static void
tls_print_session_info(const host_addr_t addr, uint16 port,
gnutls_session session, bool incoming)
{
const char *proto, *cert, *kx, *ciph, *mac, *comp;
g_return_if_fail(session);
proto = gnutls_protocol_get_name(gnutls_protocol_get_version(session));
cert = gnutls_certificate_type_get_name(
gnutls_certificate_type_get(session));
kx = gnutls_kx_get_name(gnutls_kx_get(session));
comp = gnutls_compression_get_name(gnutls_compression_get(session));
ciph = gnutls_cipher_get_name(gnutls_cipher_get(session));
mac = gnutls_mac_get_name(gnutls_mac_get (session));
g_debug(
"TLS session info (%s):\n"
" Host: %s\n"
" Protocol: %s\n"
" Certificate: %s\n"
" Key Exchange: %s\n"
" Cipher: %s\n"
" MAC: %s\n"
" Compression: %s",
incoming ? "incoming" : "outgoing",
host_addr_port_to_string(addr, port),
NULL_STRING(proto),
NULL_STRING(cert),
NULL_STRING(kx),
NULL_STRING(ciph),
NULL_STRING(mac),
NULL_STRING(comp)
);
}
unsigned char *
get_ssl_connection_cipher(struct socket *socket)
{
ssl_t *ssl = socket->ssl;
struct string str;
if (!init_string(&str)) return NULL;
#ifdef USE_OPENSSL
add_format_to_string(&str, "%ld-bit %s %s",
SSL_get_cipher_bits(ssl, NULL),
SSL_get_cipher_version(ssl),
SSL_get_cipher_name(ssl));
#elif defined(CONFIG_GNUTLS)
/* XXX: How to get other relevant parameters? */
add_format_to_string(&str, "%s - %s - %s - %s - %s (compr: %s)",
gnutls_protocol_get_name(gnutls_protocol_get_version(*ssl)),
gnutls_kx_get_name(gnutls_kx_get(*ssl)),
gnutls_cipher_get_name(gnutls_cipher_get(*ssl)),
gnutls_mac_get_name(gnutls_mac_get(*ssl)),
gnutls_certificate_type_get_name(gnutls_certificate_type_get(*ssl)),
gnutls_compression_get_name(gnutls_compression_get(*ssl)));
#endif
return str.source;
}
void
_gnutls_session_cert_type_set (gnutls_session_t session,
gnutls_certificate_type_t ct)
{
_gnutls_handshake_log("HSK[%p]: Selected certificate type %s (%d)\n", session,
gnutls_certificate_type_get_name(ct), ct);
session->security_parameters.cert_type = ct;
}
/* This function will log some details of the given session. */
static void
logtlsinfo (gnutls_session_t session)
{
gnutls_credentials_type_t cred;
const char *protocol =
gnutls_protocol_get_name (gnutls_protocol_get_version (session));
gnutls_kx_algorithm_t kx = gnutls_kx_get (session);
const char *keyexchange = gnutls_kx_get_name (kx);
const char *certtype =
gnutls_certificate_type_get_name (gnutls_certificate_type_get (session));
const char *cipher = gnutls_cipher_get_name (gnutls_cipher_get (session));
const char *mac = gnutls_mac_get_name (gnutls_mac_get (session));
const char *compression =
gnutls_compression_get_name (gnutls_compression_get (session));
int resumedp = gnutls_session_is_resumed (session);
/* This message can arguably belong to LOG_AUTH. */
syslog (LOG_INFO, "TLS handshake negotiated protocol `%s', "
"key exchange `%s', certficate type `%s', cipher `%s', "
"mac `%s', compression `%s', %s",
protocol ? protocol : "N/A",
keyexchange ? keyexchange : "N/A",
certtype ? certtype : "N/A",
cipher ? cipher : "N/A",
mac ? mac : "N/A", compression ? compression : "N/A",
resumedp ? "resumed session" : "session not resumed");
cred = gnutls_auth_get_type (session);
switch (cred)
{
case GNUTLS_CRD_ANON:
syslog (LOG_INFO | LOG_DAEMON,
"TLS anonymous authentication with %d bit Diffie-Hellman",
gnutls_dh_get_prime_bits (session));
break;
case GNUTLS_CRD_CERTIFICATE:
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
syslog (LOG_INFO | LOG_DAEMON,
"TLS certificate authentication with %d bits "
"ephemeral Diffie-Hellman",
gnutls_dh_get_prime_bits (session));
logcertinfo (session);
break;
case GNUTLS_CRD_SRP:
case GNUTLS_CRD_PSK:
case GNUTLS_CRD_IA:
default:
syslog (LOG_ERR | LOG_DAEMON, "Unknown TLS authentication (%d)", cred);
break;
}
}
void
print_list (const char *priorities, int verbose)
{
size_t i;
int ret;
unsigned int idx;
const char *name;
const char *err;
unsigned char id[2];
gnutls_kx_algorithm_t kx;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
gnutls_priority_t pcache;
const unsigned int *list;
if (priorities != NULL)
{
printf ("Cipher suites for %s\n", priorities);
ret = gnutls_priority_init (&pcache, priorities, &err);
if (ret < 0)
{
fprintf (stderr, "Syntax error at: %s\n", err);
exit (1);
}
for (i = 0;; i++)
{
ret =
gnutls_priority_get_cipher_suite_index (pcache, i,
&idx);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
continue;
name =
gnutls_cipher_suite_info (idx, id, NULL, NULL, NULL,
&version);
if (name != NULL)
printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
name, (unsigned char) id[0],
(unsigned char) id[1],
gnutls_protocol_get_name (version));
}
printf("\n");
{
ret = gnutls_priority_certificate_type_list (pcache, &list);
printf ("Certificate types: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("CTYPE-%s",
gnutls_certificate_type_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_protocol_list (pcache, &list);
printf ("Protocols: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("VERS-%s", gnutls_protocol_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_compression_list (pcache, &list);
printf ("Compression: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("COMP-%s",
gnutls_compression_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_ecc_curve_list (pcache, &list);
printf ("Elliptic curves: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("CURVE-%s",
gnutls_ecc_curve_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_sign_list (pcache, &list);
printf ("PK-signatures: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("SIGN-%s",
gnutls_sign_algorithm_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
return;
}
printf ("Cipher suites:\n");
for (i = 0; (name = gnutls_cipher_suite_info
(i, id, &kx, &cipher, &mac, &version)); i++)
{
printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
name,
(unsigned char) id[0], (unsigned char) id[1],
gnutls_protocol_get_name (version));
if (verbose)
printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
gnutls_kx_get_name (kx),
gnutls_cipher_get_name (cipher),
gnutls_mac_get_name (mac));
}
printf("\n");
{
const gnutls_certificate_type_t *p =
gnutls_certificate_type_list ();
printf ("Certificate types: ");
for (; *p; p++)
{
printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_protocol_t *p = gnutls_protocol_list ();
printf ("Protocols: ");
for (; *p; p++)
{
printf ("VERS-%s", gnutls_protocol_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
printf ("Ciphers: ");
for (; *p; p++)
{
printf ("%s", gnutls_cipher_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
printf ("MACs: ");
for (; *p; p++)
{
printf ("%s", gnutls_mac_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
printf ("Key exchange algorithms: ");
for (; *p; p++)
{
printf ("%s", gnutls_kx_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_compression_method_t *p = gnutls_compression_list ();
printf ("Compression: ");
for (; *p; p++)
{
printf ("COMP-%s", gnutls_compression_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list ();
printf ("Elliptic curves: ");
for (; *p; p++)
{
printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
printf ("Public Key Systems: ");
for (; *p; p++)
{
printf ("%s", gnutls_pk_algorithm_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
printf ("PK-signatures: ");
for (; *p; p++)
{
printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
}
void gtlsGeneric::logSessionInfo(LogWrapperType _logwrapper,
gnutls_session_t _session)
{
const char *tmp;
gnutls_credentials_type_t cred;
gnutls_kx_algorithm_t kx;
// print the key exchange's algorithm name
kx = gnutls_kx_get(_session);
tmp = gnutls_kx_get_name(kx);
BTG_NOTICE(_logwrapper, "- Key Exchange: " << tmp);
// Check the authentication type used and switch
// to the appropriate.
cred = gnutls_auth_get_type(_session);
switch (cred)
{
case GNUTLS_CRD_SRP:
{
BTG_NOTICE(_logwrapper, "- SRP session");
break;
}
case GNUTLS_CRD_ANON:
{
BTG_NOTICE(_logwrapper, "- Anonymous DH using prime of " << gnutls_dh_get_prime_bits (_session) << " bits");
break;
}
case GNUTLS_CRD_CERTIFICATE:
{
// Check if we have been using ephemeral Diffie Hellman.
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
{
BTG_NOTICE(_logwrapper, "- Ephemeral DH using prime of " << gnutls_dh_get_prime_bits(_session) << " bits");
}
/* if the certificate list is available, then
* print some information about it.
*/
gtlsGeneric::logX509CertificateInfo(_logwrapper, _session);
break;
}
default:
{
BTG_NOTICE(_logwrapper, "Unknown cred.");
}
}
/* print the protocol's name (ie TLS 1.0)
*/
tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(_session));
BTG_NOTICE(_logwrapper, "- Protocol: " << tmp);
/* print the certificate type of the peer.
* ie X.509
*/
tmp = gnutls_certificate_type_get_name(gnutls_certificate_type_get(_session));
BTG_NOTICE(_logwrapper, "- Certificate Type: " << tmp);
/* print the compression algorithm (if any)
*/
tmp = gnutls_compression_get_name(gnutls_compression_get(_session));
BTG_NOTICE(_logwrapper, "- Compression: " << tmp);
/* print the name of the cipher used.
* ie 3DES.
*/
tmp = gnutls_cipher_get_name(gnutls_cipher_get(_session));
BTG_NOTICE(_logwrapper, "- Cipher: " << tmp);
/* Print the MAC algorithms name.
* ie SHA1
*/
tmp = gnutls_mac_get_name(gnutls_mac_get(_session));
BTG_NOTICE(_logwrapper, "- MAC: " << tmp);
}
/**
* gnutls_session_get_desc:
* @session: is a gnutls session
*
* This function returns a string describing the current session.
* The string is null terminated and allocated using gnutls_malloc().
*
* Returns: a description of the protocols and algorithms in the current session.
*
* Since: 3.1.10
**/
char *gnutls_session_get_desc(gnutls_session_t session)
{
gnutls_kx_algorithm_t kx;
unsigned type;
char kx_name[32];
char proto_name[32];
const char *curve_name = NULL;
unsigned dh_bits = 0;
unsigned mac_id;
char *desc;
kx = session->security_parameters.kx_algorithm;
if (kx == GNUTLS_KX_ANON_ECDH || kx == GNUTLS_KX_ECDHE_PSK ||
kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA) {
curve_name =
gnutls_ecc_curve_get_name(gnutls_ecc_curve_get
(session));
} else if (kx == GNUTLS_KX_ANON_DH || kx == GNUTLS_KX_DHE_PSK
|| kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {
dh_bits = gnutls_dh_get_prime_bits(session);
}
if (curve_name != NULL)
snprintf(kx_name, sizeof(kx_name), "%s-%s",
gnutls_kx_get_name(kx), curve_name);
else if (dh_bits != 0)
snprintf(kx_name, sizeof(kx_name), "%s-%u",
gnutls_kx_get_name(kx), dh_bits);
else
snprintf(kx_name, sizeof(kx_name), "%s",
gnutls_kx_get_name(kx));
type = gnutls_certificate_type_get(session);
if (type == GNUTLS_CRT_X509)
snprintf(proto_name, sizeof(proto_name), "%s",
gnutls_protocol_get_name(get_num_version
(session)));
else
snprintf(proto_name, sizeof(proto_name), "%s-%s",
gnutls_protocol_get_name(get_num_version
(session)),
gnutls_certificate_type_get_name(type));
gnutls_protocol_get_name(get_num_version(session)),
desc = gnutls_malloc(DESC_SIZE);
if (desc == NULL)
return NULL;
mac_id = gnutls_mac_get(session);
if (mac_id == GNUTLS_MAC_AEAD) { /* no need to print */
snprintf(desc, DESC_SIZE,
"(%s)-(%s)-(%s)",
proto_name,
kx_name,
gnutls_cipher_get_name(gnutls_cipher_get(session)));
} else {
snprintf(desc, DESC_SIZE,
"(%s)-(%s)-(%s)-(%s)",
proto_name,
kx_name,
gnutls_cipher_get_name(gnutls_cipher_get(session)),
gnutls_mac_get_name(mac_id));
}
return desc;
}
static void main_texinfo (void)
{
{
size_t i;
const char *name;
char id[2];
gnutls_kx_algorithm_t kx;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
printf ("@heading Ciphersuites\n");
printf ("@multitable @columnfractions .60 .20 .20\n");
printf("@headitem Ciphersuite name @tab TLS ID @tab Since\n");
for (i = 0; (name = gnutls_cipher_suite_info
(i, id, &kx, &cipher, &mac, &version)); i++)
{
printf ("@item %s\n@tab 0x%02X 0x%02X\n@tab %s\n",
escape_texi_string(name, buffer, sizeof(buffer)),
(unsigned char) id[0], (unsigned char) id[1],
gnutls_protocol_get_name (version));
}
printf ("@end multitable\n");
}
{
const gnutls_certificate_type_t *p = gnutls_certificate_type_list ();
printf ("\n\n@heading Certificate types\n");
printf ("@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_certificate_type_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_protocol_t *p = gnutls_protocol_list ();
printf ("\n@heading Protocols\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_protocol_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
printf ("\n@heading Ciphers\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_cipher_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
printf ("\n@heading MAC algorithms\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_mac_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
printf ("\n@heading Key exchange methods\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_kx_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
printf ("\n@heading Public key algorithms\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_pk_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
printf ("\n@heading Public key signature algorithms\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_sign_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list ();
printf ("\n@heading Elliptic curves\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_ecc_curve_get_name (*p));
}
printf ("@end table\n");
}
{
const gnutls_compression_method_t *p = gnutls_compression_list ();
printf ("\n@heading Compression methods\n@table @code\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_compression_get_name (*p));
}
printf ("@end table\n");
}
}
/**
* gnutls_session_get_desc:
* @session: is a gnutls session
*
* This function returns a string describing the current session.
* The string is null terminated and allocated using gnutls_malloc().
*
* If initial negotiation is not complete when this function is called,
* %NULL will be returned.
*
* Returns: a description of the protocols and algorithms in the current session.
*
* Since: 3.1.10
**/
char *gnutls_session_get_desc(gnutls_session_t session)
{
gnutls_kx_algorithm_t kx;
const char *kx_str;
unsigned type;
char kx_name[32];
char proto_name[32];
const char *curve_name = NULL;
unsigned dh_bits = 0;
unsigned mac_id;
char *desc;
if (session->internals.initial_negotiation_completed == 0)
return NULL;
kx = session->security_parameters.kx_algorithm;
if (kx == GNUTLS_KX_ANON_ECDH || kx == GNUTLS_KX_ECDHE_PSK ||
kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA) {
curve_name =
gnutls_ecc_curve_get_name(gnutls_ecc_curve_get
(session));
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
} else if (kx == GNUTLS_KX_ANON_DH || kx == GNUTLS_KX_DHE_PSK
|| kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {
dh_bits = gnutls_dh_get_prime_bits(session);
#endif
}
kx_str = gnutls_kx_get_name(kx);
if (kx_str) {
if (curve_name != NULL)
snprintf(kx_name, sizeof(kx_name), "%s-%s",
kx_str, curve_name);
else if (dh_bits != 0)
snprintf(kx_name, sizeof(kx_name), "%s-%u",
kx_str, dh_bits);
else
snprintf(kx_name, sizeof(kx_name), "%s",
kx_str);
} else {
strcpy(kx_name, "NULL");
}
type = gnutls_certificate_type_get(session);
if (type == GNUTLS_CRT_X509)
snprintf(proto_name, sizeof(proto_name), "%s",
gnutls_protocol_get_name(get_num_version
(session)));
else
snprintf(proto_name, sizeof(proto_name), "%s-%s",
gnutls_protocol_get_name(get_num_version
(session)),
gnutls_certificate_type_get_name(type));
desc = gnutls_malloc(DESC_SIZE);
if (desc == NULL)
return NULL;
mac_id = gnutls_mac_get(session);
if (mac_id == GNUTLS_MAC_AEAD) { /* no need to print */
snprintf(desc, DESC_SIZE,
"(%s)-(%s)-(%s)",
proto_name,
kx_name,
gnutls_cipher_get_name(gnutls_cipher_get(session)));
} else {
snprintf(desc, DESC_SIZE,
"(%s)-(%s)-(%s)-(%s)",
proto_name,
kx_name,
gnutls_cipher_get_name(gnutls_cipher_get(session)),
gnutls_mac_get_name(mac_id));
}
return desc;
}
void
print_list (int verbose)
{
{
size_t i;
const char *name;
char id[2];
gnutls_kx_algorithm_t kx;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
printf ("Cipher suites:\n");
for (i = 0; (name = gnutls_cipher_suite_info
(i, id, &kx, &cipher, &mac, &version)); i++)
{
printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
name,
(unsigned char) id[0], (unsigned char) id[1],
gnutls_protocol_get_name (version));
if (verbose)
printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
gnutls_kx_get_name (kx),
gnutls_cipher_get_name (cipher), gnutls_mac_get_name (mac));
}
}
{
const gnutls_certificate_type_t *p = gnutls_certificate_type_list ();
printf ("Certificate types: ");
for (; *p; p++)
{
printf ("%s", gnutls_certificate_type_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_protocol_t *p = gnutls_protocol_list ();
printf ("Protocols: ");
for (; *p; p++)
{
printf ("%s", gnutls_protocol_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
printf ("Ciphers: ");
for (; *p; p++)
{
printf ("%s", gnutls_cipher_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
printf ("MACs: ");
for (; *p; p++)
{
printf ("%s", gnutls_mac_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
printf ("Key exchange algorithms: ");
for (; *p; p++)
{
printf ("%s", gnutls_kx_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_compression_method_t *p = gnutls_compression_list ();
printf ("Compression: ");
for (; *p; p++)
{
printf ("%s", gnutls_compression_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
printf ("Public Key Systems: ");
for (; *p; p++)
{
printf ("%s", gnutls_pk_algorithm_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
printf ("PK-signatures: ");
for (; *p; p++)
{
printf ("%s", gnutls_sign_algorithm_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
}
/* This function will print some details of the
* given session.
*/
int
print_info (gnutls_session_t session)
{
const char *tmp;
gnutls_credentials_type_t cred;
gnutls_kx_algorithm_t kx;
/* print the key exchange's algorithm name
*/
kx = gnutls_kx_get (session);
tmp = gnutls_kx_get_name (kx);
printf ("- Key Exchange: %s\n", tmp);
/* Check the authentication type used and switch
* to the appropriate.
*/
cred = gnutls_auth_get_type (session);
switch (cred)
{
case GNUTLS_CRD_IA:
printf ("- TLS/IA session\n");
break;
#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
printf ("- SRP session with username %s\n",
gnutls_srp_server_get_username (session));
break;
#endif
case GNUTLS_CRD_PSK:
/* This returns NULL in server side.
*/
if (gnutls_psk_client_get_hint (session) != NULL)
printf ("- PSK authentication. PSK hint '%s'\n",
gnutls_psk_client_get_hint (session));
/* This returns NULL in client side.
*/
if (gnutls_psk_server_get_username (session) != NULL)
printf ("- PSK authentication. Connected as '%s'\n",
gnutls_psk_server_get_username (session));
break;
case GNUTLS_CRD_ANON: /* anonymous authentication */
printf ("- Anonymous DH using prime of %d bits\n",
gnutls_dh_get_prime_bits (session));
break;
case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */
/* Check if we have been using ephemeral Diffie-Hellman.
*/
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
{
printf ("\n- Ephemeral DH using prime of %d bits\n",
gnutls_dh_get_prime_bits (session));
}
/* if the certificate list is available, then
* print some information about it.
*/
print_x509_certificate_info (session);
} /* switch */
/* print the protocol's name (ie TLS 1.0)
*/
tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session));
printf ("- Protocol: %s\n", tmp);
/* print the certificate type of the peer.
* ie X.509
*/
tmp =
gnutls_certificate_type_get_name (gnutls_certificate_type_get (session));
printf ("- Certificate Type: %s\n", tmp);
/* print the compression algorithm (if any)
*/
tmp = gnutls_compression_get_name (gnutls_compression_get (session));
printf ("- Compression: %s\n", tmp);
/* print the name of the cipher used.
* ie 3DES.
*/
tmp = gnutls_cipher_get_name (gnutls_cipher_get (session));
printf ("- Cipher: %s\n", tmp);
/* Print the MAC algorithms name.
* ie SHA1
*/
tmp = gnutls_mac_get_name (gnutls_mac_get (session));
printf ("- MAC: %s\n", tmp);
return 0;
}
/**
* @brief Get info pertaining to a socket.
* @naslfn{get_sock_info}
*
* This function is used to retrieve various information about an
* active socket. It requires the NASL socket number and a string to
* select the information to retrieve.
*
* Supported keywords are:
*
* - @a dport Return the destination port. This is an integer. NOTE:
* Not yet implemented.
*
* - @a sport Return the source port. This is an integer. NOTE: Not
* yet implemented.
*
* - @a encaps Return the encapsulation of the socket. Example
* output: "TLScustom".
*
* - @a tls-proto Return a string with the actual TLS protocol in use.
* n/a" is returned if no SSL/TLS session is active. Example
* output: "TLSv1".
*
* - @a tls-kx Return a string describing the key exchange algorithm.
* Example output: "RSA".
*
* - @a tls-certtype Return the type of the certificate in use by the
* session. Example output: "X.509"
*
* - @a tls-cipher Return the cipher algorithm in use by the session;
* Example output: "AES-256-CBC".
*
* - @a tls-mac Return the message authentication algorithms used by
* the session. Example output: "SHA1".
*
* - @a tls-comp Return the compression algorithms in use by the
* session. Example output: "DEFLATE".
*
* - @a tls-auth Return the peer's authentication type. Example
* output: "CERT".
*
* - @a tls-cert Return the peer's certificates for an SSL or TLS
* connection. This is an array of binary strings or NULL if no
* certificate is known.
*
* @nasluparam
*
* - A NASL socket
*
* - A string keyword; see above.
*
* @naslnparam
*
* - @a asstring If true return a human readable string instead of
* an integer. Used only with these keywords: encaps.
*
* @naslret An integer or a string or NULL on error.
*
* @param[in] lexic Lexical context of the NASL interpreter.
*
* @return A tree cell.
*/
tree_cell *
nasl_get_sock_info (lex_ctxt * lexic)
{
int sock;
int type;
int err;
const char *keyword, *s;
tree_cell *retc;
int as_string;
int transport;
gnutls_session_t tls_session;
char *strval;
int intval;
sock = get_int_var_by_num (lexic, 0, -1);
if (sock <= 0)
{
nasl_perror (lexic, "error: socket %d is not valid\n");
return NULL;
}
keyword = get_str_var_by_num (lexic, 1);
if (!keyword || !((type = get_var_type_by_num (lexic, 1)) == VAR2_STRING
|| type == VAR2_DATA))
{
nasl_perror (lexic, "error: second argument is not of type string\n");
return NULL;
}
as_string = !!get_int_local_var_by_name (lexic, "asstring", 0);
transport = 0;
strval = NULL;
intval = 0;
retc = FAKE_CELL; /* Dummy value to detect retc == NULL. */
{
void *tmp = NULL;
err = get_sock_infos (sock, &transport, &tmp);
tls_session = tmp;
}
if (err)
{
nasl_perror (lexic, "error retrieving infos for socket %d: %s\n",
sock, strerror (err));
retc = NULL;
}
else if (!strcmp (keyword, "encaps"))
{
if (as_string)
strval = estrdup (get_encaps_name (transport));
else
intval = transport;
}
else if (!strcmp (keyword, "tls-proto"))
{
if (!tls_session)
s = "n/a";
else
s = gnutls_protocol_get_name
(gnutls_protocol_get_version (tls_session));
strval = estrdup (s?s:"[?]");
}
else if (!strcmp (keyword, "tls-kx"))
{
if (!tls_session)
s = "n/a";
else
s = gnutls_kx_get_name (gnutls_kx_get (tls_session));
strval = estrdup (s?s:"");
}
else if (!strcmp (keyword, "tls-certtype"))
{
if (!tls_session)
s = "n/a";
else
s = gnutls_certificate_type_get_name
(gnutls_certificate_type_get (tls_session));
strval = estrdup (s?s:"");
}
else if (!strcmp (keyword, "tls-cipher"))
{
if (!tls_session)
s = "n/a";
else
s = gnutls_cipher_get_name (gnutls_cipher_get (tls_session));
strval = estrdup (s?s:"");
}
else if (!strcmp (keyword, "tls-mac"))
{
if (!tls_session)
s = "n/a";
else
s = gnutls_mac_get_name (gnutls_mac_get (tls_session));
strval = estrdup (s?s:"");
}
else if (!strcmp (keyword, "tls-comp"))
{
if (!tls_session)
s = "n/a";
else
s = gnutls_compression_get_name
(gnutls_compression_get (tls_session));
strval = estrdup (s?s:"");
}
else if (!strcmp (keyword, "tls-auth"))
{
if (!tls_session)
s = "n/a";
else
{
switch (gnutls_auth_get_type (tls_session))
{
case GNUTLS_CRD_ANON: s = "ANON"; break;
case GNUTLS_CRD_CERTIFICATE: s = "CERT"; break;
case GNUTLS_CRD_PSK: s = "PSK"; break;
case GNUTLS_CRD_SRP: s = "SRP"; break;
default: s = "[?]"; break;
}
}
strval = estrdup (s?s:"");
}
else if (!strcmp (keyword, "tls-cert"))
{
/* We only support X.509 for now. GNUTLS also allows for
OpenPGP, but we are not prepared for that. */
if (!tls_session
|| gnutls_certificate_type_get (tls_session) != GNUTLS_CRT_X509)
s = "n/a";
else
{
const gnutls_datum_t *list;
unsigned int nlist = 0;
int i;
nasl_array *a;
anon_nasl_var v;
list = gnutls_certificate_get_peers (tls_session, &nlist);
if (!list)
retc = NULL; /* No certificate or other error. */
else
{
retc = alloc_tree_cell (0, NULL);
retc->type = DYN_ARRAY;
retc->x.ref_val = a = emalloc (sizeof *a);
for (i=0; i < nlist; i++)
{
memset (&v, 0, sizeof v);
v.var_type = VAR2_DATA;
v.v.v_str.s_val = list[i].data;
v.v.v_str.s_siz = list[i].size;
add_var_to_list (a, i, &v);
}
}
}
}
else
{
nasl_perror (lexic, "unknown keyword '%s'\n", keyword);
retc = NULL;
}
if (!retc)
;
else if (retc != FAKE_CELL)
; /* Already allocated. */
else if (strval)
{
retc = alloc_typed_cell (CONST_STR);
retc->x.str_val = strval;
retc->size = strlen (strval);
}
else
{
retc = alloc_typed_cell (CONST_INT);
retc->x.i_val = intval;
}
return retc;
}
static int _gnutls_server_cert_type_send_params(gnutls_session_t session,
gnutls_buffer_st* data)
{
int ret;
uint8_t cert_type; // Holds an IANA cert type ID
uint8_t i = 0, num_cert_types = 0;
priority_st* cert_priorities;
gnutls_datum_t tmp_cert_types; // For type conversion
uint8_t cert_types[GNUTLS_CRT_MAX]; // The list with supported cert types. Inv: 0 <= cert type Id < 256
/* Only activate this extension if we have cert credentials set
* and alternative cert types are allowed */
if (!are_alternative_cert_types_allowed(session) ||
(_gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE) == NULL))
return 0;
if (!IS_SERVER(session)) { // Client mode
// For brevity
cert_priorities =
&session->internals.priorities->server_ctype;
/* Retrieve server certificate type priorities if any. If no
* priorities are set then the default server certificate type
* initialization values apply. This default is currently set to
* X.509 in which case we don't enable this extension.
*/
if (cert_priorities->num_priorities > 0) { // Priorities are explicitly set
/* If the certificate priority is explicitly set to only
* X.509 (default) then, according to spec we don't send
* this extension. We check this here to avoid further work in
* this routine. We also check it below after pruning supported
* types.
*/
if (cert_priorities->num_priorities == 1 &&
cert_priorities->priorities[0] == DEFAULT_CERT_TYPE) {
_gnutls_handshake_log
("EXT[%p]: Server certificate type was set to default cert type (%s). "
"We therefore do not send this extension.\n",
session,
gnutls_certificate_type_get_name(DEFAULT_CERT_TYPE));
// Explicitly set but default ctype, so don't send anything
return 0;
}
/* We are only allowed to send certificate types that we support.
* Therefore we check this here and prune our original list.
* This check might seem redundant now because we don't check for
* credentials (they are not needed for a client) and only check the
* priorities over which we already iterate. In the future,
* additional checks might be necessary and they can be easily
* added in the ..type_supported() routine without modifying the
* structure of the code here.
*/
for (i = 0; i < cert_priorities->num_priorities; i++) {
if (_gnutls_session_cert_type_supported
(session, cert_priorities->priorities[i],
false, GNUTLS_CTYPE_SERVER) == 0) {
/* Check whether we are allowed to store another cert type
* in our buffer. In other words, prevent a possible buffer
* overflow. This situation can occur when a user sets
* duplicate cert types in the priority strings. */
if (num_cert_types >= GNUTLS_CRT_MAX)
return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
// Convert to IANA representation
ret = cert_type2IANA(cert_priorities->priorities[i]);
if (ret < 0)
return gnutls_assert_val(ret);
cert_type = ret; // For readability
// Add this cert type to our list with supported types
cert_types[num_cert_types] = cert_type;
num_cert_types++;
_gnutls_handshake_log
("EXT[%p]: Server certificate type %s (%d) was queued.\n",
session,
gnutls_certificate_type_get_name(cert_priorities->priorities[i]),
cert_type);
}
}
/* Check whether there are any supported certificate types left
* after the previous pruning step. If not, we do not send this
* extension. Also, if the only supported type is the default type
* we do not send this extension (according to RFC7250).
*/
if (num_cert_types == 0) { // For now, this should not occur since we only check priorities while pruning.
_gnutls_handshake_log
("EXT[%p]: Server certificate types were set but none of them is supported. "
"We do not send this extension.\n",
session);
return 0;
} else if (num_cert_types == 1 &&
IANA2cert_type(cert_types[0]) == DEFAULT_CERT_TYPE) {
_gnutls_handshake_log
("EXT[%p]: The only supported server certificate type is (%s) which is the default. "
"We therefore do not send this extension.\n",
session,
gnutls_certificate_type_get_name(DEFAULT_CERT_TYPE));
return 0;
}
/* We have data to send and store a copy internally. We convert
* our list with supported cert types to a datum_t in order to
* be able to make the ..._set_datum call.
*/
tmp_cert_types.data = cert_types;
tmp_cert_types.size = num_cert_types;
_gnutls_hello_ext_set_datum(session,
GNUTLS_EXTENSION_SERVER_CERT_TYPE,
&tmp_cert_types);
/* Serialize the certificate types into a sequence of octets
* uint8: length of sequence of cert types (1 octet)
* uint8: cert types (0 <= #octets <= 255)
*/
ret = _gnutls_buffer_append_data_prefix(data, 8,
cert_types,
num_cert_types);
// Check for errors and cleanup in case of error
if (ret < 0) {
return gnutls_assert_val(ret);
} else {
// Number of bytes we are sending
return num_cert_types + 1;
}
}
} else { // Server mode
// Retrieve negotiated server certificate type and send it
ret = cert_type2IANA(get_certificate_type(
session, GNUTLS_CTYPE_SERVER));
if (ret < 0)
return gnutls_assert_val(ret);
cert_type = ret; // For readability
ret = gnutls_buffer_append_data(data, &cert_type, 1);
if (ret < 0)
return gnutls_assert_val(ret);
return 1; // sent one byte
}
// In all other cases don't enable this extension
return 0;
}
int
main (void)
{
{
size_t i;
const char *name;
char id[2];
gnutls_kx_algorithm_t kx;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
printf ("Available cipher suites:\n");
printf ("@multitable @columnfractions .60 .20 .20\n");
for (i = 0; (name = gnutls_cipher_suite_info
(i, id, &kx, &cipher, &mac, &version)); i++)
{
printf ("@item %s\n@tab 0x%02x 0x%02x\n@tab %s\n",
name,
(unsigned char) id[0], (unsigned char) id[1],
gnutls_protocol_get_name (version));
}
printf ("@end multitable\n");
}
{
const gnutls_certificate_type_t *p = gnutls_certificate_type_list ();
printf ("\n\nAvailable certificate types:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_certificate_type_get_name (*p));
}
printf ("@end itemize\n");
}
{
const gnutls_protocol_t *p = gnutls_protocol_list ();
printf ("\nAvailable protocols:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_protocol_get_name (*p));
}
printf ("@end itemize\n");
}
{
const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
printf ("\nAvailable ciphers:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_cipher_get_name (*p));
}
printf ("@end itemize\n");
}
{
const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
printf ("\nAvailable MAC algorithms:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_mac_get_name (*p));
}
printf ("@end itemize\n");
}
{
const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
printf ("\nAvailable key exchange methods:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_kx_get_name (*p));
}
printf ("@end itemize\n");
}
{
const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
printf ("\nAvailable public key algorithms:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_pk_get_name (*p));
}
printf ("@end itemize\n");
}
{
const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
printf ("\nAvailable public key signature algorithms:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_sign_get_name (*p));
}
printf ("@end itemize\n");
}
{
const gnutls_compression_method_t *p = gnutls_compression_list ();
printf ("\nAvailable compression methods:\n@itemize\n");
for (; *p; p++)
{
printf ("@item %s\n", gnutls_compression_get_name (*p));
}
printf ("@end itemize\n");
}
}
