aboutsummaryrefslogtreecommitdiff
path: root/plugins/ice
diff options
context:
space:
mode:
authorfiaxh <git@lightrise.org>2021-03-24 14:12:42 +0100
committerfiaxh <git@lightrise.org>2021-03-25 14:45:54 +0100
commitec35f95e13f4f2f756c81a35ded0980245acc5f4 (patch)
treee5920e372955091cfb511b42e034d505030594bd /plugins/ice
parent4b230808b9566322fae8d1ef0d1a5cb3e8027d3b (diff)
downloaddino-ec35f95e13f4f2f756c81a35ded0980245acc5f4.tar.gz
dino-ec35f95e13f4f2f756c81a35ded0980245acc5f4.zip
Add initial support for DTLS-SRTP
Diffstat (limited to 'plugins/ice')
-rw-r--r--plugins/ice/CMakeLists.txt7
-rw-r--r--plugins/ice/src/dtls_srtp.vala247
-rw-r--r--plugins/ice/src/transport_parameters.vala48
-rw-r--r--plugins/ice/vapi/gnutls.vapi419
4 files changed, 715 insertions, 6 deletions
diff --git a/plugins/ice/CMakeLists.txt b/plugins/ice/CMakeLists.txt
index 90fe5b7d..38025aa0 100644
--- a/plugins/ice/CMakeLists.txt
+++ b/plugins/ice/CMakeLists.txt
@@ -2,6 +2,7 @@ find_packages(ICE_PACKAGES REQUIRED
Gee
GLib
GModule
+ GnuTLS
GObject
GTK3
Nice
@@ -9,8 +10,9 @@ find_packages(ICE_PACKAGES REQUIRED
vala_precompile(ICE_VALA_C
SOURCES
- src/plugin.vala
+ src/dtls_srtp.vala
src/module.vala
+ src/plugin.vala
src/transport_parameters.vala
src/util.vala
src/register_plugin.vala
@@ -18,6 +20,7 @@ CUSTOM_VAPIS
${CMAKE_BINARY_DIR}/exports/xmpp-vala.vapi
${CMAKE_BINARY_DIR}/exports/dino.vapi
${CMAKE_BINARY_DIR}/exports/qlite.vapi
+ ${CMAKE_BINARY_DIR}/exports/crypto.vapi
PACKAGES
${ICE_PACKAGES}
OPTIONS
@@ -26,7 +29,7 @@ OPTIONS
add_definitions(${VALA_CFLAGS} -DG_LOG_DOMAIN="ice")
add_library(ice SHARED ${ICE_VALA_C})
-target_link_libraries(ice libdino ${ICE_PACKAGES})
+target_link_libraries(ice libdino crypto-vala ${ICE_PACKAGES})
set_target_properties(ice PROPERTIES PREFIX "")
set_target_properties(ice PROPERTIES LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/plugins/)
diff --git a/plugins/ice/src/dtls_srtp.vala b/plugins/ice/src/dtls_srtp.vala
new file mode 100644
index 00000000..a21c242b
--- /dev/null
+++ b/plugins/ice/src/dtls_srtp.vala
@@ -0,0 +1,247 @@
+using GnuTLS;
+
+public class DtlsSrtp {
+
+ public signal void send_data(uint8[] data);
+
+ private X509.Certificate[] own_cert;
+ private X509.PrivateKey private_key;
+ private Cond buffer_cond = new Cond();
+ private Mutex buffer_mutex = new Mutex();
+ private Gee.LinkedList<Bytes> buffer_queue = new Gee.LinkedList<Bytes>();
+ private uint pull_timeout = uint.MAX;
+ private string peer_fingerprint;
+
+ private Crypto.Srtp.Session encrypt_session;
+ private Crypto.Srtp.Session decrypt_session;
+
+ public static DtlsSrtp setup() throws GLib.Error {
+ var obj = new DtlsSrtp();
+ obj.generate_credentials();
+ return obj;
+ }
+
+ internal string get_own_fingerprint(DigestAlgorithm digest_algo) {
+ return format_certificate(own_cert[0], digest_algo);
+ }
+
+ public void set_peer_fingerprint(string fingerprint) {
+ this.peer_fingerprint = fingerprint;
+ }
+
+ public uint8[] process_incoming_data(uint component_id, uint8[] data) {
+ if (decrypt_session != null) {
+ if (component_id == 1) return decrypt_session.decrypt_rtp(data);
+ if (component_id == 2) return decrypt_session.decrypt_rtcp(data);
+ } else if (component_id == 1) {
+ on_data_rec(data);
+ }
+ return null;
+ }
+
+ public uint8[] process_outgoing_data(uint component_id, uint8[] data) {
+ if (encrypt_session != null) {
+ if (component_id == 1) return encrypt_session.encrypt_rtp(data);
+ if (component_id == 2) return encrypt_session.encrypt_rtcp(data);
+ }
+ return null;
+ }
+
+ public void on_data_rec(owned uint8[] data) {
+ buffer_mutex.lock();
+ buffer_queue.add(new Bytes.take(data));
+ buffer_cond.signal();
+ buffer_mutex.unlock();
+ }
+
+ private void generate_credentials() throws GLib.Error {
+ int err = 0;
+
+ private_key = X509.PrivateKey.create();
+ err = private_key.generate(PKAlgorithm.RSA, 2048);
+ throw_if_error(err);
+
+ var start_time = new DateTime.now_local().add_days(1);
+ var end_time = start_time.add_days(2);
+
+ X509.Certificate cert = X509.Certificate.create();
+ cert.set_key(private_key);
+ cert.set_version(1);
+ cert.set_activation_time ((time_t) start_time.to_unix ());
+ cert.set_expiration_time ((time_t) end_time.to_unix ());
+
+ uint32 serial = 1;
+ cert.set_serial(&serial, sizeof(uint32));
+
+ cert.sign(cert, private_key);
+
+ own_cert = new X509.Certificate[] { (owned)cert };
+ }
+
+ public async void setup_dtls_connection(bool server) {
+ InitFlags server_or_client = server ? InitFlags.SERVER : InitFlags.CLIENT;
+ debug("Setting up DTLS connection. We're %s", server_or_client.to_string());
+
+ CertificateCredentials cert_cred = CertificateCredentials.create();
+ int err = cert_cred.set_x509_key(own_cert, private_key);
+ throw_if_error(err);
+
+ Session? session = Session.create(server_or_client | InitFlags.DATAGRAM);
+ session.enable_heartbeat(1);
+ session.set_srtp_profile_direct("SRTP_AES128_CM_HMAC_SHA1_80");
+ session.set_credentials(GnuTLS.CredentialsType.CERTIFICATE, cert_cred);
+ session.server_set_request(CertificateRequest.REQUEST);
+ session.set_priority_from_string("NORMAL:!VERS-TLS-ALL:+VERS-DTLS-ALL:+CTYPE-CLI-X509");
+
+ session.set_transport_pointer(this);
+ session.set_pull_function(pull_function);
+ session.set_pull_timeout_function(pull_timeout_function);
+ session.set_push_function(push_function);
+ session.set_verify_function(verify_function);
+
+ Thread<int> thread = new Thread<int> (null, () => {
+ DateTime maximum_time = new DateTime.now_utc().add_seconds(20);
+ do {
+ err = session.handshake();
+
+ DateTime current_time = new DateTime.now_utc();
+ if (maximum_time.compare(current_time) < 0) {
+ warning("DTLS handshake timeouted");
+ return -1;
+ }
+ } while (err < 0 && !((ErrorCode)err).is_fatal());
+ Idle.add(setup_dtls_connection.callback);
+ return err;
+ });
+ yield;
+ err = thread.join();
+
+ uint8[] km = new uint8[150];
+ Datum? client_key, client_salt, server_key, server_salt;
+ session.get_srtp_keys(km, km.length, out client_key, out client_salt, out server_key, out server_salt);
+ if (client_key == null || client_salt == null || server_key == null || server_salt == null) {
+ warning("SRTP client/server key/salt null");
+ }
+
+ Crypto.Srtp.Session encrypt_session = new Crypto.Srtp.Session(Crypto.Srtp.Encryption.AES_CM, Crypto.Srtp.Authentication.HMAC_SHA1, 10, Crypto.Srtp.Prf.AES_CM, 0);
+ Crypto.Srtp.Session decrypt_session = new Crypto.Srtp.Session(Crypto.Srtp.Encryption.AES_CM, Crypto.Srtp.Authentication.HMAC_SHA1, 10, Crypto.Srtp.Prf.AES_CM, 0);
+
+ if (server) {
+ encrypt_session.setkey(server_key.extract(), server_salt.extract());
+ decrypt_session.setkey(client_key.extract(), client_salt.extract());
+ } else {
+ encrypt_session.setkey(client_key.extract(), client_salt.extract());
+ decrypt_session.setkey(server_key.extract(), server_salt.extract());
+ }
+
+ this.encrypt_session = (owned)encrypt_session;
+ this.decrypt_session = (owned)decrypt_session;
+ }
+
+ private static ssize_t pull_function(void* transport_ptr, uint8[] buffer) {
+ DtlsSrtp self = transport_ptr as DtlsSrtp;
+
+ self.buffer_mutex.lock();
+ while (self.buffer_queue.size == 0) {
+ self.buffer_cond.wait(self.buffer_mutex);
+ }
+ owned Bytes data = self.buffer_queue.remove_at(0);
+ self.buffer_mutex.unlock();
+
+ uint8[] data_uint8 = Bytes.unref_to_data(data);
+ Memory.copy(buffer, data_uint8, data_uint8.length);
+
+ // The callback should return 0 on connection termination, a positive number indicating the number of bytes received, and -1 on error.
+ return (ssize_t)data.length;
+ }
+
+ private static int pull_timeout_function(void* transport_ptr, uint ms) {
+ DtlsSrtp self = transport_ptr as DtlsSrtp;
+
+ DateTime current_time = new DateTime.now_utc();
+ current_time.add_seconds(ms/1000);
+ int64 end_time = current_time.to_unix();
+
+ self.buffer_mutex.lock();
+ while (self.buffer_queue.size == 0) {
+ self.buffer_cond.wait_until(self.buffer_mutex, end_time);
+
+ DateTime new_current_time = new DateTime.now_utc();
+ if (new_current_time.compare(current_time) > 0) {
+ break;
+ }
+ }
+ self.buffer_mutex.unlock();
+
+ // The callback should return 0 on timeout, a positive number if data can be received, and -1 on error.
+ return 1;
+ }
+
+ private static ssize_t push_function(void* transport_ptr, uint8[] buffer) {
+ DtlsSrtp self = transport_ptr as DtlsSrtp;
+ self.send_data(buffer);
+
+ // The callback should return a positive number indicating the bytes sent, and -1 on error.
+ return (ssize_t)buffer.length;
+ }
+
+ private static int verify_function(Session session) {
+ DtlsSrtp self = session.get_transport_pointer() as DtlsSrtp;
+ try {
+ bool valid = self.verify_peer_cert(session);
+ if (!valid) {
+ warning("DTLS certificate invalid. Aborting handshake.");
+ return 1;
+ }
+ } catch (Error e) {
+ warning("Error during DTLS certificate validation: %s. Aborting handshake.", e.message);
+ return 1;
+ }
+
+ // The callback function should return 0 for the handshake to continue or non-zero to terminate.
+ return 0;
+ }
+
+ private bool verify_peer_cert(Session session) throws GLib.Error {
+ unowned Datum[] cert_datums = session.get_peer_certificates();
+ if (cert_datums.length == 0) {
+ warning("No peer certs");
+ return false;
+ }
+ if (cert_datums.length > 1) warning("More than one peer cert");
+
+ X509.Certificate peer_cert = X509.Certificate.create();
+ peer_cert.import(ref cert_datums[0], CertificateFormat.DER);
+
+ string peer_fp_str = format_certificate(peer_cert, DigestAlgorithm.SHA256);
+ if (peer_fp_str.down() != this.peer_fingerprint.down()) {
+ warning("First cert in peer cert list doesn't equal advertised one %s vs %s", peer_fp_str, this.peer_fingerprint);
+ return false;
+ }
+
+ return true;
+ }
+
+ private string format_certificate(X509.Certificate certificate, DigestAlgorithm digest_algo) {
+ uint8[] buf = new uint8[512];
+ size_t buf_out_size = 512;
+ certificate.get_fingerprint(digest_algo, buf, ref buf_out_size);
+
+ var sb = new StringBuilder();
+ for (int i = 0; i < buf_out_size; i++) {
+ sb.append("%02x".printf(buf[i]));
+ if (i < buf_out_size - 1) {
+ sb.append(":");
+ }
+ }
+ return sb.str;
+ }
+
+ private uint8[] uint8_pt_to_a(uint8* data, uint size) {
+ uint8[size] ret = new uint8[size];
+ for (int i = 0; i < size; i++) {
+ ret[i] = data[i];
+ }
+ return ret;
+ }
+} \ No newline at end of file
diff --git a/plugins/ice/src/transport_parameters.vala b/plugins/ice/src/transport_parameters.vala
index a8172678..5b6431c2 100644
--- a/plugins/ice/src/transport_parameters.vala
+++ b/plugins/ice/src/transport_parameters.vala
@@ -9,9 +9,11 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
private bool we_want_connection;
private bool remote_credentials_set;
private Map<uint8, DatagramConnection> connections = new HashMap<uint8, DatagramConnection>();
+ private DtlsSrtp? dtls_srtp;
private class DatagramConnection : Jingle.DatagramConnection {
private Nice.Agent agent;
+ private DtlsSrtp? dtls_srtp;
private uint stream_id;
private string? error;
private ulong sent;
@@ -20,8 +22,9 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
private ulong recv_reported;
private ulong datagram_received_id;
- public DatagramConnection(Nice.Agent agent, uint stream_id, uint8 component_id) {
+ public DatagramConnection(Nice.Agent agent, DtlsSrtp? dtls_srtp, uint stream_id, uint8 component_id) {
this.agent = agent;
+ this.dtls_srtp = dtls_srtp;
this.stream_id = stream_id;
this.component_id = component_id;
this.datagram_received_id = this.datagram_received.connect((datagram) => {
@@ -41,7 +44,12 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
public override void send_datagram(Bytes datagram) {
if (this.agent != null && is_component_ready(agent, stream_id, component_id)) {
- agent.send(stream_id, component_id, datagram.get_data());
+ uint8[] encrypted_data = null;
+ if (dtls_srtp != null) {
+ encrypted_data = dtls_srtp.process_outgoing_data(component_id, datagram.get_data());
+ if (encrypted_data == null) return;
+ }
+ agent.send(stream_id, component_id, encrypted_data ?? datagram.get_data());
sent += datagram.length;
if (sent > sent_reported + 100000) {
debug("Sent %lu bytes via stream %u component %u", sent, stream_id, component_id);
@@ -55,6 +63,20 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
base(components, local_full_jid, peer_full_jid, node);
this.we_want_connection = (node == null);
this.agent = agent;
+
+ if (this.peer_fingerprint != null || !incoming) {
+ dtls_srtp = DtlsSrtp.setup();
+ dtls_srtp.send_data.connect((data) => {
+ agent.send(stream_id, 1, data);
+ });
+ this.own_fingerprint = dtls_srtp.get_own_fingerprint(GnuTLS.DigestAlgorithm.SHA256);
+ if (incoming) {
+ dtls_srtp.set_peer_fingerprint(this.peer_fingerprint);
+ } else {
+ dtls_srtp.setup_dtls_connection(true);
+ }
+ }
+
agent.candidate_gathering_done.connect(on_candidate_gathering_done);
agent.initial_binding_request_received.connect(on_initial_binding_request_received);
agent.component_state_changed.connect(on_component_state_changed);
@@ -112,6 +134,12 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
public override void handle_transport_accept(StanzaNode transport) throws Jingle.IqError {
debug("on_transport_accept from %s", peer_full_jid.to_string());
base.handle_transport_accept(transport);
+
+ if (dtls_srtp != null && peer_fingerprint != null) {
+ dtls_srtp.set_peer_fingerprint(this.peer_fingerprint);
+ } else {
+ dtls_srtp = null;
+ }
}
public override void handle_transport_info(StanzaNode transport) throws Jingle.IqError {
@@ -163,9 +191,16 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
int new_candidates = agent.set_remote_candidates(stream_id, i, candidates);
debug("Initiated component %u with %i remote candidates", i, new_candidates);
- connections[i] = new DatagramConnection(agent, stream_id, i);
+ connections[i] = new DatagramConnection(agent, dtls_srtp, stream_id, i);
content.set_transport_connection(connections[i], i);
}
+
+ if (incoming && dtls_srtp != null) {
+ Jingle.DatagramConnection rtp_datagram = (Jingle.DatagramConnection) content.get_transport_connection(1);
+ rtp_datagram.notify["ready"].connect(() => {
+ dtls_srtp.setup_dtls_connection(false);
+ });
+ }
base.create_transport_connection(stream, content);
}
@@ -194,12 +229,17 @@ public class Dino.Plugins.Ice.TransportParameters : JingleIceUdp.IceUdpTransport
private void on_recv(Nice.Agent agent, uint stream_id, uint component_id, uint8[] data) {
if (stream_id != this.stream_id) return;
+ uint8[] decrypt_data = null;
+ if (dtls_srtp != null) {
+ decrypt_data = dtls_srtp.process_incoming_data(component_id, data);
+ if (decrypt_data == null) return;
+ }
may_consider_ready(stream_id, component_id);
if (connections.has_key((uint8) component_id)) {
if (!connections[(uint8) component_id].ready) {
debug("on_recv stream %u component %u when state %s", stream_id, component_id, agent.get_component_state(stream_id, component_id).to_string());
}
- connections[(uint8) component_id].datagram_received(new Bytes(data));
+ connections[(uint8) component_id].datagram_received(new Bytes(decrypt_data ?? data));
} else {
debug("on_recv stream %u component %u length %u", stream_id, component_id, data.length);
}
diff --git a/plugins/ice/vapi/gnutls.vapi b/plugins/ice/vapi/gnutls.vapi
new file mode 100644
index 00000000..a8f75e14
--- /dev/null
+++ b/plugins/ice/vapi/gnutls.vapi
@@ -0,0 +1,419 @@
+[CCode (cprefix = "gnutls_", lower_case_cprefix = "gnutls_", cheader_filename = "gnutls/gnutls.h")]
+namespace GnuTLS {
+
+ public int global_init();
+
+ [CCode (cname = "gnutls_pull_func", has_target = false)]
+ public delegate ssize_t PullFunc(void* transport_ptr, [CCode (ctype = "void*", array_length_type="size_t")] uint8[] array);
+
+ [CCode (cname = "gnutls_pull_timeout_func", has_target = false)]
+ public delegate int PullTimeoutFunc(void* transport_ptr, uint ms);
+
+ [CCode (cname = "gnutls_push_func", has_target = false)]
+ public delegate ssize_t PushFunc(void* transport_ptr, [CCode (ctype = "void*", array_length_type="size_t")] uint8[] array);
+
+ [CCode (cname = "gnutls_certificate_verify_function", has_target = false)]
+ public delegate int VerifyFunc(Session session);
+
+ [Compact]
+ [CCode (cname = "struct gnutls_session_int", free_function = "gnutls_deinit")]
+ public class Session {
+
+ public static Session? create(int con_end) throws GLib.Error {
+ Session result;
+ var ret = init(out result, con_end);
+ throw_if_error(ret);
+ return result;
+ }
+
+ [CCode (cname = "gnutls_init")]
+ private static int init(out Session session, int con_end);
+
+ [CCode (cname = "gnutls_transport_set_push_function")]
+ public void set_push_function(PushFunc func);
+
+ [CCode (cname = "gnutls_transport_set_pull_function")]
+ public void set_pull_function(PullFunc func);
+
+ [CCode (cname = "gnutls_transport_set_pull_timeout_function")]
+ public void set_pull_timeout_function(PullTimeoutFunc func);
+
+ [CCode (cname = "gnutls_transport_set_ptr")]
+ public void set_transport_pointer(void* ptr);
+
+ [CCode (cname = "gnutls_transport_get_ptr")]
+ public void* get_transport_pointer();
+
+ [CCode (cname = "gnutls_heartbeat_enable")]
+ public int enable_heartbeat(uint type);
+
+ [CCode (cname = "gnutls_certificate_server_set_request")]
+ public void server_set_request(CertificateRequest req);
+
+ [CCode (cname = "gnutls_credentials_set")]
+ public int set_credentials_(CredentialsType type, void* cred);
+ [CCode (cname = "gnutls_credentials_set_")]
+ public void set_credentials(CredentialsType type, void* cred) throws GLib.Error {
+ int err = set_credentials_(type, cred);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_priority_set_direct")]
+ public int set_priority_from_string_(string priority, out unowned string err_pos = null);
+ [CCode (cname = "gnutls_priority_set_direct_")]
+ public void set_priority_from_string(string priority, out unowned string err_pos = null) throws GLib.Error {
+ int err = set_priority_from_string_(priority, out err_pos);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_srtp_set_profile_direct")]
+ public int set_srtp_profile_direct_(string profiles, out unowned string err_pos = null);
+ [CCode (cname = "gnutls_srtp_set_profile_direct_")]
+ public void set_srtp_profile_direct(string profiles, out unowned string err_pos = null) throws GLib.Error {
+ int err = set_srtp_profile_direct_(profiles, out err_pos);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_transport_set_int")]
+ public void transport_set_int(int fd);
+
+ [CCode (cname = "gnutls_handshake")]
+ public int handshake();
+
+ [CCode (cname = "gnutls_srtp_get_keys")]
+ public int get_srtp_keys_(void *key_material, uint32 key_material_size, out Datum client_key, out Datum client_salt, out Datum server_key, out Datum server_salt);
+ [CCode (cname = "gnutls_srtp_get_keys_")]
+ public void get_srtp_keys(void *key_material, uint32 key_material_size, out Datum client_key, out Datum client_salt, out Datum server_key, out Datum server_salt) throws GLib.Error {
+ get_srtp_keys_(key_material, key_material_size, out client_key, out client_salt, out server_key, out server_salt);
+ }
+
+ [CCode (cname = "gnutls_certificate_get_peers", array_length_type = "unsigned int")]
+ public unowned Datum[]? get_peer_certificates();
+
+ [CCode (cname = "gnutls_session_set_verify_function")]
+ public void set_verify_function(VerifyFunc func);
+ }
+
+ [Compact]
+ [CCode (cname = "struct gnutls_certificate_credentials_st", free_function = "gnutls_certificate_free_credentials", cprefix = "gnutls_certificate_")]
+ public class CertificateCredentials {
+
+ [CCode (cname = "gnutls_certificate_allocate_credentials")]
+ private static int allocate(out CertificateCredentials credentials);
+
+ public static CertificateCredentials create() throws GLib.Error {
+ CertificateCredentials result;
+ var ret = allocate (out result);
+ throw_if_error(ret);
+ return result;
+ }
+
+ public void get_x509_crt(uint index, [CCode (array_length_type = "unsigned int")] out unowned X509.Certificate[] x509_ca_list);
+
+ public int set_x509_key(X509.Certificate[] cert_list, X509.PrivateKey key);
+ }
+
+ [CCode (cheader_filename = "gnutls/x509.h", cprefix = "GNUTLS_")]
+ namespace X509 {
+
+ [Compact]
+ [CCode (cname = "struct gnutls_x509_crt_int", cprefix = "gnutls_x509_crt_", free_function = "gnutls_x509_crt_deinit")]
+ public class Certificate {
+
+ [CCode (cname = "gnutls_x509_crt_init")]
+ private static int init (out Certificate cert);
+ public static Certificate create() throws GLib.Error {
+ Certificate result;
+ var ret = init (out result);
+ throw_if_error(ret);
+ return result;
+ }
+
+ [CCode (cname = "gnutls_x509_crt_import")]
+ public int import_(ref Datum data, CertificateFormat format);
+ [CCode (cname = "gnutls_x509_crt_import_")]
+ public void import(ref Datum data, CertificateFormat format) throws GLib.Error {
+ int err = import_(ref data, format);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_x509_crt_set_version")]
+ public int set_version_(uint version);
+ [CCode (cname = "gnutls_x509_crt_set_version_")]
+ public void set_version(uint version) throws GLib.Error {
+ int err = set_version_(version);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_x509_crt_set_key")]
+ public int set_key_(PrivateKey key);
+ [CCode (cname = "gnutls_x509_crt_set_key_")]
+ public void set_key(PrivateKey key) throws GLib.Error {
+ int err = set_key_(key);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_x509_crt_set_activation_time")]
+ public int set_activation_time_(time_t act_time);
+ [CCode (cname = "gnutls_x509_crt_set_activation_time_")]
+ public void set_activation_time(time_t act_time) throws GLib.Error {
+ int err = set_activation_time_(act_time);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_x509_crt_set_expiration_time")]
+ public int set_expiration_time_(time_t exp_time);
+ [CCode (cname = "gnutls_x509_crt_set_expiration_time_")]
+ public void set_expiration_time(time_t exp_time) throws GLib.Error {
+ int err = set_expiration_time_(exp_time);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_x509_crt_set_serial")]
+ public int set_serial_(void* serial, size_t serial_size);
+ [CCode (cname = "gnutls_x509_crt_set_serial_")]
+ public void set_serial(void* serial, size_t serial_size) throws GLib.Error {
+ int err = set_serial_(serial, serial_size);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_x509_crt_sign")]
+ public int sign_(Certificate issuer, PrivateKey issuer_key);
+ [CCode (cname = "gnutls_x509_crt_sign_")]
+ public void sign(Certificate issuer, PrivateKey issuer_key) throws GLib.Error {
+ int err = sign_(issuer, issuer_key);
+ throw_if_error(err);
+ }
+
+ [CCode (cname = "gnutls_x509_crt_get_fingerprint")]
+ public int get_fingerprint_(DigestAlgorithm algo, void* buf, ref size_t buf_size);
+ [CCode (cname = "gnutls_x509_crt_get_fingerprint_")]
+ public void get_fingerprint(DigestAlgorithm algo, void* buf, ref size_t buf_size) throws GLib.Error {
+ int err = get_fingerprint_(algo, buf, ref buf_size);
+ throw_if_error(err);
+ }
+ }
+
+ [Compact]
+ [CCode (cname = "struct gnutls_x509_privkey_int", cprefix = "gnutls_x509_privkey_", free_function = "gnutls_x509_privkey_deinit")]
+ public class PrivateKey {
+ private static int init (out PrivateKey key);
+ public static PrivateKey create () throws GLib.Error {
+ PrivateKey result;
+ var ret = init (out result);
+ throw_if_error(ret);
+ return result;
+ }
+
+ public int generate(PKAlgorithm algo, uint bits, uint flags = 0);
+ }
+
+ }
+
+ [CCode (cname = "gnutls_certificate_request_t", cprefix = "GNUTLS_CERT_", has_type_id = false)]
+ public enum CertificateRequest {
+ IGNORE,
+ REQUEST,
+ REQUIRE
+ }
+
+ [CCode (cname = "gnutls_pk_algorithm_t", cprefix = "GNUTLS_PK_", has_type_id = false)]
+ public enum PKAlgorithm {
+ UNKNOWN,
+ RSA,
+ DSA;
+ }
+
+ [CCode (cname = "gnutls_digest_algorithm_t", cprefix = "GNUTLS_DIG_", has_type_id = false)]
+ public enum DigestAlgorithm {
+ NULL,
+ MD5,
+ SHA1,
+ RMD160,
+ MD2,
+ SHA224,
+ SHA256,
+ SHA384,
+ SHA512;
+ }
+
+ [Flags]
+ [CCode (cname = "gnutls_init_flags_t", cprefix = "GNUTLS_", has_type_id = false)]
+ public enum InitFlags {
+ SERVER,
+ CLIENT,
+ DATAGRAM
+ }
+
+ [CCode (cname = "gnutls_credentials_type_t", cprefix = "GNUTLS_CRD_", has_type_id = false)]
+ public enum CredentialsType {
+ CERTIFICATE,
+ ANON,
+ SRP,
+ PSK,
+ IA
+ }
+
+ [CCode (cname = "gnutls_x509_crt_fmt_t", cprefix = "GNUTLS_X509_FMT_", has_type_id = false)]
+ public enum CertificateFormat {
+ DER,
+ PEM
+ }
+
+ [Flags]
+ [CCode (cname = "gnutls_certificate_status_t", cprefix = "GNUTLS_CERT_", has_type_id = false)]
+ public enum CertificateStatus {
+ INVALID, // will be set if the certificate was not verified.
+ REVOKED, // in X.509 this will be set only if CRLs are checked
+ SIGNER_NOT_FOUND,
+ SIGNER_NOT_CA,
+ INSECURE_ALGORITHM
+ }
+
+ [SimpleType]
+ [CCode (cname = "gnutls_datum_t", has_type_id = false)]
+ public struct Datum {
+ public uint8* data;
+ public uint size;
+
+ public uint8[] extract() {
+ uint8[size] ret = new uint8[size];
+ for (int i = 0; i < size; i++) {
+ ret[i] = data[i];
+ }
+ return ret;
+ }
+ }
+
+ // Gnutls error codes. The mapping to a TLS alert is also shown in comments.
+ [CCode (cname = "int", cprefix = "GNUTLS_E_", lower_case_cprefix = "gnutls_error_", has_type_id = false)]
+ public enum ErrorCode {
+ SUCCESS,
+ UNKNOWN_COMPRESSION_ALGORITHM,
+ UNKNOWN_CIPHER_TYPE,
+ LARGE_PACKET,
+ UNSUPPORTED_VERSION_PACKET, // GNUTLS_A_PROTOCOL_VERSION
+ UNEXPECTED_PACKET_LENGTH, // GNUTLS_A_RECORD_OVERFLOW
+ INVALID_SESSION,
+ FATAL_ALERT_RECEIVED,
+ UNEXPECTED_PACKET, // GNUTLS_A_UNEXPECTED_MESSAGE
+ WARNING_ALERT_RECEIVED,
+ ERROR_IN_FINISHED_PACKET,
+ UNEXPECTED_HANDSHAKE_PACKET,
+ UNKNOWN_CIPHER_SUITE, // GNUTLS_A_HANDSHAKE_FAILURE
+ UNWANTED_ALGORITHM,
+ MPI_SCAN_FAILED,
+ DECRYPTION_FAILED, // GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_BAD_RECORD_MAC
+ MEMORY_ERROR,
+ DECOMPRESSION_FAILED, // GNUTLS_A_DECOMPRESSION_FAILURE
+ COMPRESSION_FAILED,
+ AGAIN,
+ EXPIRED,
+ DB_ERROR,
+ SRP_PWD_ERROR,
+ INSUFFICIENT_CREDENTIALS,
+ HASH_FAILED,
+ BASE64_DECODING_ERROR,
+ MPI_PRINT_FAILED,
+ REHANDSHAKE, // GNUTLS_A_NO_RENEGOTIATION
+ GOT_APPLICATION_DATA,
+ RECORD_LIMIT_REACHED,
+ ENCRYPTION_FAILED,
+ PK_ENCRYPTION_FAILED,
+ PK_DECRYPTION_FAILED,
+ PK_SIGN_FAILED,
+ X509_UNSUPPORTED_CRITICAL_EXTENSION,
+ KEY_USAGE_VIOLATION,
+ NO_CERTIFICATE_FOUND, // GNUTLS_A_BAD_CERTIFICATE
+ INVALID_REQUEST,
+ SHORT_MEMORY_BUFFER,
+ INTERRUPTED,
+ PUSH_ERROR,
+ PULL_ERROR,
+ RECEIVED_ILLEGAL_PARAMETER, // GNUTLS_A_ILLEGAL_PARAMETER
+ REQUESTED_DATA_NOT_AVAILABLE,
+ PKCS1_WRONG_PAD,
+ RECEIVED_ILLEGAL_EXTENSION,
+ INTERNAL_ERROR,
+ DH_PRIME_UNACCEPTABLE,
+ FILE_ERROR,
+ TOO_MANY_EMPTY_PACKETS,
+ UNKNOWN_PK_ALGORITHM,
+ // returned if libextra functionality was requested but
+ // gnutls_global_init_extra() was not called.
+
+ INIT_LIBEXTRA,
+ LIBRARY_VERSION_MISMATCH,
+ // returned if you need to generate temporary RSA
+ // parameters. These are needed for export cipher suites.
+
+ NO_TEMPORARY_RSA_PARAMS,
+ LZO_INIT_FAILED,
+ NO_COMPRESSION_ALGORITHMS,
+ NO_CIPHER_SUITES,
+ OPENPGP_GETKEY_FAILED,
+ PK_SIG_VERIFY_FAILED,
+ ILLEGAL_SRP_USERNAME,
+ SRP_PWD_PARSING_ERROR,
+ NO_TEMPORARY_DH_PARAMS,
+ // For certificate and key stuff
+
+ ASN1_ELEMENT_NOT_FOUND,
+ ASN1_IDENTIFIER_NOT_FOUND,
+ ASN1_DER_ERROR,
+ ASN1_VALUE_NOT_FOUND,
+ ASN1_GENERIC_ERROR,
+ ASN1_VALUE_NOT_VALID,
+ ASN1_TAG_ERROR,
+ ASN1_TAG_IMPLICIT,
+ ASN1_TYPE_ANY_ERROR,
+ ASN1_SYNTAX_ERROR,
+ ASN1_DER_OVERFLOW,
+ OPENPGP_UID_REVOKED,
+ CERTIFICATE_ERROR,
+ CERTIFICATE_KEY_MISMATCH,
+ UNSUPPORTED_CERTIFICATE_TYPE, // GNUTLS_A_UNSUPPORTED_CERTIFICATE
+ X509_UNKNOWN_SAN,
+ OPENPGP_FINGERPRINT_UNSUPPORTED,
+ X509_UNSUPPORTED_ATTRIBUTE,
+ UNKNOWN_HASH_ALGORITHM,
+ UNKNOWN_PKCS_CONTENT_TYPE,
+ UNKNOWN_PKCS_BAG_TYPE,
+ INVALID_PASSWORD,
+ MAC_VERIFY_FAILED, // for PKCS #12 MAC
+ CONSTRAINT_ERROR,
+ WARNING_IA_IPHF_RECEIVED,
+ WARNING_IA_FPHF_RECEIVED,
+ IA_VERIFY_FAILED,
+ UNKNOWN_ALGORITHM,
+ BASE64_ENCODING_ERROR,
+ INCOMPATIBLE_CRYPTO_LIBRARY,
+ INCOMPATIBLE_LIBTASN1_LIBRARY,
+ OPENPGP_KEYRING_ERROR,
+ X509_UNSUPPORTED_OID,
+ RANDOM_FAILED,
+ BASE64_UNEXPECTED_HEADER_ERROR,
+ OPENPGP_SUBKEY_ERROR,
+ CRYPTO_ALREADY_REGISTERED,
+ HANDSHAKE_TOO_LARGE,
+ UNIMPLEMENTED_FEATURE,
+ APPLICATION_ERROR_MAX, // -65000
+ APPLICATION_ERROR_MIN; // -65500
+
+ [CCode (cname = "gnutls_error_is_fatal")]
+ public bool is_fatal();
+
+ [CCode (cname = "gnutls_perror")]
+ public void print();
+
+ [CCode (cname = "gnutls_strerror")]
+ public unowned string to_string();
+ }
+
+ public void throw_if_error(int err_int) throws GLib.Error {
+ ErrorCode error = (ErrorCode)err_int;
+ if (error != ErrorCode.SUCCESS) {
+ throw new GLib.Error(-1, error, "%s%s", error.to_string(), error.is_fatal() ? " fatal" : "");
+ }
+ }
+} \ No newline at end of file