int
SSL_accept (SSL * ssl)
{
X509_STORE_CTX *store;
int cert_list_size = 0;
int err;
char x_priority[256];
/* take options into account before connecting */
memset (x_priority, 0, sizeof (x_priority));
if (ssl->options & SSL_OP_NO_TLSv1)
{
snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string);
err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL);
if (err < 0)
{
last_error = err;
return 0;
}
}
/* FIXME: dh params, do we want client cert? */
err = gnutls_handshake (ssl->gnutls_state);
ssl->last_error = err;
if (err < 0)
{
last_error = err;
return 0;
}
store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX));
store->ssl = ssl;
store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
&cert_list_size);
if (ssl->verify_callback)
{
ssl->verify_callback (1 /*FIXME*/, store);
}
ssl->state = SSL_ST_OK;
err = store->error;
free (store);
/* FIXME: deal with error from callback */
return 1;
}
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
gnutls_certificate_allocate_credentials(&x509_cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL)>=0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
gboolean
xfce_mailwatch_net_conn_make_secure(XfceMailwatchNetConn *net_conn,
GError **error)
{
g_return_val_if_fail(net_conn && (!error || !*error), FALSE);
g_return_val_if_fail(net_conn->fd != -1, FALSE);
g_return_val_if_fail(!net_conn->is_secure, TRUE);
#ifdef HAVE_SSL_SUPPORT
/* init the x509 cert */
gnutls_certificate_allocate_credentials(&net_conn->gt_creds);
gnutls_certificate_set_x509_trust_file(net_conn->gt_creds,
GNUTLS_CA_FILE,
GNUTLS_X509_FMT_PEM);
/* init the session and set it up */
gnutls_init(&net_conn->gt_session, GNUTLS_CLIENT);
gnutls_priority_set_direct (net_conn->gt_session, "NORMAL", NULL);
gnutls_credentials_set(net_conn->gt_session, GNUTLS_CRD_CERTIFICATE,
net_conn->gt_creds);
gnutls_transport_set_ptr(net_conn->gt_session,
(gnutls_transport_ptr_t)net_conn->fd);
#if GNUTLS_VERSION_NUMBER < 0x020c00
if(fcntl(net_conn->fd, F_GETFL) & O_NONBLOCK)
gnutls_transport_set_lowat(net_conn->gt_session, 0);
#endif
if(!xfce_mailwatch_net_conn_tls_handshake(net_conn, error)) {
#if 0
gnutls_bye(net_conn->gt_session, GNUTLS_SHUT_RDWR);
#endif
gnutls_deinit(net_conn->gt_session);
gnutls_certificate_free_credentials(net_conn->gt_creds);
return FALSE;
}
net_conn->is_secure = TRUE;
return TRUE;
#else
if(error) {
g_set_error(error, XFCE_MAILWATCH_ERROR, 0,
_("Not compiled with SSL/TLS support"));
}
g_critical("XfceMailwatch: TLS handshake failed: not compiled with SSL support.");
return FALSE;
#endif
}
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA:%COMPAT",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, odd_push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret >= 0) {
fail("client: Handshake succeeded!\n");
exit(1);
}
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
}
int
main (void)
{
/* credentials */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_certificate_credentials_t c_certcred;
gnutls_session_t client;
int sd;
/* General init. */
gnutls_global_init ();
ecore_init();
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (6);
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_certificate_allocate_credentials (&c_certcred);
gnutls_init (&client, GNUTLS_CLIENT);
/* set very specific priorities */
gnutls_priority_set_direct(client, "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0", NULL);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, c_certcred);
gnutls_server_name_set(client, GNUTLS_NAME_DNS, "www.verisign.com", strlen("www.verisign.com"));
/* connect to the peer
*/
sd = tcp_connect ();
/* associate gnutls with socket */
gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t) sd);
/* add a callback for data being available for send/receive on socket */
if (!ecore_main_fd_handler_add(sd, ECORE_FD_READ | ECORE_FD_WRITE, (Ecore_Fd_Cb)_process_data, client, NULL, NULL))
{
print("could not create fd handler!");
exit(1);
}
/* begin main loop */
ecore_main_loop_begin();
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
tcp_close (sd);
return 0;
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set_direct (session, "NORMAL:+ANON-DH", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits (session, DH_BITS);
return session;
}
static gnutls_session_t initialize_tls_session(const char *prio)
{
gnutls_session_t session;
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, prio, NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
return session;
}
SSL *
SSL_new (SSL_CTX * ctx)
{
SSL *ssl;
int err;
ssl = (SSL *) calloc (1, sizeof (SSL));
if (!ssl)
return NULL;
err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred);
if (err < 0)
{
last_error = err;
free (ssl);
return NULL;
}
gnutls_init (&ssl->gnutls_state, ctx->method->connend);
gnutls_priority_set_direct (ssl->gnutls_state,
ctx->method->priority_string, NULL);
gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE,
ssl->gnutls_cred);
if (ctx->certfile)
gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred,
ctx->certfile,
ctx->certfile_type);
if (ctx->keyfile)
gnutls_certificate_set_x509_key_file (ssl->gnutls_cred,
ctx->certfile, ctx->keyfile,
ctx->keyfile_type);
ssl->ctx = ctx;
ssl->verify_mode = ctx->verify_mode;
ssl->verify_callback = ctx->verify_callback;
ssl->options = ctx->options;
ssl->rfd = (gnutls_transport_ptr_t) - 1;
ssl->wfd = (gnutls_transport_ptr_t) - 1;
ssl->ssl_peek_buffer = NULL;
ssl->ssl_peek_buffer_size = ssl->ssl_peek_avail = 0;
return ssl;
}
static gnutls_session_t initialize_tls_session(void)
{
gnutls_session_t session;
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
return session;
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER|GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu( session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct (session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
return session;
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set_direct (session, "NORMAL", NULL);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits (session, DH_BITS);
return session;
}
static gnutls_session_t new_tls_session(int sock)
{
int ret;
gnutls_session_t session;
const char *err;
#if defined LIBGNUTLS_VERSION_MAJOR && LIBGNUTLS_VERSION_MAJOR >= 3
# define TLS_DH_STR "+ANON-ECDH:+ANON-DH"
#else
# define TLS_DH_STR "+ANON-DH"
#endif
#ifdef GNUTLS_SRP_ENABLED
const char *pstring = "NORMAL:+SRP:+SRP-DSS:+SRP-RSA:" TLS_DH_STR;
#else
const char *pstring = "NORMAL:" TLS_DH_STR;
#endif
gnutls_init(&session, GNUTLS_SERVER);
gnutls_set_default_priority(session);
ret = gnutls_priority_set_direct(session, pstring, &err);
if (ret < 0) {
fprintf(stderr, "TLS priority syntax error at: %s\n", err);
return NULL;
}
#ifdef GNUTLS_SRP_ENABLED
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred);
gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE);
#endif
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr(session, fd_to_ptr(sock));
gnutls_transport_set_pull_function(session, tls_pull);
gnutls_transport_set_push_function(session, tls_push);
ret = gnutls_handshake(session);
if ( ret < 0 ) {
fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret));
gnutls_alert_send_appropriate(session, ret);
return NULL;
}
return session;
}
bool GnuTLSClientAnon::init( const std::string&,
const std::string&,
const StringList& )
{
if( m_initLib && gnutls_global_init() != 0 )
return false;
if( gnutls_anon_allocate_client_credentials( &m_anoncred ) < 0 )
return false;
if( gnutls_init( m_session, GNUTLS_CLIENT ) != 0 )
return false;
#if GNUTLS_VERSION_NUMBER >= 0x020600
int ret = gnutls_priority_set_direct( *m_session, "SECURE128:+PFS:+COMP-ALL:+VERS-TLS-ALL:-VERS-SSL3.0:+SIGN-ALL:+CURVE-ALL", 0 );
if( ret != GNUTLS_E_SUCCESS )
return false;
#else
const int protocolPriority[] = {
#ifdef GNUTLS_TLS1_2
GNUTLS_TLS1_2,
#endif
GNUTLS_TLS1_1, GNUTLS_TLS1, 0 };
const int protocolPriority[] = { GNUTLS_TLS1, 0 };
const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 };
const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
gnutls_protocol_set_priority( *m_session, protocolPriority );
gnutls_cipher_set_priority( *m_session, cipherPriority );
gnutls_compression_set_priority( *m_session, compPriority );
gnutls_kx_set_priority( *m_session, kxPriority );
gnutls_mac_set_priority( *m_session, macPriority );
#endif
gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred );
gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this );
gnutls_transport_set_push_function( *m_session, pushFunc );
gnutls_transport_set_pull_function( *m_session, pullFunc );
m_valid = true;
return true;
}
static int rfbssl_init_session(struct rfbssl_ctx *ctx, int fd)
{
gnutls_session_t session;
int ret;
if (!GNUTLS_E_SUCCESS == (ret = gnutls_init(&session, GNUTLS_SERVER))) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_priority_set_direct(session, "EXPORT", NULL))) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred))) {
/* */
} else {
gnutls_session_enable_compatibility_mode(session);
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)fd);
ctx->session = session;
}
return ret;
}
int
setup_session (gnutls_session_t * session,
gnutls_datum_t * key,
gnutls_datum_t * cert,
gnutls_certificate_credentials_t * xcred)
{
int ret;
const char *err_pos;
gnutls_certificate_allocate_credentials (xcred);
key->size = strlen (srv_key_pem) + 1;
key->data = malloc (key->size);
if (NULL == key->data)
{
gnutls_certificate_free_credentials (*xcred);
return -1;
}
memcpy (key->data, srv_key_pem, key->size);
cert->size = strlen (srv_self_signed_cert_pem) + 1;
cert->data = malloc (cert->size);
if (NULL == cert->data)
{
gnutls_certificate_free_credentials (*xcred);
free (key->data);
return -1;
}
memcpy (cert->data, srv_self_signed_cert_pem, cert->size);
gnutls_certificate_set_x509_key_mem (*xcred, cert, key,
GNUTLS_X509_FMT_PEM);
gnutls_init (session, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct (*session,
"NORMAL", &err_pos);
if (ret < 0)
{
gnutls_deinit (*session);
gnutls_certificate_free_credentials (*xcred);
free (key->data);
return -1;
}
gnutls_credentials_set (*session,
GNUTLS_CRD_CERTIFICATE,
*xcred);
return 0;
}
void TLSClient::init (
const std::string& ca,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_cert = cert;
_key = key;
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&_credentials);
if (_ca != "" &&
gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CA file.");
if (_cert != "" &&
_key != "" &&
gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CERT file.");
#if GNUTLS_VERSION_NUMBER >= 0x02090a
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
gnutls_init (&_session, GNUTLS_CLIENT);
// Use default priorities unless overridden.
if (_ciphers == "")
_ciphers = "NORMAL";
const char *err;
int ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err);
if (ret < 0)
{
if (_debug && ret == GNUTLS_E_INVALID_REQUEST)
std::cout << "c: ERROR Priority error at: " << err << "\n";
throw std::string ("Error initializing TLS.");
}
// Apply the x509 credentials to the current session.
gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials);
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set_direct (session, "NORMAL:+SRP:+SRP-DSS:+SRP-RSA", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
/* for the certificate authenticated ciphersuites.
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);
return session;
}
gnutls_session_t context::session(context *ctx)
{
SSL ssl = NULL;
if(ctx && ctx->xcred && ctx->err() == secure::OK) {
gnutls_init(&ssl, ctx->connect);
switch(ctx->connect) {
case GNUTLS_CLIENT:
gnutls_priority_set_direct(ssl, "PERFORMANCE", NULL);
break;
case GNUTLS_SERVER:
gnutls_priority_set(ssl, context::priority_cache);
gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
gnutls_session_enable_compatibility_mode(ssl);
default:
break;
}
gnutls_credentials_set(ssl, ctx->xtype, ctx->xcred);
}
return ssl;
}
/* Refuse to negotiate TLS 1.0 and later protocols on @socket->ssl.
* Without this, connecting to <https://www-s.uiuc.edu/> with GnuTLS
* 1.3.5 would result in an SSL error. The bug may be in the server
* (Netscape-Enterprise/3.6 SP3), in GnuTLS, or in ELinks; please log
* your findings to ELinks bug 712. */
static void
ssl_set_no_tls(struct socket *socket)
{
#ifdef CONFIG_OPENSSL
((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
#elif defined(CONFIG_GNUTLS)
/* There is another gnutls_priority_set_direct call elsewhere
* in ELinks. If you change the priorities here, please check
* whether that one needs to be changed as well.
*
* GnuTLS 2.12.x is said to support "-VERS-TLS-ALL" too, but
* that version hasn't yet been released as of May 2011. */
gnutls_priority_set_direct(*(ssl_t *) socket->ssl,
"SECURE:-CTYPE-OPENPGP"
":+VERS-SSL3.0:-VERS-TLS1.0"
":-VERS-TLS1.1:-VERS-TLS1.2"
":%SSL3_RECORD_VERSION",
NULL);
#endif
}
bool CTlsSocket::InitSession()
{
if (!m_certCredentials) {
Uninit();
return false;
}
int res = gnutls_init(&m_session, GNUTLS_CLIENT);
if (res) {
LogError(res, _T("gnutls_init"));
Uninit();
return false;
}
// For use in callbacks
gnutls_session_set_ptr(m_session, this);
// Even though the name gnutls_db_set_cache_expiration
// implies expiration of some cache, it also governs
// the actual session lifetime, independend whether the
// session is cached or not.
gnutls_db_set_cache_expiration(m_session, 100000000);
res = gnutls_priority_set_direct(m_session, ciphers, 0);
if (res) {
LogError(res, _T("gnutls_priority_set_direct"));
Uninit();
return false;
}
gnutls_dh_set_prime_bits(m_session, 1024);
gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials);
// Setup transport functions
gnutls_transport_set_push_function(m_session, PushFunction);
gnutls_transport_set_pull_function(m_session, PullFunction);
gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
return true;
}
static gnutls_session_t initialize_tls_session(void)
{
gnutls_session_t session;
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
Moved to later on to be able to test re-handshakes.
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
*/
gnutls_dh_set_prime_bits(session, DH_BITS);
return session;
}
static gnutls_session_t initialize_tls_session(void)
{
gnutls_session_t session;
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits(session, DH_BITS);
return session;
}
static int tls_gnutls_init_session(struct tls_global *global,
struct tls_connection *conn)
{
const char *err;
int ret;
ret = gnutls_init(&conn->session,
global->server ? GNUTLS_SERVER : GNUTLS_CLIENT);
if (ret < 0) {
wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS "
"connection: %s", gnutls_strerror(ret));
return -1;
}
ret = gnutls_set_default_priority(conn->session);
if (ret < 0)
goto fail;
ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0",
&err);
if (ret < 0) {
wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at "
"'%s'", err);
goto fail;
}
gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func);
gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr_t) conn);
gnutls_session_set_ptr(conn->session, conn);
return 0;
fail:
wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s",
gnutls_strerror(ret));
gnutls_deinit(conn->session);
return -1;
}
static void ekg_gnutls_new_session(
GSocketClient *sockclient,
GSocketConnection *sock,
struct ekg_connection_starter *cs)
{
gnutls_session_t s;
gnutls_certificate_credentials_t cred;
struct ekg_gnutls_connection *conn = g_slice_new(struct ekg_gnutls_connection);
struct ekg_gnutls_connection_starter *gcs = g_slice_new(struct ekg_gnutls_connection_starter);
g_assert(!gnutls_certificate_allocate_credentials(&cred));
g_assert(!gnutls_init(&s, GNUTLS_CLIENT));
g_assert(!gnutls_priority_set_direct(s, "PERFORMANCE", NULL)); /* XXX */
g_assert(!gnutls_credentials_set(s, GNUTLS_CRD_CERTIFICATE, cred));
gnutls_transport_set_pull_function(s, ekg_gnutls_pull);
gnutls_transport_set_push_function(s, ekg_gnutls_push);
gnutls_transport_set_ptr(s, conn);
gcs->parent = cs;
gcs->conn = conn;
gcs->sockclient = sockclient;
conn->session = s;
conn->cred = cred;
conn->connection_error = NULL;
conn->connection = get_connection_by_outstream(
ekg_connection_add(
sock,
g_io_stream_get_input_stream(G_IO_STREAM(sock)),
g_io_stream_get_output_stream(G_IO_STREAM(sock)),
ekg_gnutls_handle_handshake_input,
ekg_gnutls_handle_handshake_failure,
gcs)
);
g_assert(conn->connection);
ekg_gnutls_async_handshake(gcs);
}
int main(int argc, char *argv[])
{
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
global_init();
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_priority_set_direct(client, "NORMAL", NULL);
/* Test setting the same credential type twice. Earlier GnuTLS had
a bug that crashed when this happened. */
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_deinit(client);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_global_deinit();
return 0;
}
static void client(int fd, unsigned tickets)
{
int ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
char buf[64];
unsigned try = 0;
gnutls_datum_t session_data = {NULL, 0};
global_init();
tickets_seen = 0;
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(7);
}
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
retry:
/* Initialize TLS session
*/
assert(gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_POST_HANDSHAKE_AUTH)>=0);
gnutls_handshake_set_timeout(session, 20 * 1000);
ret = gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.0", NULL);
if (ret < 0)
fail("cannot set TLS 1.3 priorities\n");
if (try == 0) {
gnutls_session_set_ptr(session, &session_data);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET,
GNUTLS_HOOK_BOTH,
ticket_callback);
} else {
/**
* gnutls_set_default_export_priority:
* @session: is a #gnutls_session_t structure.
*
* Sets some default priority on the ciphers, key exchange methods, macs
* and compression methods. This function also includes weak algorithms.
*
* This is the same as calling:
*
* gnutls_priority_set_direct (session, "EXPORT", NULL);
*
* This function is kept around for backwards compatibility, but
* because of its wide use it is still fully supported. If you wish
* to allow users to provide a string that specify which ciphers to
* use (which is recommended), you should use
* gnutls_priority_set_direct() or gnutls_priority_set() instead.
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int gnutls_set_default_export_priority(gnutls_session_t session)
{
return gnutls_priority_set_direct(session, "EXPORT", NULL);
}
int
main (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file */
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
/* Initialize TLS session */
gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);
/* Use default priorities */
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST)
{
fprintf (stderr, "Syntax error at: %s\n", err);
}
exit (1);
}
/* put the x509 credentials to the current session */
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer */
sd = udp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* set the connection MTU */
gnutls_dtls_set_mtu (session, 1000);
/* Perform the TLS handshake */
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
/* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
* connections because the peer's closure message might
* be lost */
gnutls_bye (session, GNUTLS_SHUT_WR);
end:
udp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
return 0;
}
/**
* gnutls_set_default_priority:
* @session: is a #gnutls_session_t structure.
*
* Sets some default priority on the ciphers, key exchange methods,
* macs and compression methods.
*
* This is the same as calling:
*
* gnutls_priority_set_direct (session, "NORMAL", NULL);
*
* This function is kept around for backwards compatibility, but
* because of its wide use it is still fully supported. If you wish
* to allow users to provide a string that specify which ciphers to
* use (which is recommended), you should use
* gnutls_priority_set_direct() or gnutls_priority_set() instead.
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int gnutls_set_default_priority(gnutls_session_t session)
{
return gnutls_priority_set_direct(session, "NORMAL", NULL);
}
static
void test_success2(const char *name, const char *prio)
{
int ret;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
gnutls_x509_crt_t *crts;
unsigned int crts_size;
unsigned i;
gnutls_x509_privkey_t pkey;
unsigned status;
success("testing cert verification success2 for %s\n", name);
to_server_len = 0;
to_client_len = 0;
ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_cert, GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_privkey_import(pkey, &server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key(serverx509cred, crts, crts_size, pkey);
gnutls_x509_privkey_deinit(pkey);
for (i=0;i<crts_size;i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
assert(gnutls_priority_set_direct(server,
prio,
NULL)>=0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
/* Init client */
/* Init client */
ret = gnutls_certificate_allocate_credentials(&clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_key_mem(clientx509cred,
&cli_cert, &cli_key,
GNUTLS_X509_FMT_PEM);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
assert(gnutls_priority_set_direct(client, prio, NULL)>=0);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
gnutls_session_set_verify_cert(client, "localhost", 0);
HANDSHAKE(client, server);
status = gnutls_session_get_verify_cert_status(client);
if (status != 0) {
fail("%s: should have accepted: %u!\n", __func__, status);
exit(1);
}
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
}
