nxt_gnutls.c (65:10688b89aa16) nxt_gnutls.c (564:762f8c976ead)
1
2/*
3 * Copyright (C) Igor Sysoev
4 * Copyright (C) NGINX, Inc.
5 */
6
7#include <nxt_main.h>
8#include <gnutls/gnutls.h>

--- 85 unchanged lines hidden (view full) ---

94 }
95
96 started = 1;
97
98 /* TODO: gnutls_global_deinit */
99
100 ret = gnutls_global_init();
101 if (ret != GNUTLS_E_SUCCESS) {
1
2/*
3 * Copyright (C) Igor Sysoev
4 * Copyright (C) NGINX, Inc.
5 */
6
7#include <nxt_main.h>
8#include <gnutls/gnutls.h>

--- 85 unchanged lines hidden (view full) ---

94 }
95
96 started = 1;
97
98 /* TODO: gnutls_global_deinit */
99
100 ret = gnutls_global_init();
101 if (ret != GNUTLS_E_SUCCESS) {
102 nxt_gnutls_log_error(NXT_LOG_CRIT, nxt_thread_log(), ret,
102 nxt_gnutls_log_error(NXT_LOG_ALERT, nxt_thread_log(), ret,
103 "gnutls_global_init() failed");
104 return NXT_ERROR;
105 }
106
107 nxt_thread_log_error(NXT_LOG_INFO, "GnuTLS version: %s",
108 gnutls_check_version(NULL));
109
110#if (NXT_HAVE_GNUTLS_SET_TIME)

--- 51 unchanged lines hidden (view full) ---

162
163 conf->ctx = ctx;
164 conf->conn_init = nxt_gnutls_conn_init;
165
166 thr = nxt_thread();
167
168 ret = gnutls_certificate_allocate_credentials(&ctx->certificate);
169 if (ret != GNUTLS_E_SUCCESS) {
103 "gnutls_global_init() failed");
104 return NXT_ERROR;
105 }
106
107 nxt_thread_log_error(NXT_LOG_INFO, "GnuTLS version: %s",
108 gnutls_check_version(NULL));
109
110#if (NXT_HAVE_GNUTLS_SET_TIME)

--- 51 unchanged lines hidden (view full) ---

162
163 conf->ctx = ctx;
164 conf->conn_init = nxt_gnutls_conn_init;
165
166 thr = nxt_thread();
167
168 ret = gnutls_certificate_allocate_credentials(&ctx->certificate);
169 if (ret != GNUTLS_E_SUCCESS) {
170 nxt_gnutls_log_error(NXT_LOG_CRIT, thr->log, ret,
170 nxt_gnutls_log_error(NXT_LOG_ALERT, thr->log, ret,
171 "gnutls_certificate_allocate_credentials() failed");
172 return NXT_ERROR;
173 }
174
175 certificate = conf->certificate;
176 key = conf->certificate_key;
177
178 ret = gnutls_certificate_set_x509_key_file(ctx->certificate, certificate,
179 key, GNUTLS_X509_FMT_PEM);
180 if (ret != GNUTLS_E_SUCCESS) {
171 "gnutls_certificate_allocate_credentials() failed");
172 return NXT_ERROR;
173 }
174
175 certificate = conf->certificate;
176 key = conf->certificate_key;
177
178 ret = gnutls_certificate_set_x509_key_file(ctx->certificate, certificate,
179 key, GNUTLS_X509_FMT_PEM);
180 if (ret != GNUTLS_E_SUCCESS) {
181 nxt_gnutls_log_error(NXT_LOG_CRIT, thr->log, ret,
181 nxt_gnutls_log_error(NXT_LOG_ALERT, thr->log, ret,
182 "gnutls_certificate_set_x509_key_file(\"%s\", \"%s\") failed",
183 certificate, key);
184 goto certificate_fail;
185 }
186
187 if (nxt_gnutls_set_ciphers(conf) != NXT_OK) {
188 goto ciphers_fail;
189 }
190
191 if (conf->ca_certificate != NULL) {
192 ca_certificate = conf->ca_certificate;
193
194 ret = gnutls_certificate_set_x509_trust_file(ctx->certificate,
195 ca_certificate,
196 GNUTLS_X509_FMT_PEM);
197 if (ret < 0) {
182 "gnutls_certificate_set_x509_key_file(\"%s\", \"%s\") failed",
183 certificate, key);
184 goto certificate_fail;
185 }
186
187 if (nxt_gnutls_set_ciphers(conf) != NXT_OK) {
188 goto ciphers_fail;
189 }
190
191 if (conf->ca_certificate != NULL) {
192 ca_certificate = conf->ca_certificate;
193
194 ret = gnutls_certificate_set_x509_trust_file(ctx->certificate,
195 ca_certificate,
196 GNUTLS_X509_FMT_PEM);
197 if (ret < 0) {
198 nxt_gnutls_log_error(NXT_LOG_CRIT, thr->log, ret,
198 nxt_gnutls_log_error(NXT_LOG_ALERT, thr->log, ret,
199 "gnutls_certificate_set_x509_trust_file(\"%s\") failed",
200 ca_certificate);
201 goto ca_certificate_fail;
202 }
203 }
204
205 return NXT_OK;
206

--- 25 unchanged lines hidden (view full) ---

232 ret = gnutls_priority_init(&ctx->ciphers, ciphers, &err);
233
234 switch (ret) {
235
236 case GNUTLS_E_SUCCESS:
237 return NXT_OK;
238
239 case GNUTLS_E_INVALID_REQUEST:
199 "gnutls_certificate_set_x509_trust_file(\"%s\") failed",
200 ca_certificate);
201 goto ca_certificate_fail;
202 }
203 }
204
205 return NXT_OK;
206

--- 25 unchanged lines hidden (view full) ---

232 ret = gnutls_priority_init(&ctx->ciphers, ciphers, &err);
233
234 switch (ret) {
235
236 case GNUTLS_E_SUCCESS:
237 return NXT_OK;
238
239 case GNUTLS_E_INVALID_REQUEST:
240 nxt_gnutls_log_error(NXT_LOG_CRIT, nxt_thread_log(), ret,
240 nxt_gnutls_log_error(NXT_LOG_ALERT, nxt_thread_log(), ret,
241 "gnutls_priority_init(\"%s\") failed at \"%s\"",
242 ciphers, err);
243 return NXT_ERROR;
244
245 default:
241 "gnutls_priority_init(\"%s\") failed at \"%s\"",
242 ciphers, err);
243 return NXT_ERROR;
244
245 default:
246 nxt_gnutls_log_error(NXT_LOG_CRIT, nxt_thread_log(), ret,
246 nxt_gnutls_log_error(NXT_LOG_ALERT, nxt_thread_log(), ret,
247 "gnutls_priority_init() failed");
248 return NXT_ERROR;
249 }
250}
251
252
253static void
254nxt_gnutls_conn_init(nxt_thread_t *thr, nxt_ssltls_conf_t *conf,

--- 17 unchanged lines hidden (view full) ---

272
273 mpcl = nxt_mem_pool_cleanup(c->mem_pool, 0);
274 if (mpcl == NULL) {
275 goto fail;
276 }
277
278 ret = gnutls_init(&ssltls->session, GNUTLS_SERVER);
279 if (ret != GNUTLS_E_SUCCESS) {
247 "gnutls_priority_init() failed");
248 return NXT_ERROR;
249 }
250}
251
252
253static void
254nxt_gnutls_conn_init(nxt_thread_t *thr, nxt_ssltls_conf_t *conf,

--- 17 unchanged lines hidden (view full) ---

272
273 mpcl = nxt_mem_pool_cleanup(c->mem_pool, 0);
274 if (mpcl == NULL) {
275 goto fail;
276 }
277
278 ret = gnutls_init(&ssltls->session, GNUTLS_SERVER);
279 if (ret != GNUTLS_E_SUCCESS) {
280 nxt_gnutls_log_error(NXT_LOG_CRIT, c->socket.log, ret,
280 nxt_gnutls_log_error(NXT_LOG_ALERT, c->socket.log, ret,
281 "gnutls_init() failed");
282 goto fail;
283 }
284
285 sess = ssltls->session;
286 mpcl->handler = nxt_gnutls_session_cleanup;
287 mpcl->data = ssltls;
288
289 ctx = conf->ctx;
290
291 ret = gnutls_priority_set(sess, ctx->ciphers);
292 if (ret != GNUTLS_E_SUCCESS) {
281 "gnutls_init() failed");
282 goto fail;
283 }
284
285 sess = ssltls->session;
286 mpcl->handler = nxt_gnutls_session_cleanup;
287 mpcl->data = ssltls;
288
289 ctx = conf->ctx;
290
291 ret = gnutls_priority_set(sess, ctx->ciphers);
292 if (ret != GNUTLS_E_SUCCESS) {
293 nxt_gnutls_log_error(NXT_LOG_CRIT, c->socket.log, ret,
293 nxt_gnutls_log_error(NXT_LOG_ALERT, c->socket.log, ret,
294 "gnutls_priority_set() failed");
295 goto fail;
296 }
297
298 /*
299 * Disable TLS random padding of records in CBC ciphers,
300 * which may be up to 255 bytes.
301 */
302 gnutls_record_disable_padding(sess);
303
304 ret = gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE,
305 ctx->certificate);
306 if (ret != GNUTLS_E_SUCCESS) {
294 "gnutls_priority_set() failed");
295 goto fail;
296 }
297
298 /*
299 * Disable TLS random padding of records in CBC ciphers,
300 * which may be up to 255 bytes.
301 */
302 gnutls_record_disable_padding(sess);
303
304 ret = gnutls_credentials_set(sess, GNUTLS_CRD_CERTIFICATE,
305 ctx->certificate);
306 if (ret != GNUTLS_E_SUCCESS) {
307 nxt_gnutls_log_error(NXT_LOG_CRIT, c->socket.log, ret,
307 nxt_gnutls_log_error(NXT_LOG_ALERT, c->socket.log, ret,
308 "gnutls_credentials_set() failed");
309 goto fail;
310 }
311
312 if (conf->ca_certificate != NULL) {
313 gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
314 }
315

--- 398 unchanged lines hidden (view full) ---

714
715 /* Fall through. */
716
717 case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: /* -9 */
718 c->socket.error = 1000; /* Nonexistent errno code. */
719 break;
720
721 default:
308 "gnutls_credentials_set() failed");
309 goto fail;
310 }
311
312 if (conf->ca_certificate != NULL) {
313 gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
314 }
315

--- 398 unchanged lines hidden (view full) ---

714
715 /* Fall through. */
716
717 case GNUTLS_E_UNEXPECTED_PACKET_LENGTH: /* -9 */
718 c->socket.error = 1000; /* Nonexistent errno code. */
719 break;
720
721 default:
722 return NXT_LOG_CRIT;
722 return NXT_LOG_ALERT;
723 }
724
725 return NXT_LOG_INFO;
726}
727
728
729static void
730nxt_gnutls_log_error(nxt_uint_t level, nxt_log_t *log, int err,

--- 12 unchanged lines hidden ---
723 }
724
725 return NXT_LOG_INFO;
726}
727
728
729static void
730nxt_gnutls_log_error(nxt_uint_t level, nxt_log_t *log, int err,

--- 12 unchanged lines hidden ---