goto on_error; - - fprintf(out, "Private Key:\n"); - buf[32] = '\0'; - - for (i = 0; i < 6; i++) - { - while ((err = gnutls_hex_encode(rsa_raw + i, res, &size)) == - GNUTLS_E_SHORT_MEMORY_BUFFER) - { - char *temp; - - size += 128; - if (!(temp = realloc(res, size))) - goto on_error; - res = temp; - } - if (err) - goto on_error; - - fprintf(out, "\t%s:\n", names[i]); - for (j = 0; strlen(res) > j; j += 32) - { - snprintf(buf, 32, "%s", res + j); - fprintf(out, "\t\t%s\n", buf); - } - } - free(res); - res = NULL; - } - - if (key->certificate) - { - fprintf(out, "Public certificate:\n"); - if (gnutls_x509_crt_print(key->certificate, GNUTLS_X509_CRT_FULL, - &data)) - goto on_error; - - fprintf(out, "%s\n", data.data); - gnutls_free(data.data); - data.data = NULL; - } - -on_error: - if (res) - free(res); - - if (data.data) - gnutls_free(data.data); - - return; -# else /* ifdef HAVE_GNUTLS */ RSA *rsa; DSA *dsa; DH *dh; @@ -385,7 +169,6 @@ on_error: fprintf(out, "Public certificate:\n"); X509_print_fp(out, key->certificate); -# endif /* ifdef HAVE_GNUTLS */ #else /* ifdef HAVE_SIGNATURE */ key = NULL; out = NULL; @@ -420,17 +203,6 @@ eet_identity_compute_sha1(const void *data_base, void *result; #ifdef HAVE_SIGNATURE -# ifdef HAVE_GNUTLS - result = malloc(gcry_md_get_algo_dlen(GCRY_MD_SHA1)); - if (!result) - return NULL; - - gcry_md_hash_buffer(GCRY_MD_SHA1, result, data_base, data_length); - if (sha1_length) - *sha1_length = gcry_md_get_algo_dlen(GCRY_MD_SHA1); - -# else /* ifdef HAVE_GNUTLS */ -# ifdef HAVE_OPENSSL result = malloc(SHA_DIGEST_LENGTH); if (!result) return NULL; @@ -439,10 +211,6 @@ eet_identity_compute_sha1(const void *data_base, if (sha1_length) *sha1_length = SHA_DIGEST_LENGTH; -# else /* ifdef HAVE_OPENSSL */ - result = NULL; -# endif /* ifdef HAVE_OPENSSL */ -# endif /* ifdef HAVE_GNUTLS */ #else /* ifdef HAVE_SIGNATURE */ data_base = NULL; data_length = 0; @@ -465,21 +233,13 @@ eet_identity_sign(FILE *fp, int head[3]; unsigned char *sign = NULL; unsigned char *cert = NULL; -# ifdef HAVE_GNUTLS - gnutls_datum_t datum = { NULL, 0 }; - size_t sign_len = 0; - size_t cert_len = 0; - gnutls_datum_t signum = { NULL, 0 }; - gnutls_privkey_t privkey; -# else /* ifdef HAVE_GNUTLS */ -# if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)) +# if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)) EVP_MD_CTX *md_ctx; -# else +# else EVP_MD_CTX md_ctx; -# endif +# endif unsigned int sign_len = 0; int cert_len = 0; -# endif /* ifdef HAVE_GNUTLS */ /* A few check and flush pending write. */ if (!fp || !key || !key->certificate || !key->private_key) @@ -503,56 +263,6 @@ eet_identity_sign(FILE *fp, if (data == MAP_FAILED) return EET_ERROR_MMAP_FAILED; -# ifdef HAVE_GNUTLS - datum.data = data; - datum.size = st_buf.st_size; - - /* Get the signature length */ - if (gnutls_privkey_init(&privkey) < 0) - { - err = EET_ERROR_SIGNATURE_FAILED; - goto on_error; - } - - if (gnutls_privkey_import_x509(privkey, key->private_key, 0) < 0) - { - err = EET_ERROR_SIGNATURE_FAILED; - goto on_error; - } - - if (gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &datum, &signum) < 0) - { - err = EET_ERROR_SIGNATURE_FAILED; - goto on_error; - } - - sign = signum.data; - sign_len = signum.size; - - /* Get the certificate length */ - if (gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert, - &cert_len) && - !cert_len) - { - err = EET_ERROR_SIGNATURE_FAILED; - goto on_error; - } - - /* Get the certificate */ - cert = malloc(cert_len); - if (!cert || - gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert, - &cert_len)) - { - if (!cert) - err = EET_ERROR_OUT_OF_MEMORY; - else - err = EET_ERROR_SIGNATURE_FAILED; - - goto on_error; - } - -# else /* ifdef HAVE_GNUTLS */ sign_len = EVP_PKEY_size(key->private_key); sign = malloc(sign_len); if (!sign) @@ -562,7 +272,7 @@ eet_identity_sign(FILE *fp, } /* Do the signature. */ -#if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && (!defined(LIBRESSL_VERSION_NUMBER))) +# if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && (!defined(LIBRESSL_VERSION_NUMBER))) md_ctx = EVP_MD_CTX_new(); if (!md_ctx) { @@ -576,7 +286,7 @@ eet_identity_sign(FILE *fp, (unsigned int *)&sign_len, key->private_key); EVP_MD_CTX_free(md_ctx); -#else +# else EVP_SignInit(&md_ctx, EVP_sha1()); EVP_SignUpdate(&md_ctx, data, st_buf.st_size); err = EVP_SignFinal(&md_ctx, @@ -584,7 +294,7 @@ eet_identity_sign(FILE *fp, (unsigned int *)&sign_len, key->private_key); EVP_MD_CTX_cleanup(&md_ctx); -#endif +# endif if (err != 1) { ERR_print_errors_fp(stdout); @@ -601,7 +311,6 @@ eet_identity_sign(FILE *fp, goto on_error; } -# endif /* ifdef HAVE_GNUTLS */ /* Append the signature at the end of the file. */ head[0] = (int)eina_htonl ((unsigned int)EET_MAGIC_SIGN); head[1] = (int)eina_htonl ((unsigned int)sign_len); @@ -626,15 +335,6 @@ eet_identity_sign(FILE *fp, } on_error: -# ifdef HAVE_GNUTLS - if (cert) - free(cert); - -# else /* ifdef HAVE_GNUTLS */ - if (cert) - OPENSSL_free(cert); - -# endif /* ifdef HAVE_GNUTLS */ if (sign) free(sign); @@ -692,75 +392,14 @@ eet_identity_check(const void *data_base, sign = (unsigned char *)signature_base + sizeof(int) * 3; cert_der = sign + sign_len; -# ifdef HAVE_GNUTLS - gnutls_x509_crt_t cert; - gnutls_datum_t datum; - gnutls_datum_t signature; - gnutls_pubkey_t pubkey; - unsigned char *hash; - gcry_md_hd_t md; - int err; - - /* Create an understanding certificate structure for gnutls */ - datum.data = (void *)cert_der; - datum.size = cert_len; - gnutls_x509_crt_init(&cert); - gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER); - - signature.data = (void *)sign; - signature.size = sign_len; - - /* Verify the signature */ - /* - I am waiting for my patch being accepted in GnuTLS release. - But we now have a way to prevent double computation of SHA1. - */ - err = gcry_md_open (&md, GCRY_MD_SHA1, 0); - if (err < 0) - return NULL; - - gcry_md_write(md, data_base, data_length); - - hash = gcry_md_read(md, GCRY_MD_SHA1); - if (!hash) - goto on_error; - - datum.size = gcry_md_get_algo_dlen(GCRY_MD_SHA1); - datum.data = hash; - - if (gnutls_pubkey_init(&pubkey) < 0) - goto on_error; - - if (gnutls_pubkey_import_x509(pubkey, cert, 0) < 0) - goto on_error; - - if (gnutls_pubkey_verify_hash2(pubkey, - gnutls_x509_crt_get_signature_algorithm(cert), - 0, - &datum, &signature) < 0) - goto on_error; - - if (sha1) - { - *sha1 = malloc(datum.size); - if (!*sha1) goto on_error; - - memcpy(*sha1, hash, datum.size); - *sha1_length = datum.size; - } - - gcry_md_close(md); - gnutls_x509_crt_deinit(cert); - -# else /* ifdef HAVE_GNUTLS */ const unsigned char *tmp; EVP_PKEY *pkey; X509 *x509; -#if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)) +# if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)) EVP_MD_CTX *md_ctx; -#else +# else EVP_MD_CTX md_ctx; -#endif +# endif int err; /* Strange but d2i_X509 seems to put 0 all over the place. */ @@ -779,7 +418,7 @@ eet_identity_check(const void *data_base, } /* Verify the signature */ -#if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)) +# if (LIBRESSL_VERSION_NUMBER >= 0x3050000fL) || ((OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)) md_ctx = EVP_MD_CTX_new(); if (!md_ctx) { @@ -795,12 +434,12 @@ eet_identity_check(const void *data_base, EVP_VerifyUpdate(md_ctx, data_base, data_length); err = EVP_VerifyFinal(md_ctx, sign, sign_len, pkey); EVP_MD_CTX_free(md_ctx); -#else +# else EVP_VerifyInit(&md_ctx, EVP_sha1()); EVP_VerifyUpdate(&md_ctx, data_base, data_length); err = EVP_VerifyFinal(&md_ctx, sign, sign_len, pkey); EVP_MD_CTX_cleanup(&md_ctx); -#endif +# endif X509_free(x509); EVP_PKEY_free(pkey); @@ -814,7 +453,6 @@ eet_identity_check(const void *data_base, if (err != 1) return NULL; -# endif /* ifdef HAVE_GNUTLS */ if (x509_length) *x509_length = cert_len; @@ -825,11 +463,6 @@ eet_identity_check(const void *data_base, *raw_signature_length = sign_len; return cert_der; -# ifdef HAVE_GNUTLS - on_error: - gcry_md_close(md); - return NULL; -# endif #else /* ifdef HAVE_SIGNATURE */ data_base = NULL; data_length = 0; @@ -858,34 +491,6 @@ eet_identity_certificate_print(const unsigned char *certificate, if (!emile_cipher_init()) return ; -# ifdef HAVE_GNUTLS - gnutls_datum_t datum; - gnutls_x509_crt_t cert; - - /* Create an understanding certificate structure for gnutls */ - datum.data = (void *)certificate; - datum.size = der_length; - if (gnutls_x509_crt_init(&cert)) - goto on_error; - - if (gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) - goto on_error; - - /* Pretty print the certificate */ - datum.data = NULL; - datum.size = 0; - if (gnutls_x509_crt_print(cert, GNUTLS_X509_CRT_FULL, &datum)) - goto on_error; - - INF("Public certificate :"); - INF("%s", datum.data); - -on_error: - if (datum.data) - gnutls_free(datum.data); - - gnutls_x509_crt_deinit(cert); -# else /* ifdef HAVE_GNUTLS */ const unsigned char *tmp; X509 *x509; @@ -903,7 +508,6 @@ on_error: X509_print_fp(out, x509); X509_free(x509); -# endif /* ifdef HAVE_GNUTLS */ #else /* ifdef HAVE_SIGNATURE */ certificate = NULL; der_length = 0; diff --git a/src/lib/emile/emile_cipher.h b/src/lib/emile/emile_cipher.h index 3849c549c9..61265810cb 100644 --- a/src/lib/emile/emile_cipher.h +++ b/src/lib/emile/emile_cipher.h @@ -20,7 +20,7 @@ typedef enum _Emile_Cipher_Backend { EMILE_NONE, EMILE_OPENSSL, - EMILE_GNUTLS + EMILE_GNUTLS /* < deprecated since 1.27 */ } Emile_Cipher_Backend; /** @@ -38,7 +38,7 @@ typedef enum _Emile_Cipher_Algorithm /** * Force the initialization of the underlying cipher library. * - * This call force the initialisation of GNUTLS or OpenSSL, so + * This call force the initialisation of OpenSSL, so * that you get the same setup for everyone. * * @return EINA_TRUE on success, EINA_FALSE otherwise. diff --git a/src/lib/emile/emile_cipher_gnutls.c b/src/lib/emile/emile_cipher_gnutls.c deleted file mode 100644 index 92f41a57d2..0000000000 --- a/src/lib/emile/emile_cipher_gnutls.c +++ /dev/null @@ -1,604 +0,0 @@ -#ifdef HAVE_CONFIG_H -# include -#endif - -#include -#include -#include - -#include - -#include "Emile.h" - -#include "emile_private.h" - -#define MAX_KEY_LEN 32 -#define MAX_IV_LEN 16 - -struct _Emile_SSL -{ - const char *last_error; - const char *cert_file; - const char *name; - - gnutls_certificate_credentials_t cert; - gnutls_session_t session; - - union { - struct { - gnutls_datum_t session_ticket; - } client; - struct { - gnutls_anon_client_credentials_t anoncred_c; - gnutls_anon_server_credentials_t anoncred_s; - gnutls_psk_client_credentials_t pskcred_c; - gnutls_psk_server_credentials_t pskcred_s; - char *cert_file; - gnutls_dh_params_t dh_params; - } server; - } u; - - Emile_Cipher_Type t; - Emile_SSL_State ssl_state; - - Eina_Bool server : 1; - Eina_Bool verify : 1; - Eina_Bool verify_basic : 1; -}; - -GCRY_THREAD_OPTION_PTHREAD_IMPL; - -Eina_Bool -_emile_cipher_init(void) -{ - if (gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread)) - WRN("YOU ARE USING PTHREADS, " - "BUT I CANNOT INITIALIZE THREADSAFE GCRYPT OPERATIONS!"); - - /* Before the library can be used, it must initialize itself if needed. */ - if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0) - { - gcry_check_version(NULL); - /* Disable warning messages about problems with the secure memory subsystem. - This command should be run right after gcry_check_version. */ - if (gcry_control(GCRYCTL_DISABLE_SECMEM_WARN)) - return EINA_FALSE; - - /* This command is used to allocate a pool of secure memory and thus - enabling the use of secure memory. It also drops all extra privileges the - process has (i.e. if it is run as setuid (root)). If the argument nbytes - is 0, secure memory will be disabled. The minimum amount of secure memory - allocated is currently 16384 bytes; you may thus use a value of 1 to - request that default size. */ - if (gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0)) - WRN("BIG FAT WARNING: I AM UNABLE TO REQUEST SECMEM, " - "Cryptographic operation are at risk !"); - } - - if (gnutls_global_init()) - return EINA_FALSE; - - return EINA_TRUE; -} - -static inline Eina_Bool -emile_hmac_sha1(const void *key, - size_t key_len, - const void *data, - size_t data_len, - unsigned char *res) -{ - size_t hlen = gcry_md_get_algo_dlen(GCRY_MD_SHA1); - gcry_md_hd_t mdh; - unsigned char *hash; - gpg_error_t err; - - err = gcry_md_open(&mdh, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); - if (err != GPG_ERR_NO_ERROR) - return EINA_FALSE; - - err = gcry_md_setkey(mdh, key, key_len); - if (err != GPG_ERR_NO_ERROR) - { - gcry_md_close(mdh); - return EINA_FALSE; - } - - gcry_md_write(mdh, data, data_len); - - hash = gcry_md_read(mdh, GCRY_MD_SHA1); - if (!hash) - { - gcry_md_close(mdh); - return EINA_FALSE; - } - - memcpy(res, hash, hlen); - - gcry_md_close(mdh); - - return EINA_TRUE; -} - -EAPI Eina_Bool -emile_binbuf_hmac_sha1(const char *key, - unsigned int key_len, - const Eina_Binbuf *data, - unsigned char digest[20]) -{ - return emile_hmac_sha1(key, key_len, - eina_binbuf_string_get(data), eina_binbuf_length_get(data), - digest); -} - -static inline Eina_Bool -emile_sha1(const void *data, - size_t data_len, - unsigned char *res) -{ - size_t hlen = gcry_md_get_algo_dlen(GCRY_MD_SHA1); - gcry_md_hd_t mdh; - unsigned char *hash; - gpg_error_t err; - - err = gcry_md_open(&mdh, GCRY_MD_SHA1, 0); - if (err != GPG_ERR_NO_ERROR) - return EINA_FALSE; - - gcry_md_write(mdh, data, data_len); - - hash = gcry_md_read(mdh, GCRY_MD_SHA1); - if (!hash) - { - gcry_md_close(mdh); - return EINA_FALSE; - } - - memcpy(res, hash, hlen); - - gcry_md_close(mdh); - - return EINA_TRUE; -} - -EAPI Eina_Bool -emile_binbuf_sha1(const Eina_Binbuf * data, unsigned char digest[20]) -{ - Eina_Slice slice = eina_binbuf_slice_get(data); - return emile_sha1(slice.mem, slice.len, digest); -} - -EAPI Eina_Binbuf * -emile_binbuf_cipher(Emile_Cipher_Algorithm algo, - const Eina_Binbuf *data, - const char *key, - unsigned int length) -{ - /* Cipher declarations */ - Eina_Binbuf *result; - unsigned char *pointer; - unsigned char iv[MAX_IV_LEN]; - unsigned char ik[MAX_KEY_LEN]; - unsigned char key_material[MAX_IV_LEN + MAX_KEY_LEN]; - unsigned int salt; - unsigned int tmp = 0; - unsigned int crypted_length; - int opened = 0; - /* Gcrypt declarations */ - gcry_error_t err = 0; - gcry_cipher_hd_t cipher; - - if (algo != EMILE_AES256_CBC) return NULL; - if (!emile_cipher_init()) return NULL; - - /* Gcrypt salt generation */ - gcry_create_nonce((unsigned char *)&salt, sizeof(salt)); - - result = eina_binbuf_new(); - if (!result) return NULL; - - emile_pbkdf2_sha1(key, - length, - (unsigned char *)&salt, - sizeof(unsigned int), - 2048, - key_material, - MAX_KEY_LEN + MAX_IV_LEN); - - memcpy(iv, key_material, MAX_IV_LEN); - memcpy(ik, key_material + MAX_IV_LEN, MAX_KEY_LEN); - - memset(key_material, 0, sizeof (key_material)); - - crypted_length = ((((eina_binbuf_length_get(data) + sizeof (unsigned int)) >> 5) + 1) << 5) - + sizeof (unsigned int); - - eina_binbuf_append_length(result, (unsigned char*) &salt, sizeof (salt)); - memset(&salt, 0, sizeof (salt)); - - tmp = eina_htonl(eina_binbuf_length_get(data)); - eina_binbuf_append_length(result, (unsigned char*) &tmp, sizeof (tmp)); - eina_binbuf_append_buffer(result, data); - - while (eina_binbuf_length_get(result) < crypted_length) - { - int r; - - r = rand(); - eina_binbuf_append_length(result, (unsigned char*) &r, sizeof (r)); - } - eina_binbuf_remove(result, crypted_length, eina_binbuf_length_get(result)); - - /* Gcrypt create the corresponding cipher - AES with a 256 bit key, Cipher Block Chaining mode */ - err = gcry_cipher_open(&cipher, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CBC, 0); - if (err) goto on_error; - - opened = 1; - err = gcry_cipher_setiv(cipher, iv, MAX_IV_LEN); - if (err) goto on_error; - - err = gcry_cipher_setkey(cipher, ik, MAX_KEY_LEN); - if (err) goto on_error; - - memset(iv, 0, sizeof (iv)); - memset(ik, 0, sizeof (ik)); - - pointer = (unsigned char*) eina_binbuf_string_get(result); - - /* Gcrypt encrypt */ - err = gcry_cipher_encrypt(cipher, pointer + sizeof (int), - eina_binbuf_length_get(result) - sizeof (int), - NULL, 0); - if (err) goto on_error; - - /* Gcrypt close the cipher */ - gcry_cipher_close(cipher); - - return result; - -on_error: - memset(iv, 0, sizeof (iv)); - memset(ik, 0, sizeof (ik)); - - /* Gcrypt error */ - if (opened) - gcry_cipher_close(cipher); - - /* General error */ - eina_binbuf_free(result); - - return NULL; -} - -EAPI Eina_Binbuf * -emile_binbuf_decipher(Emile_Cipher_Algorithm algo, - const Eina_Binbuf *data, - const char *key, - unsigned int length) -{ - Eina_Binbuf *result = NULL; - unsigned int *over; - gcry_error_t err = 0; - gcry_cipher_hd_t cipher; - unsigned char ik[MAX_KEY_LEN]; - unsigned char iv[MAX_IV_LEN]; - unsigned char key_material[MAX_KEY_LEN + MAX_IV_LEN]; - unsigned int salt; - unsigned int size; - int tmp_len; - int tmp = 0; - - if (algo != EMILE_AES256_CBC) return NULL; - if (!emile_cipher_init()) return NULL; - - over = (unsigned int*) eina_binbuf_string_get(data); - size = eina_binbuf_length_get(data); - - /* At least the salt and an AES block */ - if (size < sizeof(unsigned int) + 16) - return NULL; - - /* Get the salt */ - salt = *over; - - /* Generate the iv and the key with the salt */ - emile_pbkdf2_sha1(key, length, (unsigned char *)&salt, - sizeof(unsigned int), 2048, key_material, - MAX_KEY_LEN + MAX_IV_LEN); - - memcpy(iv, key_material, MAX_IV_LEN); - memcpy(ik, key_material + MAX_IV_LEN, MAX_KEY_LEN); - - memset(key_material, 0, sizeof (key_material)); - memset(&salt, 0, sizeof (salt)); - - /* Align to AES block size if size is not align */ - tmp_len = size - sizeof (unsigned int); - if ((tmp_len & 0x1F) != 0) goto on_error; - - result = eina_binbuf_new(); - if (!result) goto on_error; - - eina_binbuf_append_length(result, (unsigned char*) (over + 1), tmp_len); - - /* Gcrypt create the corresponding cipher */ - err = gcry_cipher_open(&cipher, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CBC, 0); - if (err) goto on_error; - - err = gcry_cipher_setiv(cipher, iv, MAX_IV_LEN); - if (err) goto on_error; - - err = gcry_cipher_setkey(cipher, ik, MAX_KEY_LEN); - if (err) goto on_error; - - memset(iv, 0, sizeof (iv)); - memset(ik, 0, sizeof (ik)); - - /* Gcrypt decrypt */ - err = gcry_cipher_decrypt(cipher, - (void*) eina_binbuf_string_get(result), tmp_len, - (void*) (over + 1), tmp_len); - if (err) goto on_error; - - /* Gcrypt close the cipher */ - gcry_cipher_close(cipher); - - /* Get the decrypted data size */ - tmp = *(unsigned int*)(eina_binbuf_string_get(result)); - tmp = eina_ntohl(tmp); - if (tmp > tmp_len || tmp <= 0) - goto on_error; - - /* Remove header and padding */ - eina_binbuf_remove(result, 0, sizeof (unsigned int)); - eina_binbuf_remove(result, tmp, eina_binbuf_length_get(result)); - - return result; - -on_error: - memset(iv, 0, sizeof (iv)); - memset(ik, 0, sizeof (ik)); - - eina_binbuf_free(result); - - return NULL; -} - -// FIXME: handshaking and fun - - -EAPI Emile_SSL * -emile_cipher_server_listen(Emile_Cipher_Type t) -{ - Emile_SSL *r; - int ret; - - if (t != EMILE_SSLv23 && - t != EMILE_TLSv1) - return NULL; - - r = calloc(1, sizeof (Emile_SSL)); - if (!r) return NULL; - - ret = gnutls_certificate_allocate_credentials(&r->cert); - if (ret) goto on_error; - - r->t = t; - r->server = EINA_TRUE; - - return r; - - on_error: - ERR("GNUTLS error: %s - %s.", - gnutls_strerror_name(ret), - gnutls_strerror(ret)); - emile_cipher_free(r); - return NULL; -} - -EAPI Emile_SSL * -emile_cipher_client_connect(Emile_SSL *server EINA_UNUSED, int fd EINA_UNUSED) -{ - return NULL; -} - -EAPI Emile_SSL * -emile_cipher_server_connect(Emile_Cipher_Type t) -{ - const char *priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT"; - Emile_SSL *r; - int ret; - - switch (t) - { - case EMILE_SSLv23: - break; - case EMILE_TLSv1: - priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0"; - break; - default: - return NULL; - } - - r = calloc(1, sizeof (Emile_SSL)); - if (!r) return NULL; - - r->server = EINA_FALSE; - - ret = gnutls_certificate_allocate_credentials(&r->cert); - if (ret) goto on_error; - - ret = gnutls_init(&r->session, GNUTLS_CLIENT); - if (ret) goto on_error; - - ret = gnutls_session_ticket_enable_client(r->session); - if (ret) goto on_error; - - // FIXME: Delay that until later access - - ret = gnutls_server_name_set(r->session, GNUTLS_NAME_DNS, - r->name, strlen(r->name)); - if (ret) goto on_error; - - ret = gnutls_priority_set_direct(r->session, priority, NULL); - if (ret) goto on_error; - - gnutls_handshake_set_private_extensions(r->session, 1); - ret = gnutls_credentials_set(r->session, GNUTLS_CRD_CERTIFICATE, r->cert); - - return r; - - on_error: - // FIXEM: cleanly destroy session - free(r); - return NULL; -} - -EAPI Eina_Bool -emile_cipher_free(Emile_SSL *emile EINA_UNUSED) -{ - return EINA_TRUE; -} - -EAPI Eina_Bool -emile_cipher_cafile_add(Emile_SSL *emile, const char *file) -{ - Eina_File_Direct_Info *info; - Eina_Iterator *it; - struct stat st; - int count = 0; - int ret; - - if (stat(file, &st)) return EINA_FALSE; - if (S_ISDIR(st.st_mode)) - { - it = eina_file_direct_ls(file); - EINA_ITERATOR_FOREACH(it, info) - { - if (!(info->type == EINA_FILE_UNKNOWN || - info->type == EINA_FILE_REG || - info->type == EINA_FILE_LNK)) - continue ; - - ret = gnutls_certificate_set_x509_trust_file(emile->cert, - file, - GNUTLS_X509_FMT_PEM); - if (ret > 0) count += ret; - } - eina_iterator_free(it); - } - else - { - ret = gnutls_certificate_set_x509_trust_file(emile->cert, - file, - GNUTLS_X509_FMT_PEM); - if (ret > 0) count += ret; - } - - if (!count) ERR("Could not load CA file from '%s'.", file); - return !count ? EINA_FALSE : EINA_TRUE; -} - -EAPI Eina_Bool -emile_cipher_cert_add(Emile_SSL *emile, const char *file) -{ - return eina_stringshare_replace(&emile->cert_file, file); -} - -EAPI Eina_Bool -emile_cipher_privkey_add(Emile_SSL *emile, const char *file) -{ - int ret; - - ret = gnutls_certificate_set_x509_key_file(emile->cert, - emile->cert_file, - file, - GNUTLS_X509_FMT_PEM); - if (ret) - ERR("Could not load certificate/key file ('%s'/'%s').", - emile->cert_file, file); - return ret ? EINA_FALSE : EINA_TRUE; -} - -EAPI Eina_Bool -emile_cipher_crl_add(Emile_SSL *emile, const char *file) -{ - int ret; - - ret = gnutls_certificate_set_x509_crl_file(emile->cert, file, - GNUTLS_X509_FMT_PEM); - if (ret) - ERR("Could not load CRL file from '%s'.", file); - return ret ? EINA_FALSE : EINA_TRUE; -} - -EAPI int -emile_cipher_read(Emile_SSL *emile, Eina_Binbuf *buffer) -{ - int num; - - if (!buffer || eina_binbuf_length_get(buffer) <= 0) return 0; - if (emile->ssl_state == EMILE_SSL_STATE_HANDSHAKING) - { - DBG("Ongoing GNUTLS handshaking."); - //_emile_cipher_handshaking(emile); - if (emile->ssl_state == EMILE_SSL_STATE_ERROR) - return -1; - return 0; - } - - num = gnutls_record_recv(emile->session, - (void*) eina_binbuf_string_get(buffer), - eina_binbuf_length_get(buffer)); - return num; -} - -EAPI int -emile_cipher_write(Emile_SSL *emile EINA_UNUSED, const Eina_Binbuf *buffer EINA_UNUSED) -{ - return 0; -} - -EAPI const char * -emile_cipher_error_get(const Emile_SSL *emile) -{ - return emile->last_error; -} - -EAPI Eina_Bool -emile_cipher_verify_name_set(Emile_SSL *emile, const char *name) -{ - return eina_stringshare_replace(&emile->name, name); -} - -EAPI const char * -emile_cipher_verify_name_get(const Emile_SSL *emile) -{ - return emile->name; -} - -EAPI void -emile_cipher_verify_set(Emile_SSL *emile, Eina_Bool verify) -{ - emile->verify = verify; -} - -EAPI void -emile_cipher_verify_basic_set(Emile_SSL *emile, Eina_Bool verify_basic) -{ - emile->verify_basic = verify_basic; -} - -EAPI Eina_Bool -emile_cipher_verify_get(const Emile_SSL *emile) -{ - return emile->verify; -} - -EAPI Eina_Bool -emile_cipher_verify_basic_get(const Emile_SSL *emile) -{ - return emile->verify_basic; -} - diff --git a/src/lib/emile/emile_main.c b/src/lib/emile/emile_main.c index ce20df757d..58806e2019 100644 --- a/src/lib/emile/emile_main.c +++ b/src/lib/emile/emile_main.c @@ -1,17 +1,11 @@ #ifdef HAVE_CONFIG_H -#include +# include #endif /* ifdef HAVE_CONFIG_H */ -#ifdef HAVE_GNUTLS -#include -#include -#include -#endif /* ifdef HAVE_GNUTLS */ - #ifdef HAVE_OPENSSL -#include -#include -#include +# include +# include +# include #endif /* ifdef HAVE_OPENSSL */ #include @@ -40,15 +34,11 @@ emile_cipher_init(void) EAPI Emile_Cipher_Backend emile_cipher_module_get(void) { -#ifdef HAVE_GNUTLS - return EMILE_GNUTLS; -#else #ifdef HAVE_OPENSSL return EMILE_OPENSSL; #else return EMILE_NONE; #endif -#endif } EAPI int @@ -87,22 +77,6 @@ emile_shutdown(void) if (_emile_cipher_inited) { -#ifdef HAVE_GNUTLS - /* Note that gnutls has a leak where it doesnt free stuff it alloced - * on init. valgrind trace here: - * 21 bytes in 1 blocks are definitely lost in loss record 24 of 194 - * at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) - * by 0x68AC801: strdup (strdup.c:43) - * by 0xD215B6A: p11_kit_registered_module_to_name (in /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0) - * by 0x9571574: gnutls_pkcs11_init (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.21.8) - * by 0x955B031: gnutls_global_init (in /usr/lib/x86_64-linux-gnu/libgnutls.so.26.21.8) - * by 0x6DFD6D0: eet_init (eet_lib.c:608) - * - * yes - i've tried calling gnutls_pkcs11_deinit() by hand but no luck. - * the leak is in there. - */ - gnutls_global_deinit(); -#endif /* ifdef HAVE_GNUTLS */ #if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) EVP_cleanup(); ERR_free_strings(); diff --git a/src/lib/emile/meson.build b/src/lib/emile/meson.build index fb5822836b..9c546594e6 100644 --- a/src/lib/emile/meson.build +++ b/src/lib/emile/meson.build @@ -18,9 +18,7 @@ emile_src = files([ 'emile_base64.c', ]) -if (get_option('crypto') == 'gnutls') - emile_src += files('emile_cipher_gnutls.c') -elif (get_option('crypto') == 'openssl') +if (get_option('crypto') == 'openssl') emile_src += files('emile_cipher_openssl.c') endif diff --git a/src/tests/ecore_con/ecore_con_test_ecore_con.c b/src/tests/ecore_con/ecore_con_test_ecore_con.c index 7a6333fa0e..c2366c508b 100644 --- a/src/tests/ecore_con/ecore_con_test_ecore_con.c +++ b/src/tests/ecore_con/ecore_con_test_ecore_con.c @@ -454,9 +454,7 @@ EFL_END_TEST EFL_START_TEST(ecore_test_ecore_con_ssl_available) { int ret = ecore_con_ssl_available_get(); -#ifdef HAVE_GNUTLS - fail_if(ret != 1); -#elif HAVE_OPENSSL +#ifdef HAVE_OPENSSL fail_if(ret != 2); #else fail_if(!ret);