static int turn_on_raw_ssl(SOCKET sfd)
{
#ifdef HAVE_OPENSSL
int
rc=(-1);
SSL
*ssl;
ssl=msock_get_ssl();
if (ssl)
{
if (!SSL_set_fd(ssl,sfd))
{
errorMsg("turn_on_raw_ssl: failed to set socket %d to SSL\n",sfd);
return(-1);
}
/* must set back to msock's static */
msock_set_ssl(ssl);
rc=SSL_connect(ssl);
if (rc < 1)
{
errorMsg("turn_on_raw_ssl: SSL connection failed\n");
ERR_print_errors_fp(stderr);
return(-1);
}
print_cert_info(ssl);
/* tell msock everything is ssl after that */
msock_turn_ssl_on();
rc=0;
return(0);
}
#endif /* HAVE_OPENSSL */
return(-1);
}
test_code_t
test_certificate (gnutls_session session)
{
int ret;
if (verbose == 0)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_FAILED)
return ret;
printf ("\n");
print_cert_info (session, hostname);
return TEST_SUCCEED;
}
int smtp_start_tls(int sfd)
{
int
rc=(-1);
#ifdef HAVE_OPENSSL
SSL
*ssl=NULL;
#endif /* HAVE_OPENSSL */
memset(buf,0,sizeof(buf));
(void) snprintf(buf,sizeof(buf)-1,"%s\r\n","STARTTLS");
showVerbose("[C] %s",buf);
msock_puts(buf);
rc=read_smtp_line();
if (smtp_code != 220)
{
errorMsg("Unknown STARTTLS response code %d\n",smtp_code);
return(-1);
}
#ifdef HAVE_OPENSSL
ssl=msock_get_ssl();
if (ssl)
{
if (!SSL_set_fd(ssl,sfd))
{
errorMsg("failed to set socket to SSL\n");
return(-1);
}
/* must set back to msock's static */
msock_set_ssl(ssl);
rc=SSL_connect(ssl);
if (rc < 1)
{
errorMsg("SSL connection failed\n");
ERR_print_errors_fp(stderr);
return(-1);
}
print_cert_info(ssl);
/* tell msock everything is ssl after that */
msock_turn_ssl_on();
rc=0;
}
else
{
errorMsg("Could not start STARTTLS, SSL not initialized properly");
rc=(-1);
}
#else
errorMsg("Not Compiled with OpenSSL, will not try STARTTLS");
rc=(-1);
#endif /*HAVE_OPENSSL */
return(rc);
}
static int list_certificates(void)
{
int r, i;
struct sc_pkcs15_object *objs[32];
r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_CERT_X509, objs, 32);
if (r < 0) {
fprintf(stderr, "Certificate enumeration failed: %s\n", sc_strerror(r));
return 1;
}
if (verbose)
printf("Card has %d certificate(s).\n\n", r);
for (i = 0; i < r; i++) {
print_cert_info(objs[i]);
printf("\n");
}
return 0;
}
test_code_t
test_certificate (gnutls_session_t session)
{
int ret;
if (verbose == 0)
return TEST_IGNORE;
sprintf (prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS
":" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct (session, prio_str);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_FAILED)
return ret;
printf ("\n");
print_cert_info (session, hostname, 1);
return TEST_SUCCEED;
}
int
print_info (gnutls_session_t session, int print_cert)
{
const char *tmp;
gnutls_credentials_type_t cred;
gnutls_kx_algorithm_t kx;
unsigned char session_id[33];
size_t session_id_size = sizeof (session_id);
/* print session ID */
gnutls_session_get_id (session, session_id, &session_id_size);
printf ("- Session ID: %s\n",
raw_to_string (session_id, session_id_size));
/* print the key exchange's algorithm name
*/
kx = gnutls_kx_get (session);
cred = gnutls_auth_get_type (session);
switch (cred)
{
#ifdef ENABLE_ANON
case GNUTLS_CRD_ANON:
if (kx == GNUTLS_KX_ANON_ECDH)
print_ecdh_info (session, "Anonymous ");
else
print_dh_info (session, "Anonymous ", verbose);
break;
#endif
#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
/* This should be only called in server
* side.
*/
if (gnutls_srp_server_get_username (session) != NULL)
printf ("- SRP authentication. Connected as '%s'\n",
gnutls_srp_server_get_username (session));
break;
#endif
#ifdef ENABLE_PSK
case GNUTLS_CRD_PSK:
/* This returns NULL in server side.
*/
if (gnutls_psk_client_get_hint (session) != NULL)
printf ("- PSK authentication. PSK hint '%s'\n",
gnutls_psk_client_get_hint (session));
/* This returns NULL in client side.
*/
if (gnutls_psk_server_get_username (session) != NULL)
printf ("- PSK authentication. Connected as '%s'\n",
gnutls_psk_server_get_username (session));
if (kx == GNUTLS_KX_DHE_PSK)
print_dh_info (session, "Ephemeral ", verbose);
if (kx == GNUTLS_KX_ECDHE_PSK)
print_ecdh_info (session, "Ephemeral ");
break;
#endif
case GNUTLS_CRD_IA:
printf ("- TLS/IA authentication\n");
break;
case GNUTLS_CRD_CERTIFICATE:
{
char dns[256];
size_t dns_size = sizeof (dns);
unsigned int type;
/* This fails in client side */
if (gnutls_server_name_get
(session, dns, &dns_size, &type, 0) == 0)
{
printf ("- Given server name[%d]: %s\n", type, dns);
}
}
print_cert_info (session,
verbose?GNUTLS_CRT_PRINT_FULL:GNUTLS_CRT_PRINT_COMPACT,
print_cert);
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
print_dh_info (session, "Ephemeral ", verbose);
else if (kx == GNUTLS_KX_ECDHE_RSA
|| kx == GNUTLS_KX_ECDHE_ECDSA)
print_ecdh_info (session, "Ephemeral ");
}
tmp =
SU (gnutls_protocol_get_name
(gnutls_protocol_get_version (session)));
printf ("- Version: %s\n", tmp);
tmp = SU (gnutls_kx_get_name (kx));
printf ("- Key Exchange: %s\n", tmp);
tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session)));
printf ("- Cipher: %s\n", tmp);
tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session)));
printf ("- MAC: %s\n", tmp);
tmp =
SU (gnutls_compression_get_name
(gnutls_compression_get (session)));
printf ("- Compression: %s\n", tmp);
if (verbose)
{
gnutls_datum_t cb;
int rc;
rc = gnutls_session_channel_binding (session,
GNUTLS_CB_TLS_UNIQUE, &cb);
if (rc)
fprintf (stderr, "Channel binding error: %s\n",
gnutls_strerror (rc));
else
{
size_t i;
printf ("- Channel binding 'tls-unique': ");
for (i = 0; i < cb.size; i++)
printf ("%02x", cb.data[i]);
printf ("\n");
}
}
/* Warning: Do not print anything more here. The 'Compression:'
output MUST be the last non-verbose output. This is used by
Emacs starttls.el code. */
fflush (stdout);
return 0;
}
/*
** print info about SMTP server on stdout
** return 0 on success -1 on error
*/
int show_smtp_info(char *smtp_server,int port,char *domain)
{
int
fd,
rc = (-1);
#ifdef HAVE_OPENSSL
SSL
*ssl=NULL;
#endif /* HAVE_OPENSSL */
g_verbose=1;
print_info("Connecting to SMTP server: %s at Port: %d\n",smtp_server,port);
print_info("Connection timeout: %d secs\n",g_connect_timeout);
/* connect */
fd=smtpConnect(smtp_server,port);
if (fd == INVALID_SOCKET)
{
rc = (-1);
goto ExitProcessing;
}
#ifdef HAVE_OPENSSL
if (g_do_ssl)
{
ssl=msock_get_ssl();
if (ssl)
{
if (!SSL_set_fd(ssl,fd))
{
errorMsg("failed to set socket to SSL\n");
goto ExitProcessing;
}
/* must set back to msock's static */
msock_set_ssl(ssl);
rc=SSL_connect(ssl);
if (rc < 1)
{
errorMsg("SSL connection failed\n");
ERR_print_errors_fp(stderr);
goto ExitProcessing;
}
print_cert_info(ssl);
/* tell msock everything is ssl after that */
msock_turn_ssl_on();
rc=0;
}
}
#endif /* HAVE_OPENSSL */
/* read greeting */
rc=read_greetings();
if (rc < 0)
{
errorMsg("Could not read greetings\n");
goto ExitProcessing;
}
/* say HELO/EHLO */
say_helo(domain);
/* check if server supports STARTTLS */
if (check_server_cap("STARTTLS") ||
check_server_cap("TLS"))
{
rc=smtp_start_tls(fd);
if (rc == 0)
say_helo(domain);
else
goto ExitProcessing;
}
smtp_QUIT();
smtpDisconnect();
ExitProcessing:
return (rc);
}
int
print_info (gnutls_session_t session, const char *hostname, int insecure)
{
const char *tmp;
gnutls_credentials_type_t cred;
gnutls_kx_algorithm_t kx;
/* print the key exchange's algorithm name
*/
kx = gnutls_kx_get (session);
cred = gnutls_auth_get_type (session);
switch (cred)
{
#ifdef ENABLE_ANON
case GNUTLS_CRD_ANON:
print_dh_info (session, "Anonymous ");
break;
#endif
#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
/* This should be only called in server
* side.
*/
if (gnutls_srp_server_get_username (session) != NULL)
printf ("- SRP authentication. Connected as '%s'\n",
gnutls_srp_server_get_username (session));
break;
#endif
#ifdef ENABLE_PSK
case GNUTLS_CRD_PSK:
/* This returns NULL in server side.
*/
if (gnutls_psk_client_get_hint (session) != NULL)
printf ("- PSK authentication. PSK hint '%s'\n",
gnutls_psk_client_get_hint (session));
/* This returns NULL in client side.
*/
if (gnutls_psk_server_get_username (session) != NULL)
printf ("- PSK authentication. Connected as '%s'\n",
gnutls_psk_server_get_username (session));
if (kx == GNUTLS_KX_DHE_PSK)
print_dh_info (session, "Ephemeral ");
break;
#endif
case GNUTLS_CRD_IA:
printf ("- TLS/IA authentication\n");
break;
case GNUTLS_CRD_CERTIFICATE:
{
char dns[256];
size_t dns_size = sizeof (dns);
unsigned int type;
/* This fails in client side */
if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
{
printf ("- Given server name[%d]: %s\n", type, dns);
}
}
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
print_dh_info (session, "Ephemeral ");
print_cert_info (session, hostname, insecure);
print_cert_vrfy (session);
}
tmp = SU (gnutls_protocol_get_name (gnutls_protocol_get_version (session)));
printf ("- Version: %s\n", tmp);
tmp = SU (gnutls_kx_get_name (kx));
printf ("- Key Exchange: %s\n", tmp);
tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session)));
printf ("- Cipher: %s\n", tmp);
tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session)));
printf ("- MAC: %s\n", tmp);
tmp = SU (gnutls_compression_get_name (gnutls_compression_get (session)));
printf ("- Compression: %s\n", tmp);
if (verbose)
{
char id[32];
size_t id_size = sizeof (id);
gnutls_session_get_id (session, id, &id_size);
printf ("- Session ID: %s\n", raw_to_string (id, id_size));
}
fflush (stdout);
return 0;
}
static int
cert_verify_callback (gnutls_session_t session)
{
int rc;
unsigned int status = 0;
int ssh = ENABLED_OPT(TOFU);
#ifdef HAVE_DANE
int dane = ENABLED_OPT(DANE);
#endif
int ca_verify = ENABLED_OPT(CA_VERIFICATION);
const char* txt_service;
print_cert_info (session, verbose, print_cert);
if (ca_verify)
{
rc = cert_verify(session, hostname);
if (rc == 0)
{
printf ("*** Verifying server certificate failed...\n");
if (!insecure && !ssh)
return -1;
}
else if (ENABLED_OPT(OCSP) && gnutls_ocsp_status_request_is_checked(session, 0) == 0)
{ /* off-line verification succeeded. Try OCSP */
rc = cert_verify_ocsp(session);
if (rc == 0)
{
printf ("*** Verifying (with OCSP) server certificate failed...\n");
if (!insecure && !ssh)
return -1;
}
else if (rc == -1)
printf("*** OCSP response ignored\n");
}
}
if (ssh) /* try ssh auth */
{
unsigned int list_size;
const gnutls_datum_t * cert;
cert = gnutls_certificate_get_peers(session, &list_size);
if (cert == NULL)
{
fprintf(stderr, "Cannot obtain peer's certificate!\n");
return -1;
}
txt_service = port_to_service(service);
rc = gnutls_verify_stored_pubkey(NULL, NULL, hostname, txt_service,
GNUTLS_CRT_X509, cert, 0);
if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
{
print_cert_info_compact(session);
fprintf(stderr, "Host %s (%s) has never been contacted before.\n", hostname, txt_service);
if (status == 0)
fprintf(stderr, "Its certificate is valid for %s.\n", hostname);
rc = read_yesno("Are you sure you want to trust it? (y/N): ");
if (rc == 0)
return -1;
}
else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH)
{
print_cert_info_compact(session);
fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", hostname);
fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n");
if (status == 0)
fprintf(stderr, "Its certificate is valid for %s.\n", hostname);
rc = read_yesno("Do you trust the received key? (y/N): ");
if (rc == 0)
return -1;
}
else if (rc < 0)
{
fprintf(stderr, "gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(rc));
return -1;
}
if (rc != 0)
{
rc = gnutls_store_pubkey(NULL, NULL, hostname, txt_service,
GNUTLS_CRT_X509, cert, 0, 0);
if (rc < 0)
fprintf(stderr, "Could not store key: %s\n", gnutls_strerror(rc));
}
}
#ifdef HAVE_DANE
if (dane) /* try DANE auth */
{
unsigned int sflags = ENABLED_OPT(LOCAL_DNS)?0:DANE_F_IGNORE_LOCAL_RESOLVER;
rc = dane_verify_session_crt( NULL, session, hostname, udp?"udp":"tcp", atoi(service),
sflags, 0, &status);
if (rc < 0)
{
fprintf(stderr, "*** DANE verification error: %s\n", dane_strerror(rc));
if (!insecure)
return -1;
}
else
{
gnutls_datum_t out;
rc = dane_verification_status_print( status, &out, 0);
if (rc < 0)
{
fprintf(stderr, "*** DANE error: %s\n", dane_strerror(rc));
if (!insecure)
return -1;
}
fprintf(stderr, "- %s\n", out.data);
gnutls_free(out.data);
}
}
#endif
return 0;
}
