#include "gns.h"
/** SSL **/
-#include <openssl/pem.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include <gnutls/crypto.h>
+#include <time.h>
#define GNUNET_GNS_PROXY_PORT 7777
/* regexp */
#define RE_DOTPLUS "<a href=\"http://(([A-Za-z]+[.])+)([+])"
+#define RE_A_HREF "<a href=\"https?://(([A-Za-z]+[.])+)([+]|zkey)"
#define RE_N_MATCHES 4
/* The usual suspects */
struct ProxyCA
{
/* The certificate */
- X509* cert;
+ gnutls_x509_crt_t cert;
/* The private key */
- EVP_PKEY *key;
+ gnutls_x509_privkey_t key;
};
*/
struct ProxyGNSCertificate
{
- /* The certificate */
- X509* cert;
+ /* The certificate as PEM */
+ char cert[10 * 1024];
- /* The private key */
- EVP_PKEY *key;
+ /* The private key as PEM */
+ char key[10 * 1024];
};
static regex_t re_dotplus;
/* The users local GNS zone hash */
-struct GNUNET_CRYPTO_ShortHashCode local_gns_zone;
+static struct GNUNET_CRYPTO_ShortHashCode local_gns_zone;
/* The CA for SSL certificate generation */
-struct ProxyCA *proxy_ca;
+static struct ProxyCA proxy_ca;
/**
* Checks if name is in tld
}
memset (ctask->pp_buf, 0, sizeof(ctask->pp_buf));
- memcpy (ctask->pp_buf, hostptr, (m[1].rm_eo-m[1].rm_so));
+
+ /* If .+ extend with authority */
+ if (0 == strcmp (ctask->buffer_ptr+m[1].rm_eo, "+"))
+ {
+ memcpy (ctask->pp_buf, hostptr, (m[1].rm_eo-m[1].rm_so));
+ strcpy ( ctask->pp_buf+strlen(ctask->pp_buf),
+ ctask->authority);
+ }
+ /* If .zkey simply copy the name */
+ else
+ {
+ memcpy (ctask->pp_buf, hostptr, (m[1].rm_eo-m[1].rm_so + strlen (GNUNET_TLD_ZKEY)));
+ }
ctask->is_postprocessing = GNUNET_YES;
ctask->pp_finished = GNUNET_NO;
+
+ GNUNET_GNS_shorten (gns_handle,
+ ctask->pp_buf,
+ &process_shorten,
+ ctask);
//postprocess_name(ctask, NULL);
- ctask->pp_task = GNUNET_SCHEDULER_add_now (&postprocess_name, ctask);
+ //ctask->pp_task = GNUNET_SCHEDULER_add_now (&postprocess_name, ctask);
return 0;
}
/** SSL stuff **/
/**
- * Get authority from file
+ * Load PEM key from file
+ *
+ * @param key where to store the data
+ * @param keyfile path to the PEM file
*/
-static X509*
-load_cert_from_file (char* file)
+static void
+load_key_from_file (gnutls_x509_privkey_t key, char* keyfile)
{
- SSL_CTX *context = NULL;;
+ gnutls_datum_t key_data;
+ int ret;
- context = SSL_CTX_new (SSLv23_server_method ());
+ key_data.data = (unsigned char*)load_file (keyfile);
+ key_data.size = strlen ((char*)key_data.data);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Reading cert file %s\n", file);
+ ret = gnutls_x509_privkey_import (key, &key_data,
+ GNUTLS_X509_FMT_PEM);
+
+ if (GNUTLS_E_SUCCESS != ret)
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Unable to import private key %s\n", keyfile);
+ GNUNET_break (0);
+ }
+}
- SSL_CTX_use_certificate_file (context, file, SSL_FILETYPE_PEM);
+/**
+ * Load cert from file
+ *
+ * @param crt struct to store data in
+ * @param certfile path to pem file
+ */
+static void
+load_cert_from_file (gnutls_x509_crt_t crt, char* certfile)
+{
+ gnutls_datum_t cert_data;
+ int ret;
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Extracting\n");
+ cert_data.data = (unsigned char*)load_file (certfile);
+ cert_data.size = strlen ((char*)cert_data.data);
- return SSL_get_certificate (SSL_new (context));
+ ret = gnutls_x509_crt_import (crt, &cert_data,
+ GNUTLS_X509_FMT_PEM);
+ if (GNUTLS_E_SUCCESS != ret)
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Unable to import certificate %s\n", certfile);
+ GNUNET_break (0);
+ }
}
/**
- * Get authority from file
+ * Generate new certificate for specific name
+ *
+ * @param name the subject name to generate a cert for
+ * @return a struct holding the PEM data
*/
-static struct ProxyCA*
-load_authority_from_file (char* file)
+static struct ProxyGNSCertificate *
+generate_gns_certificate (const char *name)
{
- struct ProxyCA *ca = NULL;
- SSL_CTX *context;
-
- ca = GNUNET_malloc (sizeof (struct ProxyCA));
-
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Reading cert file %s\n", file);
- ca->cert = load_cert_from_file (file);
- context = SSL_CTX_new (SSLv23_server_method ());
-
- SSL_CTX_use_PrivateKey_file (context, file, SSL_FILETYPE_PEM);
+ int ret;
+ unsigned int serial;
+ unsigned int bits;
+ size_t key_buf_size;
+ size_t cert_buf_size;
+ gnutls_x509_crt_t request;
+ gnutls_x509_privkey_t rsa;
+ time_t etime;
+ struct tm *tm_data;
- ca->key = SSL_get_privatekey (SSL_new (context));
+ ret = gnutls_x509_crt_init (&request);
- return ca;
+ if (GNUTLS_E_SUCCESS != ret)
+ {
+ GNUNET_break (0);
+ }
-}
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Generating key\n");
+ gnutls_x509_privkey_init (&rsa);
+ bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_NORMAL);
+ ret = gnutls_x509_privkey_generate (rsa, GNUTLS_PK_RSA, bits, 0);
+ if (GNUTLS_E_SUCCESS != ret)
+ {
+ GNUNET_break (0);
+ }
+ ret = gnutls_x509_crt_set_key (request, rsa);
-static unsigned int
-generate_serial ()
-{
- unsigned int serial;
- RAND_bytes ((unsigned char*)&serial, sizeof (serial));
+ if (GNUTLS_E_SUCCESS != ret)
+ {
+ GNUNET_break (0);
+ }
- return serial;
-}
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Generating cert\n");
+ struct ProxyGNSCertificate *pgc =
+ GNUNET_malloc (sizeof (struct ProxyGNSCertificate));
-/* The template certificate file */
-char* template_cert_file;
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Adding DNs\n");
+
+ gnutls_x509_crt_set_dn_by_oid (request, GNUTLS_OID_X520_COUNTRY_NAME,
+ 0, "DE", 2);
-/* The template certificate */
-X509 *template_certificate;
+ gnutls_x509_crt_set_dn_by_oid (request, GNUTLS_OID_X520_ORGANIZATION_NAME,
+ 0, "GNUnet", 6);
+ gnutls_x509_crt_set_dn_by_oid (request, GNUTLS_OID_X520_COMMON_NAME,
+ 0, name, strlen (name));
-/**
- * Generate new certificate for specific name
- *
- */
-static struct ProxyGNSCertificate*
-generate_gns_certificate (const char *name, char *keyfilename, char *certfilename)
-{
- X509_NAME *server_name = X509_get_subject_name (template_certificate);
- X509_NAME *issuer_name = X509_get_subject_name (proxy_ca->cert);
- X509 *request = X509_new ();
- int cn_nid = OBJ_txt2nid("CN");
- int cn_idx = X509_NAME_get_index_by_NID(server_name, cn_nid, -1);
- RSA *rsa = RSA_generate_key (1024, RSA_F4, NULL, NULL);
- EVP_PKEY *rsa_spec = EVP_PKEY_new();
- FILE* keyfile;
- FILE* certfile;
+ ret = gnutls_x509_crt_set_version (request, 3);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Generating key\n");
+ ret = gnutls_rnd (GNUTLS_RND_NONCE, &serial, sizeof (serial));
- EVP_PKEY_assign_RSA (rsa_spec, rsa);
+ etime = time (NULL);
+ tm_data = localtime (&etime);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Generating cert\n");
- struct ProxyGNSCertificate *pgc =
- GNUNET_malloc (sizeof (struct ProxyGNSCertificate));
+ ret = gnutls_x509_crt_set_serial (request,
+ &serial,
+ sizeof (serial));
- X509_NAME_delete_entry (server_name, cn_idx);
-
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Adding name\n");
- if (!X509_NAME_add_entry_by_txt (server_name, "CN",
- MBSTRING_UTF8, (const unsigned char*)name,
- -1, -1, 0))
+ ret = gnutls_x509_crt_set_activation_time (request,
+ etime);
+ tm_data->tm_year++;
+ etime = mktime (tm_data);
+
+ if (-1 == etime)
{
- return NULL;
+ GNUNET_break (0);
}
- X509_set_version(request, 3);
- X509_set_subject_name(request, server_name);
- X509_set_issuer_name(request, issuer_name);
-
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Signing\n");
- ASN1_INTEGER_set(X509_get_serialNumber(request), generate_serial());
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Signing\n");
- X509_gmtime_adj(X509_get_notBefore(request), -365);
- X509_gmtime_adj(X509_get_notAfter(request), (long)60*60*24*365);
- X509_set_pubkey(request, rsa_spec);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Signing %d\n", proxy_ca->key);
- X509_sign(request, proxy_ca->key, EVP_sha1());
-
- pgc->cert = request;
- pgc->key = rsa_spec;
+ ret = gnutls_x509_crt_set_expiration_time (request,
+ etime);
+ GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Signing...\n");
-
+ ret = gnutls_x509_crt_sign (request, proxy_ca.cert, proxy_ca.key);
- keyfile = fopen (keyfilename, "w+");
- certfile = fopen (certfilename, "w+");
+ key_buf_size = sizeof (pgc->key);
+ cert_buf_size = sizeof (pgc->cert);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Writing to file %d\n", rsa_spec);
- PEM_write_PrivateKey (keyfile, rsa_spec,
- NULL, NULL, 0, NULL, NULL);
- GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Writing to file %d\n", request);
- PEM_write_X509 (certfile, request);
+ gnutls_x509_crt_export (request, GNUTLS_X509_FMT_PEM,
+ pgc->cert, &cert_buf_size);
- fclose (keyfile);
- fclose (certfile);
+ gnutls_x509_privkey_export (rsa, GNUTLS_X509_FMT_PEM,
+ pgc->key, &key_buf_size);
- return pgc;
-}
+ gnutls_x509_crt_deinit (request);
+ gnutls_x509_privkey_deinit (rsa);
+ return pgc;
+}
/**
add_handle_to_ssl_mhd (struct GNUNET_NETWORK_Handle *h, char* domain)
{
struct MhdHttpList *hd = NULL;
-
- char* key_pem;
- char* cert_pem;
- char key_pem_file[1024];
- char cert_pem_file[1024];
-
- sprintf (key_pem_file, "%s.key", domain);
- sprintf (cert_pem_file, "%s.pem", domain);
-
- generate_gns_certificate (domain, key_pem_file, cert_pem_file);
-
- key_pem = load_file (key_pem_file);
- cert_pem = load_file (cert_pem_file);
+ struct ProxyGNSCertificate *pgc;
for (hd = mhd_httpd_head; hd != NULL; hd = hd->next)
{
if (NULL == hd)
{
/* Start new MHD */
- /* TODO: create cert, start SSL MHD */
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
"No previous SSL instance found... starting new one for %s\n",
domain);
+
+ pgc = generate_gns_certificate (domain);
+
hd = GNUNET_malloc (sizeof (struct MhdHttpList));
hd->is_ssl = GNUNET_YES;
strcpy (hd->domain, domain);
MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 16,
MHD_OPTION_NOTIFY_COMPLETED,
NULL, NULL,
- MHD_OPTION_HTTPS_MEM_KEY, key_pem,
- MHD_OPTION_HTTPS_MEM_CERT, cert_pem,
+ MHD_OPTION_HTTPS_MEM_KEY, pgc->key,
+ MHD_OPTION_HTTPS_MEM_CERT, pgc->cert,
MHD_OPTION_END);
hd->httpd_task = GNUNET_SCHEDULER_NO_TASK;
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
"Loading CA\n");
- SSL_library_init ();
- SSL_load_error_strings ();
- proxy_ca = load_authority_from_file (cafile);
+ gnutls_global_init ();
+
+ load_cert_from_file (proxy_ca.cert, cafile);
+ load_key_from_file (proxy_ca.key, cafile);
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
"Loading Template\n");
- template_certificate = load_cert_from_file (template_cert_file);
compile_regex (&re_dotplus, (char*) RE_DOTPLUS);
{'a', "authority", NULL,
gettext_noop ("pem file to use as CA"), 1,
&GNUNET_GETOPT_set_string, &cafile},
- {'t', "template", NULL,
- gettext_noop ("template certificate file to use"), 1,
- &GNUNET_GETOPT_set_string, &template_cert_file},
GNUNET_GETOPT_OPTION_END
};
int ret;
+ if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+ return 2;
+
GNUNET_log_setup ("gnunet-gns-proxy", "WARNING", NULL);
ret =
(GNUNET_OK ==
projects / oweals / gnunet.git / blobdiff