aria2/src/LibgnutlsTLSContext.cc

/* <!-- copyright */
/*
 * aria2 - The high speed download utility
 *
 * Copyright (C) 2006 Tatsuhiro Tsujikawa
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 *
 * In addition, as a special exception, the copyright holders give
 * permission to link the code of portions of this program with the
 * OpenSSL library under certain conditions as described in each
 * individual source file, and distribute linked combinations
 * including the two.
 * You must obey the GNU General Public License in all respects
 * for all of the code used other than OpenSSL.  If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so.  If you
 * do not wish to do so, delete this exception statement from your
 * version.  If you delete this exception statement from all source
 * files in the program, then also delete it here.
 */
/* copyright --> */
#include "LibgnutlsTLSContext.h"

#ifdef HAVE_LIBGNUTLS
# include <gnutls/x509.h>
#endif // HAVE_LIBGNUTLS

#include "LogFactory.h"
#include "Logger.h"
#include "StringFormat.h"
#include "message.h"

namespace aria2 {

TLSContext::TLSContext():_certCred(0),
			 _peerVerificationEnabled(false),
			 _logger(LogFactory::getInstance())
{
  int r = gnutls_certificate_allocate_credentials(&_certCred);
  if(r == GNUTLS_E_SUCCESS) {
    _good = true;
    gnutls_certificate_set_verify_flags(_certCred,
					GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
  } else {
    _good =false;
    _logger->error("gnutls_certificate_allocate_credentials() failed."
		   " Cause: %s", gnutls_strerror(r));
  }
}

TLSContext::~TLSContext()
{
  if(_certCred) {
    gnutls_certificate_free_credentials(_certCred);
  }
}

bool TLSContext::good() const
{
  return _good;
}

bool TLSContext::bad() const
{
  return !_good;
}

void TLSContext::addClientKeyFile(const std::string& certfile,
				  const std::string& keyfile)
  throw(DlAbortEx)
{
  int ret = gnutls_certificate_set_x509_key_file(_certCred,
						 certfile.c_str(),
						 keyfile.c_str(),
						 GNUTLS_X509_FMT_PEM);
  if(ret != GNUTLS_E_SUCCESS) {
    throw DL_ABORT_EX
      (StringFormat("Failed to load client certificate from %s and"
		    " private key from %s. Cause: %s",
		    certfile.c_str(), keyfile.c_str(),
		    gnutls_strerror(ret)).str());
  }
}

void TLSContext::addTrustedCACertFile(const std::string& certfile)
  throw(DlAbortEx)
{
  int ret = gnutls_certificate_set_x509_trust_file(_certCred,
						   certfile.c_str(),
						   GNUTLS_X509_FMT_PEM);
  if(ret < 0) {
    throw DL_ABORT_EX
      (StringFormat
       (MSG_LOADING_TRUSTED_CA_CERT_FAILED,
	certfile.c_str(), gnutls_strerror(ret)).str());
  }
  _logger->info("%d certificate(s) were imported.", ret);
}

gnutls_certificate_credentials_t TLSContext::getCertCred() const
{
  return _certCred;
}

void TLSContext::enablePeerVerification()
{
  _peerVerificationEnabled = true;
}

void TLSContext::disablePeerVerification()
{
  _peerVerificationEnabled = false;
}

bool TLSContext::peerVerificationEnabled() const
{
  return _peerVerificationEnabled;
}

} // namespace aria2
2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Introduced TLSContext that holds TLS related data that can be shared with multiple SSL connections. * src/DownloadEngineFactory.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/Makefile.am * src/SocketCore.cc * src/SocketCore.h * src/TLSContext.h * src/message.h 2008-11-08 10:48:02 +00:00			`/* <!-- copyright */`
			`/*`
			`* aria2 - The high speed download utility`
			`*`
			`* Copyright (C) 2006 Tatsuhiro Tsujikawa`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 2 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA`
			`*`
			`* In addition, as a special exception, the copyright holders give`
			`* permission to link the code of portions of this program with the`
			`* OpenSSL library under certain conditions as described in each`
			`* individual source file, and distribute linked combinations`
			`* including the two.`
			`* You must obey the GNU General Public License in all respects`
			`* for all of the code used other than OpenSSL. If you modify`
			`* file(s) with this exception, you may extend this exception to your`
			`* version of the file(s), but you are not obligated to do so. If you`
			`* do not wish to do so, delete this exception statement from your`
			`* version. If you delete this exception statement from all source`
			`* files in the program, then also delete it here.`
			`*/`
			`/* copyright --> */`
			`#include "LibgnutlsTLSContext.h"`
2008-11-09 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Added the ability to verify peer in SSL/TLS using given CA certificates. The CA certificates are specified in --ca-certificate option. By default, the verification is disabled. Use --check-certificate option to enable it. * src/HttpRequestCommand.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/MultiUrlRequestInfo.cc * src/OptionHandlerFactory.cc * src/SocketCore.cc * src/SocketCore.h * src/a2functional.h * src/message.h * src/option_processing.cc * src/prefs.cc * src/prefs.h * src/usage_text.h 2008-11-09 07:36:44 +00:00
			`#ifdef HAVE_LIBGNUTLS`
			`# include <gnutls/x509.h>`
			`#endif // HAVE_LIBGNUTLS`

2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Introduced TLSContext that holds TLS related data that can be shared with multiple SSL connections. * src/DownloadEngineFactory.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/Makefile.am * src/SocketCore.cc * src/SocketCore.h * src/TLSContext.h * src/message.h 2008-11-08 10:48:02 +00:00			`#include "LogFactory.h"`
			`#include "Logger.h"`
			`#include "StringFormat.h"`
			`#include "message.h"`

			`namespace aria2 {`

2008-11-09 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Added the ability to verify peer in SSL/TLS using given CA certificates. The CA certificates are specified in --ca-certificate option. By default, the verification is disabled. Use --check-certificate option to enable it. * src/HttpRequestCommand.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/MultiUrlRequestInfo.cc * src/OptionHandlerFactory.cc * src/SocketCore.cc * src/SocketCore.h * src/a2functional.h * src/message.h * src/option_processing.cc * src/prefs.cc * src/prefs.h * src/usage_text.h 2008-11-09 07:36:44 +00:00			`TLSContext::TLSContext():_certCred(0),`
			`_peerVerificationEnabled(false),`
			`_logger(LogFactory::getInstance())`
2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Introduced TLSContext that holds TLS related data that can be shared with multiple SSL connections. * src/DownloadEngineFactory.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/Makefile.am * src/SocketCore.cc * src/SocketCore.h * src/TLSContext.h * src/message.h 2008-11-08 10:48:02 +00:00			`{`
			`int r = gnutls_certificate_allocate_credentials(&_certCred);`
			`if(r == GNUTLS_E_SUCCESS) {`
			`_good = true;`
2008-11-09 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Added the ability to verify peer in SSL/TLS using given CA certificates. The CA certificates are specified in --ca-certificate option. By default, the verification is disabled. Use --check-certificate option to enable it. * src/HttpRequestCommand.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/MultiUrlRequestInfo.cc * src/OptionHandlerFactory.cc * src/SocketCore.cc * src/SocketCore.h * src/a2functional.h * src/message.h * src/option_processing.cc * src/prefs.cc * src/prefs.h * src/usage_text.h 2008-11-09 07:36:44 +00:00			`gnutls_certificate_set_verify_flags(_certCred,`
			`GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);`
2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Introduced TLSContext that holds TLS related data that can be shared with multiple SSL connections. * src/DownloadEngineFactory.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/Makefile.am * src/SocketCore.cc * src/SocketCore.h * src/TLSContext.h * src/message.h 2008-11-08 10:48:02 +00:00			`} else {`
			`_good =false;`
			`_logger->error("gnutls_certificate_allocate_credentials() failed."`
			`" Cause: %s", gnutls_strerror(r));`
			`}`
			`}`

			`TLSContext::~TLSContext()`
			`{`
			`if(_certCred) {`
			`gnutls_certificate_free_credentials(_certCred);`
			`}`
			`}`

			`bool TLSContext::good() const`
			`{`
			`return _good;`
			`}`

			`bool TLSContext::bad() const`
			`{`
			`return !_good;`
			`}`

			`void TLSContext::addClientKeyFile(const std::string& certfile,`
			`const std::string& keyfile)`
			`throw(DlAbortEx)`
			`{`
			`int ret = gnutls_certificate_set_x509_key_file(_certCred,`
			`certfile.c_str(),`
			`keyfile.c_str(),`
			`GNUTLS_X509_FMT_PEM);`
			`if(ret != GNUTLS_E_SUCCESS) {`
2009-05-18 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Added source filename(__FILE__) and line number(__LINE__) to exception message. * src/AbstractCommand.cc * src/AbstractDiskWriter.cc * src/AbstractProxyResponseCommand.cc * src/BDE.h * src/BtAllowedFastMessage.cc * src/BtHandshakeMessageValidator.h * src/BtHaveAllMessage.cc * src/BtHaveNoneMessage.cc * src/BtPieceMessage.cc * src/BtRejectMessage.cc * src/ChunkedDecoder.cc * src/CookieStorage.cc * src/DHTAnnouncePeerMessage.cc * src/DHTEntryPointNameResolveCommand.cc * src/DHTMessageFactoryImpl.cc * src/DHTMessageTracker.cc * src/DHTRoutingTableDeserializer.cc * src/DHTRoutingTableSerializer.cc * src/DHTSetup.cc * src/DHTTokenTracker.cc * src/DefaultBtAnnounce.cc * src/DefaultBtContext.cc * src/DefaultBtInteractive.cc * src/DefaultBtMessageFactory.cc * src/DefaultBtProgressInfoFile.cc * src/DefaultExtensionMessageFactory.cc * src/DlAbortEx.h * src/DlRetryEx.h * src/DownloadCommand.cc * src/DownloadEngineFactory.cc * src/DownloadFailureException.h * src/Exception.cc * src/Exception.h * src/ExpatMetalinkProcessor.cc * src/ExpatXmlRpcRequestProcessor.cc * src/FallocFileAllocationIterator.cc * src/FatalException.h * src/FtpConnection.cc * src/FtpFinishDownloadCommand.cc * src/FtpInitiateConnectionCommand.cc * src/FtpNegotiationCommand.cc * src/GZipDecoder.cc * src/HandshakeExtensionMessage.cc * src/HttpConnection.cc * src/HttpHeaderProcessor.cc * src/HttpInitiateConnectionCommand.cc * src/HttpResponse.cc * src/HttpResponseCommand.cc * src/HttpServer.cc * src/HttpSkipResponseCommand.cc * src/InitiateConnectionCommandFactory.cc * src/IteratableChunkChecksumValidator.cc * src/LibgcryptARC4Context.h * src/LibgcryptARC4Decryptor.h * src/LibgcryptARC4Encryptor.h * src/LibgcryptDHKeyExchange.h * src/LibgnutlsTLSContext.cc * src/LibsslARC4Context.h * src/LibsslARC4Decryptor.h * src/LibsslARC4Encryptor.h * src/LibsslDHKeyExchange.h * src/LibsslTLSContext.cc * src/MSEHandshake.cc * src/MessageDigestHelper.cc * src/MetalinkHelper.cc * src/MultiDiskAdaptor.cc * src/NameMatchOptionHandler.h * src/NameResolver.cc * src/Netrc.cc * src/NsCookieParser.cc * src/OptionHandlerException.cc * src/OptionHandlerException.h * src/OptionHandlerImpl.h * src/OptionParser.cc * src/ParameterizedStringParser.cc * src/PeerAbstractCommand.cc * src/PeerConnection.cc * src/PeerMessageUtil.cc * src/PeerReceiveHandshakeCommand.cc * src/Platform.cc * src/ReceiverMSEHandshakeCommand.cc * src/RecoverableException.h * src/RequestGroup.cc * src/SimpleLogger.cc * src/SocketCore.cc * src/Sqlite3MozCookieParser.cc * src/UTPexExtensionMessage.cc * src/Util.cc * src/XML2SAXMetalinkProcessor.cc * src/Xml2XmlRpcRequestProcessor.cc * src/XmlRpcMethodImpl.cc * src/bencode.cc * src/download_helper.cc * src/messageDigest.h * test/ExceptionTest.cc * test/TestUtil.cc 2009-05-18 15:07:15 +00:00			`throw DL_ABORT_EX`
2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Introduced TLSContext that holds TLS related data that can be shared with multiple SSL connections. * src/DownloadEngineFactory.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/Makefile.am * src/SocketCore.cc * src/SocketCore.h * src/TLSContext.h * src/message.h 2008-11-08 10:48:02 +00:00			`(StringFormat("Failed to load client certificate from %s and"`
			`" private key from %s. Cause: %s",`
			`certfile.c_str(), keyfile.c_str(),`
			`gnutls_strerror(ret)).str());`
			`}`
			`}`

			`void TLSContext::addTrustedCACertFile(const std::string& certfile)`
			`throw(DlAbortEx)`
			`{`
			`int ret = gnutls_certificate_set_x509_trust_file(_certCred,`
			`certfile.c_str(),`
			`GNUTLS_X509_FMT_PEM);`
			`if(ret < 0) {`
2009-05-18 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Added source filename(__FILE__) and line number(__LINE__) to exception message. * src/AbstractCommand.cc * src/AbstractDiskWriter.cc * src/AbstractProxyResponseCommand.cc * src/BDE.h * src/BtAllowedFastMessage.cc * src/BtHandshakeMessageValidator.h * src/BtHaveAllMessage.cc * src/BtHaveNoneMessage.cc * src/BtPieceMessage.cc * src/BtRejectMessage.cc * src/ChunkedDecoder.cc * src/CookieStorage.cc * src/DHTAnnouncePeerMessage.cc * src/DHTEntryPointNameResolveCommand.cc * src/DHTMessageFactoryImpl.cc * src/DHTMessageTracker.cc * src/DHTRoutingTableDeserializer.cc * src/DHTRoutingTableSerializer.cc * src/DHTSetup.cc * src/DHTTokenTracker.cc * src/DefaultBtAnnounce.cc * src/DefaultBtContext.cc * src/DefaultBtInteractive.cc * src/DefaultBtMessageFactory.cc * src/DefaultBtProgressInfoFile.cc * src/DefaultExtensionMessageFactory.cc * src/DlAbortEx.h * src/DlRetryEx.h * src/DownloadCommand.cc * src/DownloadEngineFactory.cc * src/DownloadFailureException.h * src/Exception.cc * src/Exception.h * src/ExpatMetalinkProcessor.cc * src/ExpatXmlRpcRequestProcessor.cc * src/FallocFileAllocationIterator.cc * src/FatalException.h * src/FtpConnection.cc * src/FtpFinishDownloadCommand.cc * src/FtpInitiateConnectionCommand.cc * src/FtpNegotiationCommand.cc * src/GZipDecoder.cc * src/HandshakeExtensionMessage.cc * src/HttpConnection.cc * src/HttpHeaderProcessor.cc * src/HttpInitiateConnectionCommand.cc * src/HttpResponse.cc * src/HttpResponseCommand.cc * src/HttpServer.cc * src/HttpSkipResponseCommand.cc * src/InitiateConnectionCommandFactory.cc * src/IteratableChunkChecksumValidator.cc * src/LibgcryptARC4Context.h * src/LibgcryptARC4Decryptor.h * src/LibgcryptARC4Encryptor.h * src/LibgcryptDHKeyExchange.h * src/LibgnutlsTLSContext.cc * src/LibsslARC4Context.h * src/LibsslARC4Decryptor.h * src/LibsslARC4Encryptor.h * src/LibsslDHKeyExchange.h * src/LibsslTLSContext.cc * src/MSEHandshake.cc * src/MessageDigestHelper.cc * src/MetalinkHelper.cc * src/MultiDiskAdaptor.cc * src/NameMatchOptionHandler.h * src/NameResolver.cc * src/Netrc.cc * src/NsCookieParser.cc * src/OptionHandlerException.cc * src/OptionHandlerException.h * src/OptionHandlerImpl.h * src/OptionParser.cc * src/ParameterizedStringParser.cc * src/PeerAbstractCommand.cc * src/PeerConnection.cc * src/PeerMessageUtil.cc * src/PeerReceiveHandshakeCommand.cc * src/Platform.cc * src/ReceiverMSEHandshakeCommand.cc * src/RecoverableException.h * src/RequestGroup.cc * src/SimpleLogger.cc * src/SocketCore.cc * src/Sqlite3MozCookieParser.cc * src/UTPexExtensionMessage.cc * src/Util.cc * src/XML2SAXMetalinkProcessor.cc * src/Xml2XmlRpcRequestProcessor.cc * src/XmlRpcMethodImpl.cc * src/bencode.cc * src/download_helper.cc * src/messageDigest.h * test/ExceptionTest.cc * test/TestUtil.cc 2009-05-18 15:07:15 +00:00			`throw DL_ABORT_EX`
2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Introduced TLSContext that holds TLS related data that can be shared with multiple SSL connections. * src/DownloadEngineFactory.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/Makefile.am * src/SocketCore.cc * src/SocketCore.h * src/TLSContext.h * src/message.h 2008-11-08 10:48:02 +00:00			`(StringFormat`
			`(MSG_LOADING_TRUSTED_CA_CERT_FAILED,`
			`certfile.c_str(), gnutls_strerror(ret)).str());`
			`}`
			`_logger->info("%d certificate(s) were imported.", ret);`
			`}`

			`gnutls_certificate_credentials_t TLSContext::getCertCred() const`
			`{`
			`return _certCred;`
			`}`

2008-11-09 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Added the ability to verify peer in SSL/TLS using given CA certificates. The CA certificates are specified in --ca-certificate option. By default, the verification is disabled. Use --check-certificate option to enable it. * src/HttpRequestCommand.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/MultiUrlRequestInfo.cc * src/OptionHandlerFactory.cc * src/SocketCore.cc * src/SocketCore.h * src/a2functional.h * src/message.h * src/option_processing.cc * src/prefs.cc * src/prefs.h * src/usage_text.h 2008-11-09 07:36:44 +00:00			`void TLSContext::enablePeerVerification()`
			`{`
			`_peerVerificationEnabled = true;`
			`}`

			`void TLSContext::disablePeerVerification()`
			`{`
			`_peerVerificationEnabled = false;`
			`}`

			`bool TLSContext::peerVerificationEnabled() const`
			`{`
			`return _peerVerificationEnabled;`
			`}`

2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net> Introduced TLSContext that holds TLS related data that can be shared with multiple SSL connections. * src/DownloadEngineFactory.cc * src/LibgnutlsTLSContext.cc * src/LibgnutlsTLSContext.h * src/LibsslTLSContext.cc * src/LibsslTLSContext.h * src/Makefile.am * src/SocketCore.cc * src/SocketCore.h * src/TLSContext.h * src/message.h 2008-11-08 10:48:02 +00:00			`} // namespace aria2`