void global_start (void) { /* this must be called once in the program, it is mostly for the server. */ gnutls_global_init (); gnutls_anon_allocate_server_credentials (&anoncred); success ("Launched, generating DH parameters...\n"); generate_dh_params (); gnutls_anon_set_server_dh_params (anoncred, dh_params); if (TLS_SESSION_CACHE != 0) { wrap_db_init (); } /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); if (err == -1) { perror ("socket"); fail ("server: socket failed\n"); return; } memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); if (err == -1) { perror ("bind"); fail ("server: bind failed\n"); return; } err = listen (listen_sd, 1024); if (err == -1) { perror ("listen"); fail ("server: listen failed\n"); return; } success ("server: ready. Listening to port '%d'.\n", PORT); }
static Ecore_Con_Ssl_Error _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr, int ssl_type) { int ret; if (ssl_type & ECORE_CON_USE_SSL2) return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED; switch (ssl_type) { case ECORE_CON_USE_SSL3: case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_TLS: case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_MIXED: case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT: break; default: return ECORE_CON_SSL_ERROR_NONE; } SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert)); if ((!svr->use_cert) && svr->created) { SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params)); INF("Generating DH params"); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s)); /* TODO: implement PSK */ // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s)); gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params); gnutls_certificate_set_dh_params(svr->cert, svr->dh_params); //gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params); INF("DH params successfully generated and applied!"); } else if (!svr->use_cert) { //SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c)); } return ECORE_CON_SSL_ERROR_NONE; error: _gnutls_print_errors(ret); _ecore_con_ssl_server_shutdown_gnutls(svr); return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED; }
static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void) { gnutls_anon_server_credentials_t anon_cred; int ret; if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) { VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret)); return NULL; } gnutls_anon_set_server_dh_params(anon_cred, dh_params); return anon_cred; }
static int qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, Error **errp) { char *dhparams = NULL; int ret; int rv = -1; trace_qcrypto_tls_creds_anon_load(creds, creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>"); if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { if (qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_DH_PARAMS, false, &dhparams, errp) < 0) { goto cleanup; } ret = gnutls_anon_allocate_server_credentials(&creds->data.server); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); goto cleanup; } if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams, &creds->parent_obj.dh_params, errp) < 0) { goto cleanup; } gnutls_anon_set_server_dh_params(creds->data.server, creds->parent_obj.dh_params); } else { ret = gnutls_anon_allocate_client_credentials(&creds->data.client); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); goto cleanup; } } rv = 0; cleanup: g_free(dhparams); return rv; }
int server_create(prelude_client_profile_t *cp, const char *addr, unsigned int port, prelude_bool_t keepalive, const char *pass, gnutls_x509_privkey_t key, gnutls_x509_crt_t cacrt, gnutls_x509_crt_t crt) { int sock; size_t size; struct pollfd pfd[128]; gnutls_dh_params_t dh_params; #ifdef GNUTLS_SRP_ENABLED int ret; ret = gnutls_srp_allocate_server_credentials(&srpcred); if ( ret < 0 ) { fprintf(stderr, "error creating SRP credentials: %s.\n", gnutls_strerror(ret)); return -1; } gnutls_srp_set_server_credentials_function(srpcred, srp_callback); #endif one_shot_passwd = pass; gnutls_anon_allocate_server_credentials(&anoncred); fprintf(stderr, "Generating %d bits Diffie-Hellman key for anonymous authentication...", ANON_DH_BITS); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, ANON_DH_BITS); gnutls_anon_set_server_dh_params(anoncred, dh_params); fprintf(stderr, "\n"); size = sizeof(pfd) / sizeof(*pfd); sock = setup_server(addr, port, pfd, &size); if ( sock < 0 ) return -1; wait_connection(cp, sock, pfd, size, keepalive, key, cacrt, crt); #ifdef GNUTLS_SRP_ENABLED gnutls_srp_free_server_credentials(srpcred); #endif gnutls_anon_free_server_credentials(anoncred); return 0; }
bool GnuTLSServerAnon::init( const std::string&, const std::string&, const StringList& ) { const int protocolPriority[] = { GNUTLS_TLS1, 0 }; const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 }; const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 }; const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; if( m_initLib && gnutls_global_init() != 0 ) return false; if( gnutls_anon_allocate_server_credentials( &m_anoncred ) < 0 ) return false; generateDH(); gnutls_anon_set_server_dh_params( m_anoncred, m_dhParams ); if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 ) return false; gnutls_protocol_set_priority( *m_session, protocolPriority ); gnutls_cipher_set_priority( *m_session, cipherPriority ); gnutls_compression_set_priority( *m_session, compPriority ); gnutls_kx_set_priority( *m_session, kxPriority ); gnutls_mac_set_priority( *m_session, macPriority ); gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred ); gnutls_dh_set_prime_bits( *m_session, m_dhBits ); gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this ); gnutls_transport_set_push_function( *m_session, pushFunc ); gnutls_transport_set_pull_function( *m_session, pullFunc ); m_valid = true; return true; }
bool SslContext::post_config() { TRACE("SslContext.postConfig()"); if (error_) return false; if (!enabled) return false; // if (rsaParams_) // gnutls_certificate_set_rsa_export_params(certs_, rsaParams_); if (dhParams_) { TRACE("setting DH params"); gnutls_certificate_set_dh_params(certs_, dhParams_); gnutls_anon_set_server_dh_params(anonCreds_, dhParams_); } gnutls_certificate_server_set_retrieve_function(certs_, &SslContext::onRetrieveCert); // SRP... return true; }
void anon_server_credentials::set_dh_params (const dh_params & params) { gnutls_anon_set_server_dh_params (cred, params.get_params_t ()); }
int main (void) { fprintf(stderr, "sizeof(evcom_server): %d\n", (int)sizeof(evcom_server)); fprintf(stderr, "sizeof(evcom_stream): %d\n", (int)sizeof(evcom_stream)); fprintf(stderr, "sizeof(evcom_reader): %d\n", (int)sizeof(evcom_reader)); fprintf(stderr, "sizeof(evcom_writer): %d\n", (int)sizeof(evcom_writer)); evcom_ignore_sigpipe(); #if EVCOM_HAVE_GNUTLS gnutls_global_init(); gnutls_dh_params_init (&dh_params); fsync(fileno(stderr)); gnutls_dh_params_generate2 (dh_params, DH_BITS); gnutls_anon_allocate_server_credentials (&server_credentials); gnutls_anon_set_server_dh_params (server_credentials, dh_params); #endif struct sockaddr_in tcp_address; memset(&tcp_address, 0, sizeof(struct sockaddr_in)); tcp_address.sin_family = AF_INET; tcp_address.sin_port = htons(PORT); tcp_address.sin_addr.s_addr = INADDR_ANY; use_tls = 0; fprintf(stderr, "pair_pingpong use_pipe=1: "); assert(pair_pingpong(1) == 0); fprintf(stderr, "\n"); fprintf(stderr, "pair_pingpong use_pipe=0: "); assert(pair_pingpong(0) == 0); fprintf(stderr, "\n"); fprintf(stderr, "zero_stream tcp: "); assert(zero_stream((struct sockaddr*)&tcp_address, 5*1024*1024) == 0); fprintf(stderr, "\n"); fprintf(stderr, "pipe_stream: "); assert(pipe_stream() == 0); fprintf(stderr, "\n"); fprintf(stderr, "pingpong tcp: "); assert(pingpong((struct sockaddr*)&tcp_address) == 0); fprintf(stderr, "\n"); fprintf(stderr, "connint tcp: "); assert(connint((struct sockaddr*)&tcp_address) == 0); fprintf(stderr, "\n"); #if EVCOM_HAVE_GNUTLS use_tls = 1; fprintf(stderr, "zero_stream ssl: "); assert(zero_stream((struct sockaddr*)&tcp_address, 50*1024) == 0); fprintf(stderr, "\n"); fprintf(stderr, "pair_pingpong ssl use_pipe=1: "); assert(pair_pingpong(1) == 0); fprintf(stderr, "\n"); fprintf(stderr, "pair_pingpong ssl use_pipe=0: "); assert(pair_pingpong(0) == 0); fprintf(stderr, "\n"); fprintf(stderr, "pingpong ssl: "); assert(pingpong((struct sockaddr*)&tcp_address) == 0); fprintf(stderr, "\n"); fprintf(stderr, "connint ssl: "); assert(connint((struct sockaddr*)&tcp_address) == 0); fprintf(stderr, "\n"); #endif struct sockaddr *unix_address; use_tls = 0; fprintf(stderr, "pingpong unix: "); unix_address = create_unix_address(); assert(pingpong(unix_address) == 0); free_unix_address(unix_address); fprintf(stderr, "\n"); fprintf(stderr, "connint unix: "); unix_address = create_unix_address(); assert(connint(unix_address) == 0); free_unix_address(unix_address); fprintf(stderr, "\n"); #if EVCOM_HAVE_GNUTLS use_tls = 1; fprintf(stderr, "pingpong unix ssl: "); unix_address = create_unix_address(); assert(pingpong(unix_address) == 0); free_unix_address(unix_address); fprintf(stderr, "\n"); fprintf(stderr, "connint unix ssl: "); unix_address = create_unix_address(); assert(connint(unix_address) == 0); free_unix_address(unix_address); fprintf(stderr, "\n"); #endif return 0; }
static void server (struct params_res *params) { size_t t; /* this must be called once in the program, it is mostly for the server. */ if (debug) { gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (2); } gnutls_global_init (); gnutls_anon_allocate_server_credentials (&anoncred); if (debug) success ("Launched, generating DH parameters...\n"); generate_dh_params (); gnutls_anon_set_server_dh_params (anoncred, dh_params); if (params->enable_db) { wrap_db_init (); } if (params->enable_session_ticket_server) gnutls_session_ticket_key_generate (&session_ticket_key); for (t = 0; t < 2; t++) { client_len = sizeof (sa_cli); session = initialize_tls_session (params); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); if (debug) success ("server: connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); return; } if (debug) success ("server: Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail ("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); } close (listen_sd); if (params->enable_db) { wrap_db_deinit (); } gnutls_free (session_ticket_key.data); session_ticket_key.data = NULL; if (debug) success ("server: finished\n"); }
static void test_ciphersuite(const char *cipher_prio, int size) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; const gnutls_datum_t p3 = { (char *) pkcs3, strlen(pkcs3) }; static gnutls_dh_params_t dh_params; gnutls_session_t server; int sret, cret; const char *str; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; /* Need to enable anonymous KX specifically. */ int ret; struct benchmark_st st; /* Init server */ gnutls_anon_allocate_server_credentials(&s_anoncred); gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params(s_anoncred, dh_params); gnutls_init(&server, GNUTLS_SERVER); ret = gnutls_priority_set_direct(server, cipher_prio, &str); if (ret < 0) { fprintf(stderr, "Error in %s\n", str); exit(1); } gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred); gnutls_dh_set_prime_bits(server, 1024); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server); reset_buffers(); /* Init client */ gnutls_anon_allocate_client_credentials(&c_anoncred); gnutls_init(&client, GNUTLS_CLIENT); ret = gnutls_priority_set_direct(client, cipher_prio, &str); if (ret < 0) { fprintf(stderr, "Error in %s\n", str); exit(1); } gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client); HANDSHAKE(client, server); fprintf(stdout, "Testing %s with %d packet size: ", gnutls_cipher_suite_get_name(gnutls_kx_get(server), gnutls_cipher_get(server), gnutls_mac_get(server)), size); fflush(stdout); gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer)); start_benchmark(&st); do { do { ret = gnutls_record_send(client, buffer, size); } while (ret == GNUTLS_E_AGAIN); if (ret < 0) { fprintf(stderr, "Failed sending to server\n"); exit(1); } do { ret = gnutls_record_recv(server, buffer, sizeof(buffer)); } while (ret == GNUTLS_E_AGAIN); if (ret < 0) { fprintf(stderr, "Failed receiving from client\n"); exit(1); } st.size += size; } while (benchmark_must_finish == 0); stop_benchmark(&st, NULL); gnutls_bye(client, GNUTLS_SHUT_WR); gnutls_bye(server, GNUTLS_SHUT_WR); gnutls_deinit(client); gnutls_deinit(server); gnutls_anon_free_client_credentials(c_anoncred); gnutls_anon_free_server_credentials(s_anoncred); gnutls_dh_params_deinit(dh_params); }
static void test_ciphersuite_kx(const char *cipher_prio) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; const gnutls_datum_t p3 = { (char *) pkcs3, strlen(pkcs3) }; static gnutls_dh_params_t dh_params; gnutls_session_t server; int sret, cret; const char *str; const char *suite = NULL; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; /* Need to enable anonymous KX specifically. */ int ret; struct benchmark_st st; /* Init server */ gnutls_anon_allocate_server_credentials(&s_anoncred); gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params(s_anoncred, dh_params); start_benchmark(&st); do { gnutls_init(&server, GNUTLS_SERVER); ret = gnutls_priority_set_direct(server, cipher_prio, &str); if (ret < 0) { fprintf(stderr, "Error in %s\n", str); exit(1); } gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server); reset_buffers(); /* Init client */ gnutls_anon_allocate_client_credentials(&c_anoncred); gnutls_init(&client, GNUTLS_CLIENT); ret = gnutls_priority_set_direct(client, cipher_prio, &str); if (ret < 0) { fprintf(stderr, "Error in %s\n", str); exit(1); } gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client); HANDSHAKE(client, server); if (suite == NULL) suite = gnutls_cipher_suite_get_name(gnutls_kx_get(server), gnutls_cipher_get(server), gnutls_mac_get(server)); gnutls_deinit(client); gnutls_deinit(server); st.size += 1; } while (benchmark_must_finish == 0); fprintf(stdout, "Tested %s: ", suite); stop_benchmark(&st, "transactions"); gnutls_anon_free_client_credentials(c_anoncred); gnutls_anon_free_server_credentials(s_anoncred); gnutls_dh_params_deinit(dh_params); }
const struct remote_security_filter *load_security_filter(int tType, const char **dData, load_reference lLoad) { if (initialized) return NULL; #ifdef HAVE_GCRYPT_H if (!gcry_control(GCRYCTL_ANY_INITIALIZATION_P)) { gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); gcry_check_version(NULL); //no need to check as of now gcry_control(GCRYCTL_DISABLE_SECMEM, 0); gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); } #endif gnutls_global_set_log_function(&gnutls_logging); gnutls_global_set_log_level(PARAM_RSVX_TLS_LOGGING); gnutls_global_init(); forwarder_type = tType; const char **initializers = dData, **current = initializers; int argument_count = 0; if (current) while (*current++) argument_count++; if (argument_count > 0 && (current = initializers)) //srp initialization { use_srp_auth = true; const char *passwd = (*current)? *current++ : NULL; const char *srp_passwd = (*current)? *current++ : NULL; const char *srp_passwd_conf = (*current)? *current++ : NULL; if (passwd && strlen(passwd)) { srp_file = passwd; if (!parse_passwd()) { gnutls_global_deinit(); return NULL; } } gnutls_global_init_extra(); if (srp_passwd && strlen(srp_passwd) && srp_passwd_conf && strlen(srp_passwd_conf)) { gnutls_srp_allocate_server_credentials(&srp_server); gnutls_srp_set_server_credentials_file(srp_server, srp_passwd, srp_passwd_conf); } } else //anonymouns initialization { gnutls_anon_allocate_server_credentials(&credentials); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, 1024); gnutls_anon_set_server_dh_params(credentials, dh_params); } return &internal_filter; }
FusionTLSConnection* fusion_tls_connection_construct (GType object_type, GSocketConnection* connection, GError** error) { FusionTLSConnection * self = NULL; GSocketConnection* _tmp0_ = NULL; GSocketConnection* _tmp1_ = NULL; GSocket* _tmp2_ = NULL; GSocket* _tmp3_ = NULL; struct gnutls_anon_server_credentials_st* anon_creds = NULL; struct gnutls_anon_server_credentials_st* _tmp4_ = NULL; struct gnutls_dh_params_int* dh_params = NULL; struct gnutls_dh_params_int* _tmp5_ = NULL; struct gnutls_dh_params_int* _tmp6_ = NULL; struct gnutls_anon_server_credentials_st* _tmp7_ = NULL; struct gnutls_dh_params_int* _tmp8_ = NULL; struct gnutls_session_int* _tmp9_ = NULL; gchar* err = NULL; struct gnutls_session_int* _tmp10_ = NULL; const gchar* _tmp11_ = NULL; gint _tmp12_ = 0; gchar* _tmp13_ = NULL; struct gnutls_session_int* _tmp16_ = NULL; struct gnutls_anon_server_credentials_st* _tmp17_ = NULL; struct gnutls_session_int* _tmp18_ = NULL; GSocket* _tmp19_ = NULL; gint _tmp20_ = 0; FusionTLSInputStream* _tmp21_ = NULL; FusionTLSInputStream* _tmp22_ = NULL; FusionTLSOutputStream* _tmp23_ = NULL; FusionTLSOutputStream* _tmp24_ = NULL; GError * _inner_error_ = NULL; g_return_val_if_fail (connection != NULL, NULL); _tmp0_ = connection; self = (FusionTLSConnection*) g_object_new (object_type, "socket-connection", _tmp0_, NULL); _tmp1_ = self->priv->_socket_connection; _tmp2_ = g_socket_connection_get_socket (_tmp1_); _tmp3_ = _g_object_ref0 (_tmp2_); _g_object_unref0 (self->priv->socket); self->priv->socket = _tmp3_; _tmp4_ = gnutls_anon_server_credentials_create (); anon_creds = _tmp4_; _tmp5_ = gnutls_dh_params_create (); dh_params = _tmp5_; _tmp6_ = dh_params; gnutls_dh_params_generate2 (_tmp6_, (guint) FUSION_TLS_CONNECTION_DH_BITS); _tmp7_ = anon_creds; _tmp8_ = dh_params; gnutls_anon_set_server_dh_params (_tmp7_, _tmp8_); _tmp9_ = gnutls_create (); _gnutls_deinit0 (self->tls_session); self->tls_session = _tmp9_; _tmp10_ = self->tls_session; _tmp12_ = gnutls_priority_set_direct (_tmp10_, "NORMAL:+ANON-DH", &_tmp11_); _g_free0 (err); _tmp13_ = g_strdup (_tmp11_); err = _tmp13_; if (_tmp12_ < 0) { const gchar* _tmp14_ = NULL; GError* _tmp15_ = NULL; _tmp14_ = err; _tmp15_ = g_error_new (G_IO_ERROR, G_IO_ERROR_FAILED, "Invalid chipers priority: %s", _tmp14_); _inner_error_ = _tmp15_; g_propagate_error (error, _inner_error_); _g_free0 (err); _gnutls_dh_params_deinit0 (dh_params); _gnutls_anon_free_server_credentials0 (anon_creds); _g_object_unref0 (self); return NULL; } _tmp16_ = self->tls_session; _tmp17_ = anon_creds; anon_creds = NULL; gnutls_credentials_set (_tmp16_, GNUTLS_CRD_ANON, _tmp17_); _tmp18_ = self->tls_session; _tmp19_ = self->priv->socket; _tmp20_ = g_socket_get_fd (_tmp19_); gnutls_transport_set_ptr (_tmp18_, (void*) ((glong) _tmp20_)); _tmp21_ = fusion_tls_input_stream_new (self); _tmp22_ = _tmp21_; fusion_tls_connection_set_input_stream (self, (GInputStream*) _tmp22_); _g_object_unref0 (_tmp22_); _tmp23_ = fusion_tls_output_stream_new (self); _tmp24_ = _tmp23_; fusion_tls_connection_set_output_stream (self, (GOutputStream*) _tmp24_); _g_object_unref0 (_tmp24_); _g_free0 (err); _gnutls_dh_params_deinit0 (dh_params); _gnutls_anon_free_server_credentials0 (anon_creds); return self; }
static void server(int fd) { int ret; gnutls_session_t session; gnutls_anon_server_credentials_t anoncred; gnutls_dh_params_t dh_params; char buf[128]; const gnutls_datum_t p3 = { (unsigned char *) pkcs3, strlen(pkcs3) }; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_server_credentials(&anoncred); gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params(anoncred, dh_params); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ ret = gnutls_priority_set_direct(session, "NORMAL:+ANON-DH:+ANON-ECDH", NULL); if (ret < 0) { fail("server: priority set failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); do { ret = gnutls_record_recv(session, buf, sizeof(buf)); } while(ret > 0); if (ret < 0) { fail("error: %s\n", gnutls_strerror(ret)); } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_server_credentials(anoncred); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
static void server(int sds[], struct params_res *params) { gnutls_anon_server_credentials_t anoncred; static gnutls_datum_t session_ticket_key = { NULL, 0 }; int ret; size_t t; gnutls_session_t session; /* this must be called once in the program, it is mostly for the server. */ if (debug) { gnutls_global_set_log_function(tls_log_func); gnutls_global_set_log_level(3); } global_init(); gnutls_anon_allocate_server_credentials(&anoncred); if (debug) success("Launched, generating DH parameters...\n"); gnutls_anon_set_server_dh_params(anoncred, dh_params); if (params->enable_db) { wrap_db_init(); } if (params->enable_session_ticket_server) gnutls_session_ticket_key_generate(&session_ticket_key); for (t = 0; t < SESSIONS; t++) { int sd = sds[t]; gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits(session, DH_BITS); if (params->enable_db) { gnutls_db_set_retrieve_function(session, wrap_db_fetch); gnutls_db_set_remove_function(session, wrap_db_delete); gnutls_db_set_store_function(session, wrap_db_store); gnutls_db_set_ptr(session, NULL); } if (params->enable_session_ticket_server) gnutls_session_ticket_enable_server(session, &session_ticket_key); gnutls_transport_set_int(session, sd); gnutls_dtls_set_timeouts(session, 3*1000, 240 * 1000); do { ret = gnutls_handshake(session); } while (ret < 0 && (ret == GNUTLS_E_INTERRUPTED||ret == GNUTLS_E_AGAIN)); if (ret < 0) { close(sd); gnutls_deinit(session); kill(child, SIGTERM); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); return; } if (debug) success("server: Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { memset(buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { kill(child, SIGTERM); fail("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send(session, buffer, strlen(buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(sd); gnutls_deinit(session); } if (params->enable_db) { wrap_db_deinit(); } gnutls_free(session_ticket_key.data); session_ticket_key.data = NULL; gnutls_anon_free_server_credentials(anoncred); if (debug) success("server: finished\n"); }
/** * Initiates a new TLS session. * * @return 0 on success, -1 on error. */ int tls_init(struct gnutella_socket *s) { /** * ANON-DH is enabled because we don't use PKI. * DEFLATE is disabled because it seems to cause crashes. * ARCFOUR-40 is disabled because it is deprecated. */ static const char prio_want[] = "NORMAL:+ANON-DH:-ARCFOUR-40:-COMP-DEFLATE"; /* "-COMP-DEFLATE" is causing an error on MinGW with GnuTLS 2.10.2 */ static const char prio_must[] = "NORMAL:+ANON-DH:-ARCFOUR-40"; const bool server = SOCK_CONN_INCOMING == s->direction; struct tls_context *ctx; const char *fn; int e; #define TRY(function) (fn = (#function)), e = function socket_check(s); WALLOC0(ctx); ctx->s = s; s->tls.ctx = ctx; if ( TRY(gnutls_init)(&ctx->session, server ? GNUTLS_SERVER : GNUTLS_CLIENT) ) { ctx->session = NULL; goto failure; } if (TRY(gnutls_priority_set_direct)(ctx->session, prio_want, NULL)) { const char *error; if (TRY(gnutls_priority_set_direct)(ctx->session, prio_must, &error)) { g_warning("%s() failed at \"%s\"", fn, error); goto failure; } } if (TRY(gnutls_credentials_set)(ctx->session, GNUTLS_CRD_CERTIFICATE, cert_cred)) goto failure; gnutls_dh_set_prime_bits(ctx->session, TLS_DH_BITS); #ifdef USE_TLS_CUSTOM_IO gnutls_transport_set_ptr(ctx->session, s); gnutls_transport_set_push_function(ctx->session, tls_push); gnutls_transport_set_pull_function(ctx->session, tls_pull); #if !HAS_TLS(2, 12) /* * This routine has been removed starting TLS 3.0. It was used to disable * the lowat feature, and apparently this is now always the case in recent * TLS versions. --RAM, 2011-09-28 * * It's also flagged as deprecated in 2.12.x, so don't use it there. * --RAM, 2011-12-15 */ gnutls_transport_set_lowat(ctx->session, 0); #endif #else /* !USE_TLS_CUSTOM_IO */ g_assert(is_valid_fd(s->file_desc)); gnutls_transport_set_ptr(ctx->session, int_to_pointer(s->file_desc)); #endif /* USE_TLS_CUSTOM_IO */ if (server) { if (TRY(gnutls_anon_allocate_server_credentials)(&ctx->server_cred)) goto failure; gnutls_anon_set_server_dh_params(ctx->server_cred, get_dh_params()); if (TRY(gnutls_credentials_set)(ctx->session, GNUTLS_CRD_ANON, ctx->server_cred)) goto failure; } else { if (TRY(gnutls_anon_allocate_client_credentials)(&ctx->client_cred)) goto failure; if (TRY(gnutls_credentials_set)(ctx->session, GNUTLS_CRD_ANON, ctx->client_cred)) goto failure; } return 0; failure: g_warning("%s() failed: %s", EMPTY_STRING(fn), gnutls_strerror(e)); tls_free(s); return -1; #undef TRY }
int init_remote_listener(int port, gboolean encrypted) { int rc; int *ssock = NULL; struct sockaddr_in saddr; int optval; static struct mainloop_fd_callbacks remote_listen_fd_callbacks = { .dispatch = cib_remote_listen, .destroy = remote_connection_destroy, }; if (port <= 0) { /* don't start it */ return 0; } if (encrypted) { #ifndef HAVE_GNUTLS_GNUTLS_H crm_warn("TLS support is not available"); return 0; #else crm_notice("Starting TLS listener on port %d", port); crm_gnutls_global_init(); /* gnutls_global_set_log_level (10); */ gnutls_global_set_log_function(debug_log); if (pcmk__init_tls_dh(&dh_params) != GNUTLS_E_SUCCESS) { return -1; } gnutls_anon_allocate_server_credentials(&anon_cred_s); gnutls_anon_set_server_dh_params(anon_cred_s, dh_params); #endif } else { crm_warn("Starting plain-text listener on port %d", port); } #ifndef HAVE_PAM crm_warn("PAM is _not_ enabled!"); #endif /* create server socket */ ssock = malloc(sizeof(int)); if(ssock == NULL) { crm_perror(LOG_ERR, "Listener socket allocation failed"); return -1; } *ssock = socket(AF_INET, SOCK_STREAM, 0); if (*ssock == -1) { crm_perror(LOG_ERR, "Listener socket creation failed"); free(ssock); return -1; } /* reuse address */ optval = 1; rc = setsockopt(*ssock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval)); if (rc < 0) { crm_perror(LOG_WARNING, "Local address reuse not allowed on listener socket"); } /* bind server socket */ memset(&saddr, '\0', sizeof(saddr)); saddr.sin_family = AF_INET; saddr.sin_addr.s_addr = INADDR_ANY; saddr.sin_port = htons(port); if (bind(*ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) { crm_perror(LOG_ERR, "Cannot bind to listener socket"); close(*ssock); free(ssock); return -2; } if (listen(*ssock, 10) == -1) { crm_perror(LOG_ERR, "Cannot listen on socket"); close(*ssock); free(ssock); return -3; } mainloop_add_fd("cib-remote", G_PRIORITY_DEFAULT, *ssock, ssock, &remote_listen_fd_callbacks); crm_debug("Started listener on port %d", port); return *ssock; }
void doit(void) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; const gnutls_datum_t p3 = { (unsigned char *) pkcs3, strlen(pkcs3) }; static gnutls_dh_params_t dh_params; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN, i; /* Need to enable anonymous KX specifically. */ ssize_t ns; int ret, transferred = 0; /* General init. */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); /* Init server */ gnutls_anon_allocate_server_credentials(&s_anoncred); gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params(s_anoncred, dh_params); gnutls_init(&server, GNUTLS_SERVER); gnutls_priority_set_direct(server, "NONE:+VERS-TLS-ALL:+ARCFOUR-128:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+ANON-DH", NULL); gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); /* Init client */ gnutls_anon_allocate_client_credentials(&c_anoncred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_priority_set_direct(client, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+ARCFOUR-128:+MAC-ALL:+SIGN-ALL:+COMP-NULL:+ANON-DH", NULL); gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); memset(b1, 0, sizeof(b1)); HANDSHAKE(client, server); if (debug) success("Handshake established\n"); memset(b1, 1, MAX_BUF); /* try the maximum allowed */ ret = gnutls_record_send(client, b1, MAX_BUF); if (ret < 0) { fprintf(stderr, "Error sending %d bytes: %s\n", (int) MAX_BUF, gnutls_strerror(ret)); exit(1); } if (ret != MAX_BUF) { fprintf(stderr, "Couldn't send %d bytes\n", (int) MAX_BUF); exit(1); } ret = gnutls_record_recv(server, buffer, MAX_BUF); if (ret < 0) { fprintf(stderr, "Error receiving %d bytes: %s\n", (int) MAX_BUF, gnutls_strerror(ret)); exit(1); } if (ret != MAX_BUF) { fprintf(stderr, "Couldn't receive %d bytes, received %d\n", (int) MAX_BUF, ret); exit(1); } if (memcmp(b1, buffer, MAX_BUF) != 0) { fprintf(stderr, "Buffers do not match!\n"); exit(1); } /* Try sending various other sizes */ for (i = 1; i < 128; i++) { TRANSFER(client, server, b1, i, buffer, MAX_BUF); } if (debug) fputs("\n", stdout); gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_anon_free_client_credentials(c_anoncred); gnutls_anon_free_server_credentials(s_anoncred); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); }
int init_remote_listener(int port, gboolean encrypted) { int ssock; struct sockaddr_in saddr; int optval; if (port <= 0) { /* dont start it */ return 0; } if (encrypted) { #ifndef HAVE_GNUTLS_GNUTLS_H crm_warn("TLS support is not available"); return 0; #else crm_notice("Starting a tls listener on port %d.", port); gnutls_global_init(); /* gnutls_global_set_log_level (10); */ gnutls_global_set_log_function(debug_log); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, DH_BITS); gnutls_anon_allocate_server_credentials(&anon_cred_s); gnutls_anon_set_server_dh_params(anon_cred_s, dh_params); #endif } else { crm_warn("Starting a plain_text listener on port %d.", port); } #ifndef HAVE_PAM crm_warn("PAM is _not_ enabled!"); #endif /* create server socket */ ssock = socket(AF_INET, SOCK_STREAM, 0); if (ssock == -1) { crm_perror(LOG_ERR, "Can not create server socket." ERROR_SUFFIX); return -1; } /* reuse address */ optval = 1; setsockopt(ssock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval)); /* bind server socket */ memset(&saddr, '\0', sizeof(saddr)); saddr.sin_family = AF_INET; saddr.sin_addr.s_addr = INADDR_ANY; saddr.sin_port = htons(port); if (bind(ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) { crm_perror(LOG_ERR, "Can not bind server socket." ERROR_SUFFIX); return -2; } if (listen(ssock, 10) == -1) { crm_perror(LOG_ERR, "Can not start listen." ERROR_SUFFIX); return -3; } G_main_add_fd(G_PRIORITY_HIGH, ssock, FALSE, cib_remote_listen, NULL, default_ipc_connection_destroy); return ssock; }
void try_with_key_ks(const char *name, const char *client_prio, gnutls_kx_algorithm_t client_kx, gnutls_sign_algorithm_t server_sign_algo, gnutls_sign_algorithm_t client_sign_algo, const gnutls_datum_t *serv_cert, const gnutls_datum_t *serv_key, const gnutls_datum_t *client_cert, const gnutls_datum_t *client_key, unsigned cert_flags, unsigned exp_group, gnutls_certificate_type_t server_ctype, gnutls_certificate_type_t client_ctype) { int ret; char buffer[256]; /* Server stuff. */ gnutls_certificate_credentials_t server_cred; gnutls_anon_server_credentials_t s_anoncred; gnutls_dh_params_t dh_params; const gnutls_datum_t p3 = { (unsigned char *) pkcs3, strlen(pkcs3) }; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t client_cred; gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN, version; const char *err; /* General init. */ gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); reset_buffers(); /* Init server */ assert(gnutls_anon_allocate_server_credentials(&s_anoncred)>=0); assert(gnutls_certificate_allocate_credentials(&server_cred)>=0); // Set server crt creds based on ctype switch (server_ctype) { case GNUTLS_CRT_X509: ret = gnutls_certificate_set_x509_key_mem(server_cred, serv_cert, serv_key, GNUTLS_X509_FMT_PEM); break; case GNUTLS_CRT_RAWPK: ret = gnutls_certificate_set_rawpk_key_mem(server_cred, serv_cert, serv_key, GNUTLS_X509_FMT_PEM, NULL, 0, NULL, 0, 0); break; default: ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; } if (ret < 0) { fail("Could not set key/cert: %s\n", gnutls_strerror(ret)); } gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_dh_params(server_cred, dh_params); gnutls_anon_set_server_dh_params(s_anoncred, dh_params); assert(gnutls_init(&server, GNUTLS_SERVER | GNUTLS_ENABLE_RAWPK)>=0); assert(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, server_cred)>=0); assert(gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred)>=0); if (server_priority) assert(gnutls_priority_set_direct(server, server_priority, NULL) >= 0); else assert(gnutls_priority_set_direct(server, "NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519:+CTYPE-ALL", NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); /* Init client */ ret = gnutls_certificate_allocate_credentials(&client_cred); if (ret < 0) exit(1); if (cert_flags == USE_CERT) { // Set client crt creds based on ctype switch (client_ctype) { case GNUTLS_CRT_X509: gnutls_certificate_set_x509_key_mem(client_cred, client_cert, client_key, GNUTLS_X509_FMT_PEM); break; case GNUTLS_CRT_RAWPK: gnutls_certificate_set_rawpk_key_mem(client_cred, client_cert, client_key, GNUTLS_X509_FMT_PEM, NULL, 0, NULL, 0, 0); break; default: fail("Illegal client certificate type given\n"); } gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE); } else if (cert_flags == ASK_CERT) { gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); } #if 0 ret = gnutls_certificate_set_x509_trust_mem(client_cred, &ca_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); #endif ret = gnutls_init(&client, GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK); if (ret < 0) exit(1); assert(gnutls_anon_allocate_client_credentials(&c_anoncred)>=0); assert(gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred)>=0); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, client_cred); if (ret < 0) exit(1); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); ret = gnutls_priority_set_direct(client, client_prio, &err); if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) fprintf(stderr, "Error in %s\n", err); exit(1); } success("negotiating %s\n", name); HANDSHAKE(client, server); if (gnutls_kx_get(client) != client_kx) { fail("%s: got unexpected key exchange algorithm: %s (expected %s)\n", name, gnutls_kx_get_name(gnutls_kx_get(client)), gnutls_kx_get_name(client_kx)); exit(1); } /* test signature algorithm match */ version = gnutls_protocol_get_version(client); if (version >= GNUTLS_TLS1_2) { ret = gnutls_sign_algorithm_get(server); if (ret != (int)server_sign_algo) { fail("%s: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } ret = gnutls_sign_algorithm_get_client(server); if (ret != (int)client_sign_algo) { fail("%s: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } ret = gnutls_sign_algorithm_get(client); if (ret != (int)server_sign_algo) { fail("%s: cl: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } ret = gnutls_sign_algorithm_get_client(client); if (ret != (int)client_sign_algo) { fail("%s: cl: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } } if (exp_group != 0) { ret = gnutls_group_get(server); if (ret != (int)exp_group) { fail("%s: got unexpected server group: %d/%s\n", name, ret, gnutls_group_get_name(ret)); } ret = gnutls_group_get(client); if (ret != (int)exp_group) { fail("%s: got unexpected client group: %d/%s\n", name, ret, gnutls_group_get_name(ret)); } } gnutls_record_send(server, MSG, strlen(MSG)); ret = gnutls_record_recv(client, buffer, sizeof(buffer)); if (ret == 0) { fail("client: Peer has closed the TLS connection\n"); exit(1); } else if (ret < 0) { fail("client: Error: %s\n", gnutls_strerror(ret)); exit(1); } if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) { fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret); exit(1); } gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(server_cred); gnutls_certificate_free_credentials(client_cred); gnutls_anon_free_server_credentials(s_anoncred); gnutls_anon_free_client_credentials(c_anoncred); gnutls_dh_params_deinit(dh_params); }
int main (void) { int err, listen_sd; int sd, ret; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; int client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; /* this must be called once in the program */ gnutls_global_init (); gnutls_anon_allocate_server_credentials (&anoncred); generate_dh_params (); gnutls_anon_set_server_dh_params (anoncred, dh_params); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); SOCKET_ERR (listen_sd, "socket"); memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); SOCKET_ERR (err, "bind"); err = listen (listen_sd, 1024); SOCKET_ERR (err, "listen"); printf ("Server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof (sa_cli); for (;;) { session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); printf ("- connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fprintf (stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror (ret)); continue; } printf ("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("\n- Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fprintf (stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } printf ("\n"); /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); } close (listen_sd); gnutls_anon_free_server_credentials (anoncred); gnutls_global_deinit (); return 0; }
void dtls_try_with_key_mtu(const char *name, const char *client_prio, gnutls_kx_algorithm_t client_kx, gnutls_sign_algorithm_t server_sign_algo, gnutls_sign_algorithm_t client_sign_algo, const gnutls_datum_t *serv_cert, const gnutls_datum_t *serv_key, const gnutls_datum_t *client_cert, const gnutls_datum_t *client_key, unsigned cert_flags, unsigned smtu) { int ret; char buffer[256]; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_anon_server_credentials_t s_anoncred; gnutls_dh_params_t dh_params; const gnutls_datum_t p3 = { (unsigned char *) pkcs3, strlen(pkcs3) }; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN, version; /* General init. */ gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); reset_buffers(); /* Init server */ gnutls_anon_allocate_server_credentials(&s_anoncred); gnutls_certificate_allocate_credentials(&serverx509cred); ret = gnutls_certificate_set_x509_key_mem(serverx509cred, serv_cert, serv_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("Could not set key/cert: %s\n", gnutls_strerror(ret)); } gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_dh_params(serverx509cred, dh_params); gnutls_anon_set_server_dh_params(s_anoncred, dh_params); assert(gnutls_init(&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK)>=0); assert(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred)>=0); assert(gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred)>=0); assert(gnutls_priority_set_direct(server, "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519", NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_pull_timeout_function(server, server_pull_timeout_func); gnutls_transport_set_ptr(server, server); if (smtu) gnutls_dtls_set_mtu (server, smtu); /* Init client */ ret = gnutls_certificate_allocate_credentials(&clientx509cred); if (ret < 0) exit(1); if (cert_flags == USE_CERT) { ret = gnutls_certificate_set_x509_key_mem(clientx509cred, client_cert, client_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("Could not set key/cert: %s\n", gnutls_strerror(ret)); } gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE); } else if (cert_flags == ASK_CERT) { gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); } #if 0 ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); #endif ret = gnutls_init(&client, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK); if (ret < 0) exit(1); assert(gnutls_anon_allocate_client_credentials(&c_anoncred)>=0); assert(gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred)>=0); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) exit(1); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_pull_timeout_function(client, client_pull_timeout_func); gnutls_transport_set_ptr(client, client); if (smtu) gnutls_dtls_set_mtu (client, smtu); ret = gnutls_priority_set_direct(client, client_prio, NULL); if (ret < 0) { exit(1); } success("negotiating %s\n", name); HANDSHAKE_DTLS(client, server); if (gnutls_kx_get(client) != client_kx) { fail("%s: got unexpected key exchange algorithm: %s (expected %s)\n", name, gnutls_kx_get_name(gnutls_kx_get(client)), gnutls_kx_get_name(client_kx)); exit(1); } /* test signature algorithm match */ version = gnutls_protocol_get_version(client); if (version >= GNUTLS_DTLS1_2) { ret = gnutls_sign_algorithm_get(server); if (ret != (int)server_sign_algo) { fail("%s: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } ret = gnutls_sign_algorithm_get_client(server); if (ret != (int)client_sign_algo) { fail("%s: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } ret = gnutls_sign_algorithm_get(client); if (ret != (int)server_sign_algo) { fail("%s: cl: got unexpected server signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } ret = gnutls_sign_algorithm_get_client(client); if (ret != (int)client_sign_algo) { fail("%s: cl: got unexpected client signature algorithm: %d/%s\n", name, ret, gnutls_sign_get_name(ret)); exit(1); } } gnutls_record_send(server, MSG, strlen(MSG)); ret = gnutls_record_recv(client, buffer, sizeof(buffer)); if (ret == 0) { fail("client: Peer has closed the TLS connection\n"); exit(1); } else if (ret < 0) { fail("client: Error: %s\n", gnutls_strerror(ret)); exit(1); } if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) { fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret); exit(1); } gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_anon_free_server_credentials(s_anoncred); gnutls_anon_free_client_credentials(c_anoncred); gnutls_dh_params_deinit(dh_params); }
void doit (void) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; const gnutls_datum_t p3 = { (void *) pkcs3, strlen (pkcs3) }; static gnutls_dh_params_t dh_params; gnutls_session_t server; int sret, cret; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; /* Need to enable anonymous KX specifically. */ char buffer[MAX_BUF + 1]; ssize_t ns; int ret, transferred = 0, msglen; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (99); /* Init server */ gnutls_anon_allocate_server_credentials (&s_anoncred); gnutls_dh_params_init (&dh_params); gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params (s_anoncred, dh_params); gnutls_init (&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK); ret = gnutls_priority_set_direct (server, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); if (ret < 0) exit(1); gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred); gnutls_dh_set_prime_bits (server, 1024); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_pull_timeout_function (server, server_pull_timeout_func); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_anon_allocate_client_credentials (&c_anoncred); gnutls_init (&client, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK); cret = gnutls_priority_set_direct (client, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); if (cret < 0) exit(1); gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_pull_timeout_function (client, client_pull_timeout_func); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); handshake = 1; HANDSHAKE(client, server); handshake = 0; if (debug) success ("Handshake established\n"); do { ret = gnutls_record_send (client, MSG, strlen (MSG)); } while(ret == GNUTLS_E_AGAIN); //success ("client: sent %d\n", ns); msglen = strlen(MSG); TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF); if (debug) fputs ("\n", stdout); gnutls_bye (client, GNUTLS_SHUT_WR); gnutls_bye (server, GNUTLS_SHUT_WR); gnutls_deinit (client); gnutls_deinit (server); gnutls_anon_free_client_credentials (c_anoncred); gnutls_anon_free_server_credentials (s_anoncred); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); }
void doit (void) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; const gnutls_datum_t p3 = { (char *) pkcs3, strlen (pkcs3) }; static gnutls_dh_params_t dh_params; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; int n, cret = GNUTLS_E_AGAIN; /* Need to enable anonymous KX specifically. */ const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; char buffer[MAX_BUF + 1]; ssize_t ns; int ret; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); /* Init server */ gnutls_anon_allocate_server_credentials (&s_anoncred); gnutls_dh_params_init (&dh_params); gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params (s_anoncred, dh_params); gnutls_init (&server, GNUTLS_SERVER); gnutls_set_default_priority (server); gnutls_kx_set_priority (server, kx_prio); gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred); gnutls_dh_set_prime_bits (server, 1024); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_session_set_finished_function (server, server_finished_callback); /* Init client */ gnutls_anon_allocate_client_credentials (&c_anoncred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_set_default_priority (client); gnutls_kx_set_priority (client, kx_prio); gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_session_set_finished_function (client, client_finished_callback); do { if (cret == GNUTLS_E_AGAIN) { if (debug) success ("loop invoking client:\n"); cret = gnutls_handshake (client); if (debug) success ("client %d: %s\n", cret, gnutls_strerror (cret)); } if (sret == GNUTLS_E_AGAIN) { if (debug) success ("loop invoking server:\n"); sret = gnutls_handshake (server); if (debug) success ("server %d: %s\n", sret, gnutls_strerror (sret)); } } while (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN); if (debug) success ("Handshake established\n"); ns = gnutls_record_send (client, MSG, strlen (MSG)); if (debug) success ("client: sent %d\n", (int) ns); ret = gnutls_record_recv (server, buffer, MAX_BUF); if (ret == 0) fail ("server: didn't receive any data\n"); else if (ret < 0) fail ("server: error: %s\n", gnutls_strerror (ret)); else if (debug) { printf ("server: received %d: ", ret); for (n = 0; n < ret; n++) fputc (buffer[n], stdout); fputs ("\n", stdout); } ns = gnutls_record_send (server, MSG, strlen (MSG)); if (debug) success ("server: sent %d\n", (int) ns); ret = gnutls_record_recv (client, buffer, MAX_BUF); if (ret == 0) { fail ("client: Peer has closed the TLS connection\n"); } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); } else if (debug) { printf ("client: received %d: ", ret); for (n = 0; n < ret; n++) fputc (buffer[n], stdout); fputs ("\n", stdout); } gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); free (to_server); free (to_client); gnutls_anon_free_client_credentials (c_anoncred); gnutls_anon_free_server_credentials (s_anoncred); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); }