+static int nc_tls_init (nc_peer_t *peer) /* {{{ */
+{
+ if (peer == NULL)
+ return (EINVAL);
+
+ if ((peer->tls_cert_file == NULL)
+ || (peer->tls_key_file == NULL))
+ return (0);
+
+ /* Initialize the structure holding our certificate information. */
+ gnutls_certificate_allocate_credentials (&peer->tls_credentials);
+
+ /* Set up the configured certificates. */
+ if (peer->tls_ca_file != NULL)
+ gnutls_certificate_set_x509_trust_file (peer->tls_credentials,
+ peer->tls_ca_file, GNUTLS_X509_FMT_PEM);
+ if (peer->tls_crl_file != NULL)
+ gnutls_certificate_set_x509_crl_file (peer->tls_credentials,
+ peer->tls_crl_file, GNUTLS_X509_FMT_PEM);
+ gnutls_certificate_set_x509_key_file (peer->tls_credentials,
+ peer->tls_cert_file, peer->tls_key_file, GNUTLS_X509_FMT_PEM);
+
+ /* Initialize Diffie-Hellman parameters. */
+ gnutls_dh_params_init (&peer->tls_dh_params);
+ gnutls_dh_params_generate2 (peer->tls_dh_params, NC_TLS_DH_BITS);
+ gnutls_certificate_set_dh_params (peer->tls_credentials,
+ peer->tls_dh_params);
+
+ /* Initialize a "priority cache". This will tell GNUTLS which algorithms to
+ * use and which to avoid. We use the "NORMAL" method for now. */
+ gnutls_priority_init (&peer->tls_priority,
+ /* priority = */ "NORMAL", /* errpos = */ NULL);
+
+ return (0);
+} /* }}} int nc_tls_init */
+
+static gnutls_session_t nc_tls_get_session (nc_peer_t *peer) /* {{{ */
+{
+ gnutls_session_t session;
+
+ if (peer->tls_credentials == NULL)
+ return (NULL);
+
+ /* Initialize new session. */
+ gnutls_init (&session, GNUTLS_SERVER);
+
+ /* Set cipher priority and credentials based on the information stored with
+ * the peer. */
+ gnutls_priority_set (session, peer->tls_priority);
+ gnutls_credentials_set (session,
+ GNUTLS_CRD_CERTIFICATE, peer->tls_credentials);
+
+ /* Request the client certificate. */
+ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
+
+ return (session);
+} /* }}} gnutls_session_t nc_tls_get_session */
+
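Review bot: Every GnuTLS call in nc_tls_init discards its return value, so a missing or unreadable key, CA or CRL file still returns 0 and leaves `peer->tls_credentials` non-NULL; nc_tls_get_session then hands out sessions backed by incomplete credentials, and a CA or CRL file that failed to load silently means no trust anchors or no revocation data. Check each status (the trust and CRL loaders return a count on success and a negative code on error), and on failure free the credentials and reset the pointer to NULL, as sketched below; the error value to return should follow the file's convention, which is not visible here. In nc_tls_get_session, `gnutls_init` is unchecked as well, so `session` is returned uninitialized if it fails; `if (gnutls_init (&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS) return (NULL);` covers that. Separately, `GNUTLS_CERT_REQUEST` makes the client certificate optional, so unless the handshake code outside this hunk verifies the peer certificate, `GNUTLS_CERT_REQUIRE` is presumably what is wanted when a CA file is configured.

```c
static int nc_tls_init (nc_peer_t *peer)
{
  int status;

  /* … unchanged: NULL check and early return when no cert/key is configured … */

  status = gnutls_certificate_allocate_credentials (&peer->tls_credentials);
  if (status != GNUTLS_E_SUCCESS)
  {
    peer->tls_credentials = NULL;
    return (status);
  }

  if (peer->tls_ca_file != NULL)
  {
    /* Returns the number of certificates loaded, or a negative error code. */
    status = gnutls_certificate_set_x509_trust_file (peer->tls_credentials,
        peer->tls_ca_file, GNUTLS_X509_FMT_PEM);
    if (status < 0)
      goto fail;
  }

  /* … CRL file: same pattern as the trust file … */

  status = gnutls_certificate_set_x509_key_file (peer->tls_credentials,
      peer->tls_cert_file, peer->tls_key_file, GNUTLS_X509_FMT_PEM);
  if (status < 0)
    goto fail;

  /* … DH parameters and gnutls_priority_init: check each return value the same way … */

  return (0);

fail:
  /* Leave no half-configured credentials behind for nc_tls_get_session. */
  gnutls_certificate_free_credentials (peer->tls_credentials);
  peer->tls_credentials = NULL;
  return (status);
}
```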