void
global_start (void)
{
/* this must be called once in the program, it is mostly for the server.
*/
gnutls_global_init ();
gnutls_anon_allocate_server_credentials (&anoncred);
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_anon_set_server_dh_params (anoncred, dh_params);
if (TLS_SESSION_CACHE != 0)
{
wrap_db_init ();
}
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
if (err == -1)
{
perror ("socket");
fail ("server: socket failed\n");
return;
}
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
if (err == -1)
{
perror ("bind");
fail ("server: bind failed\n");
return;
}
err = listen (listen_sd, 1024);
if (err == -1)
{
perror ("listen");
fail ("server: listen failed\n");
return;
}
success ("server: ready. Listening to port '%d'.\n", PORT);
}
static Ecore_Con_Ssl_Error
_ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr,
int ssl_type)
{
int ret;
if (ssl_type & ECORE_CON_USE_SSL2)
return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
switch (ssl_type)
{
case ECORE_CON_USE_SSL3:
case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
case ECORE_CON_USE_TLS:
case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
case ECORE_CON_USE_MIXED:
case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
break;
default:
return ECORE_CON_SSL_ERROR_NONE;
}
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert));
if ((!svr->use_cert) && svr->created)
{
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params));
INF("Generating DH params");
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024));
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s));
/* TODO: implement PSK */
// SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s));
gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params);
gnutls_certificate_set_dh_params(svr->cert, svr->dh_params);
//gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params);
INF("DH params successfully generated and applied!");
}
else if (!svr->use_cert)
{
//SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c));
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c));
}
return ECORE_CON_SSL_ERROR_NONE;
error:
_gnutls_print_errors(ret);
_ecore_con_ssl_server_shutdown_gnutls(svr);
return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
}
static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void)
{
gnutls_anon_server_credentials_t anon_cred;
int ret;
if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
return NULL;
}
gnutls_anon_set_server_dh_params(anon_cred, dh_params);
return anon_cred;
}
static int
qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,
Error **errp)
{
char *dhparams = NULL;
int ret;
int rv = -1;
trace_qcrypto_tls_creds_anon_load(creds,
creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
if (qcrypto_tls_creds_get_path(&creds->parent_obj,
QCRYPTO_TLS_CREDS_DH_PARAMS,
false, &dhparams, errp) < 0) {
goto cleanup;
}
ret = gnutls_anon_allocate_server_credentials(&creds->data.server);
if (ret < 0) {
error_setg(errp, "Cannot allocate credentials: %s",
gnutls_strerror(ret));
goto cleanup;
}
if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams,
&creds->parent_obj.dh_params,
errp) < 0) {
goto cleanup;
}
gnutls_anon_set_server_dh_params(creds->data.server,
creds->parent_obj.dh_params);
} else {
ret = gnutls_anon_allocate_client_credentials(&creds->data.client);
if (ret < 0) {
error_setg(errp, "Cannot allocate credentials: %s",
gnutls_strerror(ret));
goto cleanup;
}
}
rv = 0;
cleanup:
g_free(dhparams);
return rv;
}
int server_create(prelude_client_profile_t *cp, const char *addr, unsigned int port,
prelude_bool_t keepalive, const char *pass, gnutls_x509_privkey_t key, gnutls_x509_crt_t cacrt, gnutls_x509_crt_t crt)
{
int sock;
size_t size;
struct pollfd pfd[128];
gnutls_dh_params_t dh_params;
#ifdef GNUTLS_SRP_ENABLED
int ret;
ret = gnutls_srp_allocate_server_credentials(&srpcred);
if ( ret < 0 ) {
fprintf(stderr, "error creating SRP credentials: %s.\n", gnutls_strerror(ret));
return -1;
}
gnutls_srp_set_server_credentials_function(srpcred, srp_callback);
#endif
one_shot_passwd = pass;
gnutls_anon_allocate_server_credentials(&anoncred);
fprintf(stderr, "Generating %d bits Diffie-Hellman key for anonymous authentication...", ANON_DH_BITS);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, ANON_DH_BITS);
gnutls_anon_set_server_dh_params(anoncred, dh_params);
fprintf(stderr, "\n");
size = sizeof(pfd) / sizeof(*pfd);
sock = setup_server(addr, port, pfd, &size);
if ( sock < 0 )
return -1;
wait_connection(cp, sock, pfd, size, keepalive, key, cacrt, crt);
#ifdef GNUTLS_SRP_ENABLED
gnutls_srp_free_server_credentials(srpcred);
#endif
gnutls_anon_free_server_credentials(anoncred);
return 0;
}
bool GnuTLSServerAnon::init( const std::string&,
const std::string&,
const StringList& )
{
const int protocolPriority[] = { GNUTLS_TLS1, 0 };
const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 };
const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
if( m_initLib && gnutls_global_init() != 0 )
return false;
if( gnutls_anon_allocate_server_credentials( &m_anoncred ) < 0 )
return false;
generateDH();
gnutls_anon_set_server_dh_params( m_anoncred, m_dhParams );
if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 )
return false;
gnutls_protocol_set_priority( *m_session, protocolPriority );
gnutls_cipher_set_priority( *m_session, cipherPriority );
gnutls_compression_set_priority( *m_session, compPriority );
gnutls_kx_set_priority( *m_session, kxPriority );
gnutls_mac_set_priority( *m_session, macPriority );
gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred );
gnutls_dh_set_prime_bits( *m_session, m_dhBits );
gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this );
gnutls_transport_set_push_function( *m_session, pushFunc );
gnutls_transport_set_pull_function( *m_session, pullFunc );
m_valid = true;
return true;
}
bool SslContext::post_config()
{
TRACE("SslContext.postConfig()");
if (error_) return false;
if (!enabled) return false;
// if (rsaParams_)
// gnutls_certificate_set_rsa_export_params(certs_, rsaParams_);
if (dhParams_) {
TRACE("setting DH params");
gnutls_certificate_set_dh_params(certs_, dhParams_);
gnutls_anon_set_server_dh_params(anonCreds_, dhParams_);
}
gnutls_certificate_server_set_retrieve_function(certs_, &SslContext::onRetrieveCert);
// SRP...
return true;
}
void anon_server_credentials::set_dh_params (const dh_params & params)
{
gnutls_anon_set_server_dh_params (cred, params.get_params_t ());
}
int
main (void)
{
fprintf(stderr, "sizeof(evcom_server): %d\n", (int)sizeof(evcom_server));
fprintf(stderr, "sizeof(evcom_stream): %d\n", (int)sizeof(evcom_stream));
fprintf(stderr, "sizeof(evcom_reader): %d\n", (int)sizeof(evcom_reader));
fprintf(stderr, "sizeof(evcom_writer): %d\n", (int)sizeof(evcom_writer));
evcom_ignore_sigpipe();
#if EVCOM_HAVE_GNUTLS
gnutls_global_init();
gnutls_dh_params_init (&dh_params);
fsync(fileno(stderr));
gnutls_dh_params_generate2 (dh_params, DH_BITS);
gnutls_anon_allocate_server_credentials (&server_credentials);
gnutls_anon_set_server_dh_params (server_credentials, dh_params);
#endif
struct sockaddr_in tcp_address;
memset(&tcp_address, 0, sizeof(struct sockaddr_in));
tcp_address.sin_family = AF_INET;
tcp_address.sin_port = htons(PORT);
tcp_address.sin_addr.s_addr = INADDR_ANY;
use_tls = 0;
fprintf(stderr, "pair_pingpong use_pipe=1: ");
assert(pair_pingpong(1) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "pair_pingpong use_pipe=0: ");
assert(pair_pingpong(0) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "zero_stream tcp: ");
assert(zero_stream((struct sockaddr*)&tcp_address, 5*1024*1024) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "pipe_stream: ");
assert(pipe_stream() == 0);
fprintf(stderr, "\n");
fprintf(stderr, "pingpong tcp: ");
assert(pingpong((struct sockaddr*)&tcp_address) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "connint tcp: ");
assert(connint((struct sockaddr*)&tcp_address) == 0);
fprintf(stderr, "\n");
#if EVCOM_HAVE_GNUTLS
use_tls = 1;
fprintf(stderr, "zero_stream ssl: ");
assert(zero_stream((struct sockaddr*)&tcp_address, 50*1024) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "pair_pingpong ssl use_pipe=1: ");
assert(pair_pingpong(1) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "pair_pingpong ssl use_pipe=0: ");
assert(pair_pingpong(0) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "pingpong ssl: ");
assert(pingpong((struct sockaddr*)&tcp_address) == 0);
fprintf(stderr, "\n");
fprintf(stderr, "connint ssl: ");
assert(connint((struct sockaddr*)&tcp_address) == 0);
fprintf(stderr, "\n");
#endif
struct sockaddr *unix_address;
use_tls = 0;
fprintf(stderr, "pingpong unix: ");
unix_address = create_unix_address();
assert(pingpong(unix_address) == 0);
free_unix_address(unix_address);
fprintf(stderr, "\n");
fprintf(stderr, "connint unix: ");
unix_address = create_unix_address();
assert(connint(unix_address) == 0);
free_unix_address(unix_address);
fprintf(stderr, "\n");
#if EVCOM_HAVE_GNUTLS
use_tls = 1;
fprintf(stderr, "pingpong unix ssl: ");
unix_address = create_unix_address();
assert(pingpong(unix_address) == 0);
free_unix_address(unix_address);
fprintf(stderr, "\n");
fprintf(stderr, "connint unix ssl: ");
unix_address = create_unix_address();
assert(connint(unix_address) == 0);
free_unix_address(unix_address);
fprintf(stderr, "\n");
#endif
return 0;
}
static void
server (struct params_res *params)
{
size_t t;
/* this must be called once in the program, it is mostly for the server.
*/
if (debug)
{
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (2);
}
gnutls_global_init ();
gnutls_anon_allocate_server_credentials (&anoncred);
if (debug)
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_anon_set_server_dh_params (anoncred, dh_params);
if (params->enable_db)
{
wrap_db_init ();
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_key_generate (&session_ticket_key);
for (t = 0; t < 2; t++)
{
client_len = sizeof (sa_cli);
session = initialize_tls_session (params);
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
if (debug)
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
return;
}
if (debug)
success ("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
i = 0;
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("server: Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
if (params->enable_db)
{
wrap_db_deinit ();
}
gnutls_free (session_ticket_key.data);
session_ticket_key.data = NULL;
if (debug)
success ("server: finished\n");
}
static void test_ciphersuite(const char *cipher_prio, int size)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char *) pkcs3, strlen(pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret, cret;
const char *str;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
gnutls_init(&server, GNUTLS_SERVER);
ret = gnutls_priority_set_direct(server, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits(server, 1024);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
reset_buffers();
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_init(&client, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct(client, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
HANDSHAKE(client, server);
fprintf(stdout, "Testing %s with %d packet size: ",
gnutls_cipher_suite_get_name(gnutls_kx_get(server),
gnutls_cipher_get(server),
gnutls_mac_get(server)), size);
fflush(stdout);
gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
start_benchmark(&st);
do {
do {
ret = gnutls_record_send(client, buffer, size);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed sending to server\n");
exit(1);
}
do {
ret = gnutls_record_recv(server, buffer, sizeof(buffer));
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed receiving from client\n");
exit(1);
}
st.size += size;
}
while (benchmark_must_finish == 0);
stop_benchmark(&st, NULL);
gnutls_bye(client, GNUTLS_SHUT_WR);
gnutls_bye(server, GNUTLS_SHUT_WR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_dh_params_deinit(dh_params);
}
static void test_ciphersuite_kx(const char *cipher_prio)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char *) pkcs3, strlen(pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret, cret;
const char *str;
const char *suite = NULL;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
start_benchmark(&st);
do {
gnutls_init(&server, GNUTLS_SERVER);
ret = gnutls_priority_set_direct(server, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
reset_buffers();
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_init(&client, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct(client, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
HANDSHAKE(client, server);
if (suite == NULL)
suite = gnutls_cipher_suite_get_name(gnutls_kx_get(server),
gnutls_cipher_get(server),
gnutls_mac_get(server));
gnutls_deinit(client);
gnutls_deinit(server);
st.size += 1;
}
while (benchmark_must_finish == 0);
fprintf(stdout, "Tested %s: ", suite);
stop_benchmark(&st, "transactions");
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_dh_params_deinit(dh_params);
}
const struct remote_security_filter *load_security_filter(int tType, const char **dData, load_reference lLoad)
{
if (initialized) return NULL;
#ifdef HAVE_GCRYPT_H
if (!gcry_control(GCRYCTL_ANY_INITIALIZATION_P))
{
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
gcry_check_version(NULL); //no need to check as of now
gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
}
#endif
gnutls_global_set_log_function(&gnutls_logging);
gnutls_global_set_log_level(PARAM_RSVX_TLS_LOGGING);
gnutls_global_init();
forwarder_type = tType;
const char **initializers = dData, **current = initializers;
int argument_count = 0;
if (current) while (*current++) argument_count++;
if (argument_count > 0 && (current = initializers))
//srp initialization
{
use_srp_auth = true;
const char *passwd = (*current)? *current++ : NULL;
const char *srp_passwd = (*current)? *current++ : NULL;
const char *srp_passwd_conf = (*current)? *current++ : NULL;
if (passwd && strlen(passwd))
{
srp_file = passwd;
if (!parse_passwd())
{
gnutls_global_deinit();
return NULL;
}
}
gnutls_global_init_extra();
if (srp_passwd && strlen(srp_passwd) && srp_passwd_conf &&
strlen(srp_passwd_conf))
{
gnutls_srp_allocate_server_credentials(&srp_server);
gnutls_srp_set_server_credentials_file(srp_server, srp_passwd,
srp_passwd_conf);
}
}
else
//anonymouns initialization
{
gnutls_anon_allocate_server_credentials(&credentials);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, 1024);
gnutls_anon_set_server_dh_params(credentials, dh_params);
}
return &internal_filter;
}
FusionTLSConnection* fusion_tls_connection_construct (GType object_type, GSocketConnection* connection, GError** error) {
FusionTLSConnection * self = NULL;
GSocketConnection* _tmp0_ = NULL;
GSocketConnection* _tmp1_ = NULL;
GSocket* _tmp2_ = NULL;
GSocket* _tmp3_ = NULL;
struct gnutls_anon_server_credentials_st* anon_creds = NULL;
struct gnutls_anon_server_credentials_st* _tmp4_ = NULL;
struct gnutls_dh_params_int* dh_params = NULL;
struct gnutls_dh_params_int* _tmp5_ = NULL;
struct gnutls_dh_params_int* _tmp6_ = NULL;
struct gnutls_anon_server_credentials_st* _tmp7_ = NULL;
struct gnutls_dh_params_int* _tmp8_ = NULL;
struct gnutls_session_int* _tmp9_ = NULL;
gchar* err = NULL;
struct gnutls_session_int* _tmp10_ = NULL;
const gchar* _tmp11_ = NULL;
gint _tmp12_ = 0;
gchar* _tmp13_ = NULL;
struct gnutls_session_int* _tmp16_ = NULL;
struct gnutls_anon_server_credentials_st* _tmp17_ = NULL;
struct gnutls_session_int* _tmp18_ = NULL;
GSocket* _tmp19_ = NULL;
gint _tmp20_ = 0;
FusionTLSInputStream* _tmp21_ = NULL;
FusionTLSInputStream* _tmp22_ = NULL;
FusionTLSOutputStream* _tmp23_ = NULL;
FusionTLSOutputStream* _tmp24_ = NULL;
GError * _inner_error_ = NULL;
g_return_val_if_fail (connection != NULL, NULL);
_tmp0_ = connection;
self = (FusionTLSConnection*) g_object_new (object_type, "socket-connection", _tmp0_, NULL);
_tmp1_ = self->priv->_socket_connection;
_tmp2_ = g_socket_connection_get_socket (_tmp1_);
_tmp3_ = _g_object_ref0 (_tmp2_);
_g_object_unref0 (self->priv->socket);
self->priv->socket = _tmp3_;
_tmp4_ = gnutls_anon_server_credentials_create ();
anon_creds = _tmp4_;
_tmp5_ = gnutls_dh_params_create ();
dh_params = _tmp5_;
_tmp6_ = dh_params;
gnutls_dh_params_generate2 (_tmp6_, (guint) FUSION_TLS_CONNECTION_DH_BITS);
_tmp7_ = anon_creds;
_tmp8_ = dh_params;
gnutls_anon_set_server_dh_params (_tmp7_, _tmp8_);
_tmp9_ = gnutls_create ();
_gnutls_deinit0 (self->tls_session);
self->tls_session = _tmp9_;
_tmp10_ = self->tls_session;
_tmp12_ = gnutls_priority_set_direct (_tmp10_, "NORMAL:+ANON-DH", &_tmp11_);
_g_free0 (err);
_tmp13_ = g_strdup (_tmp11_);
err = _tmp13_;
if (_tmp12_ < 0) {
const gchar* _tmp14_ = NULL;
GError* _tmp15_ = NULL;
_tmp14_ = err;
_tmp15_ = g_error_new (G_IO_ERROR, G_IO_ERROR_FAILED, "Invalid chipers priority: %s", _tmp14_);
_inner_error_ = _tmp15_;
g_propagate_error (error, _inner_error_);
_g_free0 (err);
_gnutls_dh_params_deinit0 (dh_params);
_gnutls_anon_free_server_credentials0 (anon_creds);
_g_object_unref0 (self);
return NULL;
}
_tmp16_ = self->tls_session;
_tmp17_ = anon_creds;
anon_creds = NULL;
gnutls_credentials_set (_tmp16_, GNUTLS_CRD_ANON, _tmp17_);
_tmp18_ = self->tls_session;
_tmp19_ = self->priv->socket;
_tmp20_ = g_socket_get_fd (_tmp19_);
gnutls_transport_set_ptr (_tmp18_, (void*) ((glong) _tmp20_));
_tmp21_ = fusion_tls_input_stream_new (self);
_tmp22_ = _tmp21_;
fusion_tls_connection_set_input_stream (self, (GInputStream*) _tmp22_);
_g_object_unref0 (_tmp22_);
_tmp23_ = fusion_tls_output_stream_new (self);
_tmp24_ = _tmp23_;
fusion_tls_connection_set_output_stream (self, (GOutputStream*) _tmp24_);
_g_object_unref0 (_tmp24_);
_g_free0 (err);
_gnutls_dh_params_deinit0 (dh_params);
_gnutls_anon_free_server_credentials0 (anon_creds);
return self;
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
gnutls_dh_params_t dh_params;
char buf[128];
const gnutls_datum_t p3 =
{ (unsigned char *) pkcs3, strlen(pkcs3) };
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(anoncred, dh_params);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
ret = gnutls_priority_set_direct(session,
"NORMAL:+ANON-DH:+ANON-ECDH", NULL);
if (ret < 0) {
fail("server: priority set failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
ret = gnutls_record_recv(session, buf, sizeof(buf));
} while(ret > 0);
if (ret < 0) {
fail("error: %s\n", gnutls_strerror(ret));
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int sds[], struct params_res *params)
{
gnutls_anon_server_credentials_t anoncred;
static gnutls_datum_t session_ticket_key = { NULL, 0 };
int ret;
size_t t;
gnutls_session_t session;
/* this must be called once in the program, it is mostly for the server.
*/
if (debug) {
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(3);
}
global_init();
gnutls_anon_allocate_server_credentials(&anoncred);
if (debug)
success("Launched, generating DH parameters...\n");
gnutls_anon_set_server_dh_params(anoncred, dh_params);
if (params->enable_db) {
wrap_db_init();
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_key_generate(&session_ticket_key);
for (t = 0; t < SESSIONS; t++) {
int sd = sds[t];
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits(session, DH_BITS);
if (params->enable_db) {
gnutls_db_set_retrieve_function(session, wrap_db_fetch);
gnutls_db_set_remove_function(session, wrap_db_delete);
gnutls_db_set_store_function(session, wrap_db_store);
gnutls_db_set_ptr(session, NULL);
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_enable_server(session,
&session_ticket_key);
gnutls_transport_set_int(session, sd);
gnutls_dtls_set_timeouts(session, 3*1000, 240 * 1000);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && (ret == GNUTLS_E_INTERRUPTED||ret == GNUTLS_E_AGAIN));
if (ret < 0) {
close(sd);
gnutls_deinit(session);
kill(child, SIGTERM);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
kill(child, SIGTERM);
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
}
if (params->enable_db) {
wrap_db_deinit();
}
gnutls_free(session_ticket_key.data);
session_ticket_key.data = NULL;
gnutls_anon_free_server_credentials(anoncred);
if (debug)
success("server: finished\n");
}
/**
* Initiates a new TLS session.
*
* @return 0 on success, -1 on error.
*/
int
tls_init(struct gnutella_socket *s)
{
/**
* ANON-DH is enabled because we don't use PKI.
* DEFLATE is disabled because it seems to cause crashes.
* ARCFOUR-40 is disabled because it is deprecated.
*/
static const char prio_want[] = "NORMAL:+ANON-DH:-ARCFOUR-40:-COMP-DEFLATE";
/* "-COMP-DEFLATE" is causing an error on MinGW with GnuTLS 2.10.2 */
static const char prio_must[] = "NORMAL:+ANON-DH:-ARCFOUR-40";
const bool server = SOCK_CONN_INCOMING == s->direction;
struct tls_context *ctx;
const char *fn;
int e;
#define TRY(function) (fn = (#function)), e = function
socket_check(s);
WALLOC0(ctx);
ctx->s = s;
s->tls.ctx = ctx;
if (
TRY(gnutls_init)(&ctx->session, server ? GNUTLS_SERVER : GNUTLS_CLIENT)
) {
ctx->session = NULL;
goto failure;
}
if (TRY(gnutls_priority_set_direct)(ctx->session, prio_want, NULL)) {
const char *error;
if (TRY(gnutls_priority_set_direct)(ctx->session, prio_must, &error)) {
g_warning("%s() failed at \"%s\"", fn, error);
goto failure;
}
}
if (TRY(gnutls_credentials_set)(ctx->session,
GNUTLS_CRD_CERTIFICATE, cert_cred))
goto failure;
gnutls_dh_set_prime_bits(ctx->session, TLS_DH_BITS);
#ifdef USE_TLS_CUSTOM_IO
gnutls_transport_set_ptr(ctx->session, s);
gnutls_transport_set_push_function(ctx->session, tls_push);
gnutls_transport_set_pull_function(ctx->session, tls_pull);
#if !HAS_TLS(2, 12)
/*
* This routine has been removed starting TLS 3.0. It was used to disable
* the lowat feature, and apparently this is now always the case in recent
* TLS versions. --RAM, 2011-09-28
*
* It's also flagged as deprecated in 2.12.x, so don't use it there.
* --RAM, 2011-12-15
*/
gnutls_transport_set_lowat(ctx->session, 0);
#endif
#else /* !USE_TLS_CUSTOM_IO */
g_assert(is_valid_fd(s->file_desc));
gnutls_transport_set_ptr(ctx->session, int_to_pointer(s->file_desc));
#endif /* USE_TLS_CUSTOM_IO */
if (server) {
if (TRY(gnutls_anon_allocate_server_credentials)(&ctx->server_cred))
goto failure;
gnutls_anon_set_server_dh_params(ctx->server_cred, get_dh_params());
if (TRY(gnutls_credentials_set)(ctx->session,
GNUTLS_CRD_ANON, ctx->server_cred))
goto failure;
} else {
if (TRY(gnutls_anon_allocate_client_credentials)(&ctx->client_cred))
goto failure;
if (TRY(gnutls_credentials_set)(ctx->session,
GNUTLS_CRD_ANON, ctx->client_cred))
goto failure;
}
return 0;
failure:
g_warning("%s() failed: %s", EMPTY_STRING(fn), gnutls_strerror(e));
tls_free(s);
return -1;
#undef TRY
}
int
init_remote_listener(int port, gboolean encrypted)
{
int rc;
int *ssock = NULL;
struct sockaddr_in saddr;
int optval;
static struct mainloop_fd_callbacks remote_listen_fd_callbacks = {
.dispatch = cib_remote_listen,
.destroy = remote_connection_destroy,
};
if (port <= 0) {
/* don't start it */
return 0;
}
if (encrypted) {
#ifndef HAVE_GNUTLS_GNUTLS_H
crm_warn("TLS support is not available");
return 0;
#else
crm_notice("Starting TLS listener on port %d", port);
crm_gnutls_global_init();
/* gnutls_global_set_log_level (10); */
gnutls_global_set_log_function(debug_log);
if (pcmk__init_tls_dh(&dh_params) != GNUTLS_E_SUCCESS) {
return -1;
}
gnutls_anon_allocate_server_credentials(&anon_cred_s);
gnutls_anon_set_server_dh_params(anon_cred_s, dh_params);
#endif
} else {
crm_warn("Starting plain-text listener on port %d", port);
}
#ifndef HAVE_PAM
crm_warn("PAM is _not_ enabled!");
#endif
/* create server socket */
ssock = malloc(sizeof(int));
if(ssock == NULL) {
crm_perror(LOG_ERR, "Listener socket allocation failed");
return -1;
}
*ssock = socket(AF_INET, SOCK_STREAM, 0);
if (*ssock == -1) {
crm_perror(LOG_ERR, "Listener socket creation failed");
free(ssock);
return -1;
}
/* reuse address */
optval = 1;
rc = setsockopt(*ssock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
if (rc < 0) {
crm_perror(LOG_WARNING,
"Local address reuse not allowed on listener socket");
}
/* bind server socket */
memset(&saddr, '\0', sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons(port);
if (bind(*ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) {
crm_perror(LOG_ERR, "Cannot bind to listener socket");
close(*ssock);
free(ssock);
return -2;
}
if (listen(*ssock, 10) == -1) {
crm_perror(LOG_ERR, "Cannot listen on socket");
close(*ssock);
free(ssock);
return -3;
}
mainloop_add_fd("cib-remote", G_PRIORITY_DEFAULT, *ssock, ssock, &remote_listen_fd_callbacks);
crm_debug("Started listener on port %d", port);
return *ssock;
}
void doit(void)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 =
{ (unsigned char *) pkcs3, strlen(pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN, i;
/* Need to enable anonymous KX specifically. */
ssize_t ns;
int ret, transferred = 0;
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_priority_set_direct(server,
"NONE:+VERS-TLS-ALL:+ARCFOUR-128:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+ANON-DH",
NULL);
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_priority_set_direct(client,
"NONE:+VERS-TLS-ALL:+CIPHER-ALL:+ARCFOUR-128:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+ANON-DH",
NULL);
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
memset(b1, 0, sizeof(b1));
HANDSHAKE(client, server);
if (debug)
success("Handshake established\n");
memset(b1, 1, MAX_BUF);
/* try the maximum allowed */
ret = gnutls_record_send(client, b1, MAX_BUF);
if (ret < 0) {
fprintf(stderr, "Error sending %d bytes: %s\n",
(int) MAX_BUF, gnutls_strerror(ret));
exit(1);
}
if (ret != MAX_BUF) {
fprintf(stderr, "Couldn't send %d bytes\n", (int) MAX_BUF);
exit(1);
}
ret = gnutls_record_recv(server, buffer, MAX_BUF);
if (ret < 0) {
fprintf(stderr, "Error receiving %d bytes: %s\n",
(int) MAX_BUF, gnutls_strerror(ret));
exit(1);
}
if (ret != MAX_BUF) {
fprintf(stderr, "Couldn't receive %d bytes, received %d\n",
(int) MAX_BUF, ret);
exit(1);
}
if (memcmp(b1, buffer, MAX_BUF) != 0) {
fprintf(stderr, "Buffers do not match!\n");
exit(1);
}
/* Try sending various other sizes */
for (i = 1; i < 128; i++) {
TRANSFER(client, server, b1, i, buffer, MAX_BUF);
}
if (debug)
fputs("\n", stdout);
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
}
int
init_remote_listener(int port, gboolean encrypted)
{
int ssock;
struct sockaddr_in saddr;
int optval;
if (port <= 0) {
/* dont start it */
return 0;
}
if (encrypted) {
#ifndef HAVE_GNUTLS_GNUTLS_H
crm_warn("TLS support is not available");
return 0;
#else
crm_notice("Starting a tls listener on port %d.", port);
gnutls_global_init();
/* gnutls_global_set_log_level (10); */
gnutls_global_set_log_function(debug_log);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, DH_BITS);
gnutls_anon_allocate_server_credentials(&anon_cred_s);
gnutls_anon_set_server_dh_params(anon_cred_s, dh_params);
#endif
} else {
crm_warn("Starting a plain_text listener on port %d.", port);
}
#ifndef HAVE_PAM
crm_warn("PAM is _not_ enabled!");
#endif
/* create server socket */
ssock = socket(AF_INET, SOCK_STREAM, 0);
if (ssock == -1) {
crm_perror(LOG_ERR, "Can not create server socket." ERROR_SUFFIX);
return -1;
}
/* reuse address */
optval = 1;
setsockopt(ssock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
/* bind server socket */
memset(&saddr, '\0', sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons(port);
if (bind(ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) {
crm_perror(LOG_ERR, "Can not bind server socket." ERROR_SUFFIX);
return -2;
}
if (listen(ssock, 10) == -1) {
crm_perror(LOG_ERR, "Can not start listen." ERROR_SUFFIX);
return -3;
}
G_main_add_fd(G_PRIORITY_HIGH, ssock, FALSE,
cib_remote_listen, NULL, default_ipc_connection_destroy);
return ssock;
}
void try_with_key_ks(const char *name, const char *client_prio, gnutls_kx_algorithm_t client_kx,
gnutls_sign_algorithm_t server_sign_algo,
gnutls_sign_algorithm_t client_sign_algo,
const gnutls_datum_t *serv_cert,
const gnutls_datum_t *serv_key,
const gnutls_datum_t *client_cert,
const gnutls_datum_t *client_key,
unsigned cert_flags,
unsigned exp_group,
gnutls_certificate_type_t server_ctype,
gnutls_certificate_type_t client_ctype)
{
int ret;
char buffer[256];
/* Server stuff. */
gnutls_certificate_credentials_t server_cred;
gnutls_anon_server_credentials_t s_anoncred;
gnutls_dh_params_t dh_params;
const gnutls_datum_t p3 =
{ (unsigned char *) pkcs3, strlen(pkcs3) };
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t client_cred;
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN, version;
const char *err;
/* General init. */
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
reset_buffers();
/* Init server */
assert(gnutls_anon_allocate_server_credentials(&s_anoncred)>=0);
assert(gnutls_certificate_allocate_credentials(&server_cred)>=0);
// Set server crt creds based on ctype
switch (server_ctype) {
case GNUTLS_CRT_X509:
ret = gnutls_certificate_set_x509_key_mem(server_cred,
serv_cert, serv_key,
GNUTLS_X509_FMT_PEM);
break;
case GNUTLS_CRT_RAWPK:
ret = gnutls_certificate_set_rawpk_key_mem(server_cred,
serv_cert, serv_key, GNUTLS_X509_FMT_PEM, NULL, 0,
NULL, 0, 0);
break;
default:
ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
}
if (ret < 0) {
fail("Could not set key/cert: %s\n", gnutls_strerror(ret));
}
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_dh_params(server_cred, dh_params);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
assert(gnutls_init(&server, GNUTLS_SERVER | GNUTLS_ENABLE_RAWPK)>=0);
assert(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
server_cred)>=0);
assert(gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred)>=0);
if (server_priority)
assert(gnutls_priority_set_direct(server, server_priority, NULL) >= 0);
else
assert(gnutls_priority_set_direct(server,
"NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519:+CTYPE-ALL",
NULL)>=0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
/* Init client */
ret = gnutls_certificate_allocate_credentials(&client_cred);
if (ret < 0)
exit(1);
if (cert_flags == USE_CERT) {
// Set client crt creds based on ctype
switch (client_ctype) {
case GNUTLS_CRT_X509:
gnutls_certificate_set_x509_key_mem(client_cred,
client_cert, client_key,
GNUTLS_X509_FMT_PEM);
break;
case GNUTLS_CRT_RAWPK:
gnutls_certificate_set_rawpk_key_mem(client_cred,
client_cert, client_key, GNUTLS_X509_FMT_PEM, NULL, 0,
NULL, 0, 0);
break;
default:
fail("Illegal client certificate type given\n");
}
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE);
} else if (cert_flags == ASK_CERT) {
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
}
#if 0
ret = gnutls_certificate_set_x509_trust_mem(client_cred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
#endif
ret = gnutls_init(&client, GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK);
if (ret < 0)
exit(1);
assert(gnutls_anon_allocate_client_credentials(&c_anoncred)>=0);
assert(gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred)>=0);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
client_cred);
if (ret < 0)
exit(1);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
ret = gnutls_priority_set_direct(client, client_prio, &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST)
fprintf(stderr, "Error in %s\n", err);
exit(1);
}
success("negotiating %s\n", name);
HANDSHAKE(client, server);
if (gnutls_kx_get(client) != client_kx) {
fail("%s: got unexpected key exchange algorithm: %s (expected %s)\n", name, gnutls_kx_get_name(gnutls_kx_get(client)),
gnutls_kx_get_name(client_kx));
exit(1);
}
/* test signature algorithm match */
version = gnutls_protocol_get_version(client);
if (version >= GNUTLS_TLS1_2) {
ret = gnutls_sign_algorithm_get(server);
if (ret != (int)server_sign_algo) {
fail("%s: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
ret = gnutls_sign_algorithm_get_client(server);
if (ret != (int)client_sign_algo) {
fail("%s: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
ret = gnutls_sign_algorithm_get(client);
if (ret != (int)server_sign_algo) {
fail("%s: cl: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
ret = gnutls_sign_algorithm_get_client(client);
if (ret != (int)client_sign_algo) {
fail("%s: cl: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
}
if (exp_group != 0) {
ret = gnutls_group_get(server);
if (ret != (int)exp_group) {
fail("%s: got unexpected server group: %d/%s\n", name, ret, gnutls_group_get_name(ret));
}
ret = gnutls_group_get(client);
if (ret != (int)exp_group) {
fail("%s: got unexpected client group: %d/%s\n", name, ret, gnutls_group_get_name(ret));
}
}
gnutls_record_send(server, MSG, strlen(MSG));
ret = gnutls_record_recv(client, buffer, sizeof(buffer));
if (ret == 0) {
fail("client: Peer has closed the TLS connection\n");
exit(1);
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
exit(1);
}
if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) {
fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret);
exit(1);
}
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(server_cred);
gnutls_certificate_free_credentials(client_cred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_dh_params_deinit(dh_params);
}
int
main (void)
{
int err, listen_sd;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
gnutls_session_t session;
char buffer[MAX_BUF + 1];
int optval = 1;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_anon_allocate_server_credentials (&anoncred);
generate_dh_params ();
gnutls_anon_set_server_dh_params (anoncred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
SOCKET_ERR (listen_sd, "socket");
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
SOCKET_ERR (err, "bind");
err = listen (listen_sd, 1024);
SOCKET_ERR (err, "listen");
printf ("Server ready. Listening to port '%d'.\n\n", PORT);
client_len = sizeof (sa_cli);
for (;;)
{
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
printf ("- connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
continue;
}
printf ("- Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("\n- Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fprintf (stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
printf ("\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_anon_free_server_credentials (anoncred);
gnutls_global_deinit ();
return 0;
}
void dtls_try_with_key_mtu(const char *name, const char *client_prio, gnutls_kx_algorithm_t client_kx,
gnutls_sign_algorithm_t server_sign_algo,
gnutls_sign_algorithm_t client_sign_algo,
const gnutls_datum_t *serv_cert,
const gnutls_datum_t *serv_key,
const gnutls_datum_t *client_cert,
const gnutls_datum_t *client_key,
unsigned cert_flags,
unsigned smtu)
{
int ret;
char buffer[256];
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_anon_server_credentials_t s_anoncred;
gnutls_dh_params_t dh_params;
const gnutls_datum_t p3 =
{ (unsigned char *) pkcs3, strlen(pkcs3) };
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN, version;
/* General init. */
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
reset_buffers();
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_certificate_allocate_credentials(&serverx509cred);
ret = gnutls_certificate_set_x509_key_mem(serverx509cred,
serv_cert, serv_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("Could not set key/cert: %s\n", gnutls_strerror(ret));
}
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_dh_params(serverx509cred, dh_params);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
assert(gnutls_init(&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK)>=0);
assert(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred)>=0);
assert(gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred)>=0);
assert(gnutls_priority_set_direct(server,
"NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519",
NULL)>=0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_pull_timeout_function(server, server_pull_timeout_func);
gnutls_transport_set_ptr(server, server);
if (smtu)
gnutls_dtls_set_mtu (server, smtu);
/* Init client */
ret = gnutls_certificate_allocate_credentials(&clientx509cred);
if (ret < 0)
exit(1);
if (cert_flags == USE_CERT) {
ret = gnutls_certificate_set_x509_key_mem(clientx509cred,
client_cert, client_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("Could not set key/cert: %s\n", gnutls_strerror(ret));
}
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE);
} else if (cert_flags == ASK_CERT) {
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
}
#if 0
ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
#endif
ret = gnutls_init(&client, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK);
if (ret < 0)
exit(1);
assert(gnutls_anon_allocate_client_credentials(&c_anoncred)>=0);
assert(gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred)>=0);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_pull_timeout_function(client, client_pull_timeout_func);
gnutls_transport_set_ptr(client, client);
if (smtu)
gnutls_dtls_set_mtu (client, smtu);
ret = gnutls_priority_set_direct(client, client_prio, NULL);
if (ret < 0) {
exit(1);
}
success("negotiating %s\n", name);
HANDSHAKE_DTLS(client, server);
if (gnutls_kx_get(client) != client_kx) {
fail("%s: got unexpected key exchange algorithm: %s (expected %s)\n", name, gnutls_kx_get_name(gnutls_kx_get(client)),
gnutls_kx_get_name(client_kx));
exit(1);
}
/* test signature algorithm match */
version = gnutls_protocol_get_version(client);
if (version >= GNUTLS_DTLS1_2) {
ret = gnutls_sign_algorithm_get(server);
if (ret != (int)server_sign_algo) {
fail("%s: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
ret = gnutls_sign_algorithm_get_client(server);
if (ret != (int)client_sign_algo) {
fail("%s: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
ret = gnutls_sign_algorithm_get(client);
if (ret != (int)server_sign_algo) {
fail("%s: cl: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
ret = gnutls_sign_algorithm_get_client(client);
if (ret != (int)client_sign_algo) {
fail("%s: cl: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret));
exit(1);
}
}
gnutls_record_send(server, MSG, strlen(MSG));
ret = gnutls_record_recv(client, buffer, sizeof(buffer));
if (ret == 0) {
fail("client: Peer has closed the TLS connection\n");
exit(1);
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
exit(1);
}
if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) {
fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret);
exit(1);
}
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_dh_params_deinit(dh_params);
}
void
doit (void)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (void *) pkcs3, strlen (pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret, cret;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
char buffer[MAX_BUF + 1];
ssize_t ns;
int ret, transferred = 0, msglen;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (99);
/* Init server */
gnutls_anon_allocate_server_credentials (&s_anoncred);
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
gnutls_init (&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK);
ret = gnutls_priority_set_direct (server, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
if (ret < 0)
exit(1);
gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits (server, 1024);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_transport_set_pull_timeout_function (server, server_pull_timeout_func);
gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_init (&client, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK);
cret = gnutls_priority_set_direct (client, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
if (cret < 0)
exit(1);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_transport_set_pull_timeout_function (client, client_pull_timeout_func);
gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);
handshake = 1;
HANDSHAKE(client, server);
handshake = 0;
if (debug)
success ("Handshake established\n");
do
{
ret = gnutls_record_send (client, MSG, strlen (MSG));
}
while(ret == GNUTLS_E_AGAIN);
//success ("client: sent %d\n", ns);
msglen = strlen(MSG);
TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF);
if (debug)
fputs ("\n", stdout);
gnutls_bye (client, GNUTLS_SHUT_WR);
gnutls_bye (server, GNUTLS_SHUT_WR);
gnutls_deinit (client);
gnutls_deinit (server);
gnutls_anon_free_client_credentials (c_anoncred);
gnutls_anon_free_server_credentials (s_anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
void
doit (void)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char *) pkcs3, strlen (pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
int n, cret = GNUTLS_E_AGAIN;
/* Need to enable anonymous KX specifically. */
const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
char buffer[MAX_BUF + 1];
ssize_t ns;
int ret;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
/* Init server */
gnutls_anon_allocate_server_credentials (&s_anoncred);
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_set_default_priority (server);
gnutls_kx_set_priority (server, kx_prio);
gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits (server, 1024);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_session_set_finished_function (server, server_finished_callback);
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_set_default_priority (client);
gnutls_kx_set_priority (client, kx_prio);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_session_set_finished_function (client, client_finished_callback);
do
{
if (cret == GNUTLS_E_AGAIN)
{
if (debug)
success ("loop invoking client:\n");
cret = gnutls_handshake (client);
if (debug)
success ("client %d: %s\n", cret, gnutls_strerror (cret));
}
if (sret == GNUTLS_E_AGAIN)
{
if (debug)
success ("loop invoking server:\n");
sret = gnutls_handshake (server);
if (debug)
success ("server %d: %s\n", sret, gnutls_strerror (sret));
}
}
while (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN);
if (debug)
success ("Handshake established\n");
ns = gnutls_record_send (client, MSG, strlen (MSG));
if (debug)
success ("client: sent %d\n", (int) ns);
ret = gnutls_record_recv (server, buffer, MAX_BUF);
if (ret == 0)
fail ("server: didn't receive any data\n");
else if (ret < 0)
fail ("server: error: %s\n", gnutls_strerror (ret));
else if (debug)
{
printf ("server: received %d: ", ret);
for (n = 0; n < ret; n++)
fputc (buffer[n], stdout);
fputs ("\n", stdout);
}
ns = gnutls_record_send (server, MSG, strlen (MSG));
if (debug)
success ("server: sent %d\n", (int) ns);
ret = gnutls_record_recv (client, buffer, MAX_BUF);
if (ret == 0)
{
fail ("client: Peer has closed the TLS connection\n");
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
}
else if (debug)
{
printf ("client: received %d: ", ret);
for (n = 0; n < ret; n++)
fputc (buffer[n], stdout);
fputs ("\n", stdout);
}
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
free (to_server);
free (to_client);
gnutls_anon_free_client_credentials (c_anoncred);
gnutls_anon_free_server_credentials (s_anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
