
Commit 0f3e2af

authored
Merge pull request #123 from ggtakec/fix_gnutls
Fixed bugs about connecting with SSL by gnuTLS
2 parents 2c9072f + a2859db commit 0f3e2af

1 file changed

+63
-25
lines changed

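--- a/lib/chmssgnutls.cc
+++ b/lib/chmssgnutls.cc
@@ -377,16 +377,22 @@ bool ChmSecureSock::SetExtValue(const char* key, const char* value)
 
 bool ChmSecureSock::LoadCACerts(gnutls_certificate_credentials_t& cert_cred)
 {
-int resgnutls = GNUTLS_E_SUCCESS;
+int resgnutls;
 
 // set default system trusted CA certs
 if(ChmSecureSock::GetCAPath().empty() && ChmSecureSock::GetCAFile().empty()){
-if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_certificate_set_x509_system_trust(cert_cred))){
+if(0 > (resgnutls = gnutls_certificate_set_x509_system_trust(cert_cred))){
 if(GNUTLS_E_UNIMPLEMENTED_FEATURE == resgnutls){
 MSG_CHMPRN("Not support gnutls_certificate_set_x509_system_trust" CHM_GNUTLS_ERR_PRN_FORM, CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
 }else{
 WAN_CHMPRN("Failed to load system trusted CA" CHM_GNUTLS_ERR_PRN_FORM ", but continue...", CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
 }
+}else{
+if(0 == resgnutls){
+WAN_CHMPRN("No CA certification is loaded.");
+}else{
+MSG_CHMPRN("CA certifications(%d) are loaded.", resgnutls);
+}
 }
 }else{
 if(!ChmSecureSock::GetCAPath().empty()){
@@ -407,19 +413,30 @@ bool ChmSecureSock::LoadCACerts(gnutls_certificate_credentials_t& cert_cred)
 }
 string certfile = ChmSecureSock::GetCAPath() + string("/") + dent->d_name;
 
-if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_certificate_set_x509_trust_file(cert_cred, certfile.c_str(), GNUTLS_X509_FMT_PEM))){
+if(0 > (resgnutls = gnutls_certificate_set_x509_trust_file(cert_cred, certfile.c_str(), GNUTLS_X509_FMT_PEM))){
 WAN_CHMPRN("Failed to load CA file(%s) in CA directory(%s)" CHM_GNUTLS_ERR_PRN_FORM ", but continue...", dent->d_name, ChmSecureSock::GetCAPath().c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
+}else{
+if(0 == resgnutls){
+WAN_CHMPRN("No CA certification is loaded from CA file(%s) in CA directory(%s).", dent->d_name, ChmSecureSock::GetCAPath().c_str());
+}else{
+MSG_CHMPRN("CA certifications(%d) are loaded from CA file(%s) in CA directory(%s).", resgnutls, dent->d_name, ChmSecureSock::GetCAPath().c_str());
+}
 }
 }
 if(0 != closedir(pdir)){
 ERR_CHMPRN("Failed to close directory(%s) for CA certs by errno(%d), but continue...", ChmSecureSock::GetCAPath().c_str(), errno);
 }
 }
 if(!ChmSecureSock::GetCAFile().empty()){
-if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_certificate_set_x509_trust_file(cert_cred, ChmSecureSock::GetCAFile().c_str(), GNUTLS_X509_FMT_PEM))){
+if(0 > (resgnutls = gnutls_certificate_set_x509_trust_file(cert_cred, ChmSecureSock::GetCAFile().c_str(), GNUTLS_X509_FMT_PEM))){
 ERR_CHMPRN("Failed to load CA file(%s)" CHM_GNUTLS_ERR_PRN_FORM, ChmSecureSock::GetCAFile().c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
 return false;
 }
+if(0 == resgnutls){
+ERR_CHMPRN("No CA certification is loaded from CA file(%s).", ChmSecureSock::GetCAPath().c_str());
+return false;
+}
+MSG_CHMPRN("CA certifications(%d) are loaded from CA file(%s).", resgnutls, ChmSecureSock::GetCAPath().c_str());
 }
 }
 return true;
@@ -567,17 +584,27 @@ ChmSSSession ChmSecureSock::AcceptSSL(ChmSSCtx ctx, int sock, int con_retrycnt,
 
 // Load server cert
 if(ctx->strServerPKey.empty()){
-resgnutls = gnutls_certificate_set_x509_crl_file(cert_cred, ctx->strServerCert.c_str(), GNUTLS_X509_FMT_PEM);
+if(0 > (resgnutls = gnutls_certificate_set_x509_crl_file(cert_cred, ctx->strServerCert.c_str(), GNUTLS_X509_FMT_PEM))){
+ERR_CHMPRN("Failed to load server cert(cert file=%s) allocate credential" CHM_GNUTLS_ERR_PRN_FORM, ctx->strServerCert.c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
+gnutls_certificate_free_credentials(cert_cred);
+return NULL;
+}
+if(0 == resgnutls){
+ERR_CHMPRN("No server cert is loaded from cert file(%s).", ctx->strServerCert.c_str());
+gnutls_certificate_free_credentials(cert_cred);
+return NULL;
+}
+MSG_CHMPRN("Server certs(%d) are loaded from cert file(%s).", resgnutls, ctx->strServerCert.c_str());
+
 }else{
-resgnutls = gnutls_certificate_set_x509_key_file(cert_cred, ctx->strServerCert.c_str(), ctx->strServerPKey.c_str(), GNUTLS_X509_FMT_PEM);
-}
-if(GNUTLS_E_SUCCESS != resgnutls){
-ERR_CHMPRN("Failed to load server cert(cert file=%s, key file=%s)allocate credential" CHM_GNUTLS_ERR_PRN_FORM, ctx->strServerCert.c_str(), ctx->strServerPKey.c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
-gnutls_certificate_free_credentials(cert_cred);
-return NULL;
+if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_certificate_set_x509_key_file(cert_cred, ctx->strServerCert.c_str(), ctx->strServerPKey.c_str(), GNUTLS_X509_FMT_PEM))){
+ERR_CHMPRN("Failed to load server cert(cert file=%s, key file=%s) allocate credential" CHM_GNUTLS_ERR_PRN_FORM, ctx->strServerCert.c_str(), ctx->strServerPKey.c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
+gnutls_certificate_free_credentials(cert_cred);
+return NULL;
+}
+MSG_CHMPRN("Server cert is loaded from cert file(%s) and key file(%s).", ctx->strServerCert.c_str(), ctx->strServerPKey.c_str());
 }
 
-
 // initialize session
 if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_init(&session, GNUTLS_SERVER | GNUTLS_NONBLOCK))){
 ERR_CHMPRN("Failed to initialize server session" CHM_GNUTLS_ERR_PRN_FORM, CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
@@ -621,12 +648,12 @@ ChmSSSession ChmSecureSock::AcceptSSL(ChmSSCtx ctx, int sock, int con_retrycnt,
 gnutls_transport_set_int(session, sock);
 
 // handshake
-for(bool isLoop = true; isLoop; isLoop = (0 > resgnutls && 0 == gnutls_error_is_fatal(resgnutls))){
-if(0 > (resgnutls = gnutls_handshake(session))){
+for(bool isLoop = true; isLoop; isLoop = (GNUTLS_E_SUCCESS != resgnutls && 0 == gnutls_error_is_fatal(resgnutls))){
+if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_handshake(session))){
 WAN_CHMPRN("Failed to handshake on server session" CHM_GNUTLS_ERR_PRN_FORM, CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
 }
 }
-if(0 > resgnutls){
+if(GNUTLS_E_SUCCESS != resgnutls){
 ERR_CHMPRN("Fatal failed to handshake on server session" CHM_GNUTLS_ERR_PRN_FORM, CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
 gnutls_deinit(session);
 gnutls_certificate_free_credentials(cert_cred);
@@ -673,14 +700,25 @@ ChmSSSession ChmSecureSock::ConnectSSL(ChmSSCtx ctx, int sock, int con_retrycnt,
 // Load slave cert
 if(ChmSecureSock::is_verify_peer && !ctx->strSlaveCert.empty()){
 if(ctx->strSlavePKey.empty()){
-resgnutls = gnutls_certificate_set_x509_crl_file(cert_cred, ctx->strSlaveCert.c_str(), GNUTLS_X509_FMT_PEM);
+if(0 > (resgnutls = gnutls_certificate_set_x509_crl_file(cert_cred, ctx->strSlaveCert.c_str(), GNUTLS_X509_FMT_PEM))){
+ERR_CHMPRN("Failed to load slave cert(cert file=%s) allocate credential" CHM_GNUTLS_ERR_PRN_FORM, ctx->strSlaveCert.c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
+gnutls_certificate_free_credentials(cert_cred);
+return NULL;
+}
+if(0 == resgnutls){
+ERR_CHMPRN("No slave cert is loaded from cert file(%s).", ctx->strSlaveCert.c_str());
+gnutls_certificate_free_credentials(cert_cred);
+return NULL;
+}
+MSG_CHMPRN("Server certs(%d) are loaded from cert file(%s).", resgnutls, ctx->strSlaveCert.c_str());
+
 }else{
-resgnutls = gnutls_certificate_set_x509_key_file(cert_cred, ctx->strSlaveCert.c_str(), ctx->strSlavePKey.c_str(), GNUTLS_X509_FMT_PEM);
-}
-if(GNUTLS_E_SUCCESS != resgnutls){
-ERR_CHMPRN("Failed to load slave cert(cert file=%s, key file=%s)allocate credential" CHM_GNUTLS_ERR_PRN_FORM, ctx->strSlaveCert.c_str(), ctx->strSlavePKey.c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
-gnutls_certificate_free_credentials(cert_cred);
-return NULL;
+if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_certificate_set_x509_key_file(cert_cred, ctx->strSlaveCert.c_str(), ctx->strSlavePKey.c_str(), GNUTLS_X509_FMT_PEM))){
+ERR_CHMPRN("Failed to load slave cert(cert file=%s, key file=%s) allocate credential" CHM_GNUTLS_ERR_PRN_FORM, ctx->strSlaveCert.c_str(), ctx->strSlavePKey.c_str(), CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
+gnutls_certificate_free_credentials(cert_cred);
+return NULL;
+}
+MSG_CHMPRN("Slave cert is loaded from cert file(%s) and key file(%s).", ctx->strSlaveCert.c_str(), ctx->strSlavePKey.c_str());
 }
 }else if(ChmSecureSock::is_verify_peer && ctx->strSlaveCert.empty()){
 ERR_CHMPRN("Slave cert file path is empty even though verify peer is true");
@@ -725,12 +763,12 @@ ChmSSSession ChmSecureSock::ConnectSSL(ChmSSCtx ctx, int sock, int con_retrycnt,
 gnutls_transport_set_int(session, sock);
 
 // handshake
-for(bool isLoop = true; isLoop; isLoop = (0 > resgnutls && 0 == gnutls_error_is_fatal(resgnutls))){
-if(0 > (resgnutls = gnutls_handshake(session))){
+for(bool isLoop = true; isLoop; isLoop = (GNUTLS_E_SUCCESS != resgnutls && 0 == gnutls_error_is_fatal(resgnutls))){
+if(GNUTLS_E_SUCCESS != (resgnutls = gnutls_handshake(session))){
 WAN_CHMPRN("Failed to handshake on slave session" CHM_GNUTLS_ERR_PRN_FORM, CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
 }
 }
-if(0 > resgnutls){
+if(GNUTLS_E_SUCCESS != resgnutls){
 ERR_CHMPRN("Fatal failed to handshake on slave session" CHM_GNUTLS_ERR_PRN_FORM, CHM_GNUTLS_ERR_PRN_ARGS(resgnutls));
 gnutls_deinit(session);
 gnutls_certificate_free_credentials(cert_cred);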
