/* This function will log some details of the given session. */ static void logtlsinfo (gnutls_session_t session) { gnutls_credentials_type_t cred; const char *protocol = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); gnutls_kx_algorithm_t kx = gnutls_kx_get (session); const char *keyexchange = gnutls_kx_get_name (kx); const char *certtype = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); const char *cipher = gnutls_cipher_get_name (gnutls_cipher_get (session)); const char *mac = gnutls_mac_get_name (gnutls_mac_get (session)); const char *compression = gnutls_compression_get_name (gnutls_compression_get (session)); int resumedp = gnutls_session_is_resumed (session); /* This message can arguably belong to LOG_AUTH. */ syslog (LOG_INFO, "TLS handshake negotiated protocol `%s', " "key exchange `%s', certficate type `%s', cipher `%s', " "mac `%s', compression `%s', %s", protocol ? protocol : "N/A", keyexchange ? keyexchange : "N/A", certtype ? certtype : "N/A", cipher ? cipher : "N/A", mac ? mac : "N/A", compression ? compression : "N/A", resumedp ? "resumed session" : "session not resumed"); cred = gnutls_auth_get_type (session); switch (cred) { case GNUTLS_CRD_ANON: syslog (LOG_INFO | LOG_DAEMON, "TLS anonymous authentication with %d bit Diffie-Hellman", gnutls_dh_get_prime_bits (session)); break; case GNUTLS_CRD_CERTIFICATE: if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) syslog (LOG_INFO | LOG_DAEMON, "TLS certificate authentication with %d bits " "ephemeral Diffie-Hellman", gnutls_dh_get_prime_bits (session)); logcertinfo (session); break; case GNUTLS_CRD_SRP: case GNUTLS_CRD_PSK: case GNUTLS_CRD_IA: default: syslog (LOG_ERR | LOG_DAEMON, "Unknown TLS authentication (%d)", cred); break; } }
static void print_dh_info (gnutls_session_t session, const char *str, int print) { printf ("- %sDiffie-Hellman parameters\n", str); printf (" - Using prime: %d bits\n", gnutls_dh_get_prime_bits (session)); printf (" - Secret key: %d bits\n", gnutls_dh_get_secret_bits (session)); printf (" - Peer's public key: %d bits\n", gnutls_dh_get_peers_public_bits (session)); if (print) { int ret; gnutls_datum_t raw_gen = { NULL, 0 }; gnutls_datum_t raw_prime = { NULL, 0 }; gnutls_dh_params_t dh_params = NULL; unsigned char *params_data = NULL; size_t params_data_size = 0; ret = gnutls_dh_get_group (session, &raw_gen, &raw_prime); if (ret) { fprintf (stderr, "gnutls_dh_get_group %d\n", ret); goto out; } ret = gnutls_dh_params_init (&dh_params); if (ret) { fprintf (stderr, "gnutls_dh_params_init %d\n", ret); goto out; } ret = gnutls_dh_params_import_raw (dh_params, &raw_prime, &raw_gen); if (ret) { fprintf (stderr, "gnutls_dh_params_import_raw %d\n", ret); goto out; } ret = gnutls_dh_params_export_pkcs3 (dh_params, GNUTLS_X509_FMT_PEM, params_data, ¶ms_data_size); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "gnutls_dh_params_export_pkcs3 %d\n", ret); goto out; } params_data = gnutls_malloc (params_data_size); if (!params_data) { fprintf (stderr, "gnutls_malloc %d\n", ret); goto out; } ret = gnutls_dh_params_export_pkcs3 (dh_params, GNUTLS_X509_FMT_PEM, params_data, ¶ms_data_size); if (ret) { fprintf (stderr, "gnutls_dh_params_export_pkcs3-2 %d\n", ret); goto out; } printf (" - PKCS#3 format:\n\n%.*s\n", (int) params_data_size, params_data); out: gnutls_free (params_data); gnutls_free (raw_prime.data); gnutls_free (raw_gen.data); gnutls_dh_params_deinit (dh_params); } }
void gtlsGeneric::logSessionInfo(LogWrapperType _logwrapper, gnutls_session_t _session) { const char *tmp; gnutls_credentials_type_t cred; gnutls_kx_algorithm_t kx; // print the key exchange's algorithm name kx = gnutls_kx_get(_session); tmp = gnutls_kx_get_name(kx); BTG_NOTICE(_logwrapper, "- Key Exchange: " << tmp); // Check the authentication type used and switch // to the appropriate. cred = gnutls_auth_get_type(_session); switch (cred) { case GNUTLS_CRD_SRP: { BTG_NOTICE(_logwrapper, "- SRP session"); break; } case GNUTLS_CRD_ANON: { BTG_NOTICE(_logwrapper, "- Anonymous DH using prime of " << gnutls_dh_get_prime_bits (_session) << " bits"); break; } case GNUTLS_CRD_CERTIFICATE: { // Check if we have been using ephemeral Diffie Hellman. if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { BTG_NOTICE(_logwrapper, "- Ephemeral DH using prime of " << gnutls_dh_get_prime_bits(_session) << " bits"); } /* if the certificate list is available, then * print some information about it. */ gtlsGeneric::logX509CertificateInfo(_logwrapper, _session); break; } default: { BTG_NOTICE(_logwrapper, "Unknown cred."); } } /* print the protocol's name (ie TLS 1.0) */ tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(_session)); BTG_NOTICE(_logwrapper, "- Protocol: " << tmp); /* print the certificate type of the peer. * ie X.509 */ tmp = gnutls_certificate_type_get_name(gnutls_certificate_type_get(_session)); BTG_NOTICE(_logwrapper, "- Certificate Type: " << tmp); /* print the compression algorithm (if any) */ tmp = gnutls_compression_get_name(gnutls_compression_get(_session)); BTG_NOTICE(_logwrapper, "- Compression: " << tmp); /* print the name of the cipher used. * ie 3DES. */ tmp = gnutls_cipher_get_name(gnutls_cipher_get(_session)); BTG_NOTICE(_logwrapper, "- Cipher: " << tmp); /* Print the MAC algorithms name. * ie SHA1 */ tmp = gnutls_mac_get_name(gnutls_mac_get(_session)); BTG_NOTICE(_logwrapper, "- MAC: " << tmp); }
/** * gnutls_session_get_desc: * @session: is a gnutls session * * This function returns a string describing the current session. * The string is null terminated and allocated using gnutls_malloc(). * * Returns: a description of the protocols and algorithms in the current session. * * Since: 3.1.10 **/ char *gnutls_session_get_desc(gnutls_session_t session) { gnutls_kx_algorithm_t kx; unsigned type; char kx_name[32]; char proto_name[32]; const char *curve_name = NULL; unsigned dh_bits = 0; unsigned mac_id; char *desc; kx = session->security_parameters.kx_algorithm; if (kx == GNUTLS_KX_ANON_ECDH || kx == GNUTLS_KX_ECDHE_PSK || kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA) { curve_name = gnutls_ecc_curve_get_name(gnutls_ecc_curve_get (session)); } else if (kx == GNUTLS_KX_ANON_DH || kx == GNUTLS_KX_DHE_PSK || kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { dh_bits = gnutls_dh_get_prime_bits(session); } if (curve_name != NULL) snprintf(kx_name, sizeof(kx_name), "%s-%s", gnutls_kx_get_name(kx), curve_name); else if (dh_bits != 0) snprintf(kx_name, sizeof(kx_name), "%s-%u", gnutls_kx_get_name(kx), dh_bits); else snprintf(kx_name, sizeof(kx_name), "%s", gnutls_kx_get_name(kx)); type = gnutls_certificate_type_get(session); if (type == GNUTLS_CRT_X509) snprintf(proto_name, sizeof(proto_name), "%s", gnutls_protocol_get_name(get_num_version (session))); else snprintf(proto_name, sizeof(proto_name), "%s-%s", gnutls_protocol_get_name(get_num_version (session)), gnutls_certificate_type_get_name(type)); gnutls_protocol_get_name(get_num_version(session)), desc = gnutls_malloc(DESC_SIZE); if (desc == NULL) return NULL; mac_id = gnutls_mac_get(session); if (mac_id == GNUTLS_MAC_AEAD) { /* no need to print */ snprintf(desc, DESC_SIZE, "(%s)-(%s)-(%s)", proto_name, kx_name, gnutls_cipher_get_name(gnutls_cipher_get(session))); } else { snprintf(desc, DESC_SIZE, "(%s)-(%s)-(%s)-(%s)", proto_name, kx_name, gnutls_cipher_get_name(gnutls_cipher_get(session)), gnutls_mac_get_name(mac_id)); } return desc; }
/** * gnutls_session_get_desc: * @session: is a gnutls session * * This function returns a string describing the current session. * The string is null terminated and allocated using gnutls_malloc(). * * If initial negotiation is not complete when this function is called, * %NULL will be returned. * * Returns: a description of the protocols and algorithms in the current session. * * Since: 3.1.10 **/ char *gnutls_session_get_desc(gnutls_session_t session) { gnutls_kx_algorithm_t kx; const char *kx_str; unsigned type; char kx_name[32]; char proto_name[32]; const char *curve_name = NULL; unsigned dh_bits = 0; unsigned mac_id; char *desc; if (session->internals.initial_negotiation_completed == 0) return NULL; kx = session->security_parameters.kx_algorithm; if (kx == GNUTLS_KX_ANON_ECDH || kx == GNUTLS_KX_ECDHE_PSK || kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA) { curve_name = gnutls_ecc_curve_get_name(gnutls_ecc_curve_get (session)); #if defined(ENABLE_DHE) || defined(ENABLE_ANON) } else if (kx == GNUTLS_KX_ANON_DH || kx == GNUTLS_KX_DHE_PSK || kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { dh_bits = gnutls_dh_get_prime_bits(session); #endif } kx_str = gnutls_kx_get_name(kx); if (kx_str) { if (curve_name != NULL) snprintf(kx_name, sizeof(kx_name), "%s-%s", kx_str, curve_name); else if (dh_bits != 0) snprintf(kx_name, sizeof(kx_name), "%s-%u", kx_str, dh_bits); else snprintf(kx_name, sizeof(kx_name), "%s", kx_str); } else { strcpy(kx_name, "NULL"); } type = gnutls_certificate_type_get(session); if (type == GNUTLS_CRT_X509) snprintf(proto_name, sizeof(proto_name), "%s", gnutls_protocol_get_name(get_num_version (session))); else snprintf(proto_name, sizeof(proto_name), "%s-%s", gnutls_protocol_get_name(get_num_version (session)), gnutls_certificate_type_get_name(type)); desc = gnutls_malloc(DESC_SIZE); if (desc == NULL) return NULL; mac_id = gnutls_mac_get(session); if (mac_id == GNUTLS_MAC_AEAD) { /* no need to print */ snprintf(desc, DESC_SIZE, "(%s)-(%s)-(%s)", proto_name, kx_name, gnutls_cipher_get_name(gnutls_cipher_get(session))); } else { snprintf(desc, DESC_SIZE, "(%s)-(%s)-(%s)-(%s)", proto_name, kx_name, gnutls_cipher_get_name(gnutls_cipher_get(session)), gnutls_mac_get_name(mac_id)); } return desc; }
/* This function will print some details of the * given session. */ int print_info (gnutls_session_t session) { const char *tmp; gnutls_credentials_type_t cred; gnutls_kx_algorithm_t kx; /* print the key exchange's algorithm name */ kx = gnutls_kx_get (session); tmp = gnutls_kx_get_name (kx); printf ("- Key Exchange: %s\n", tmp); /* Check the authentication type used and switch * to the appropriate. */ cred = gnutls_auth_get_type (session); switch (cred) { case GNUTLS_CRD_IA: printf ("- TLS/IA session\n"); break; #ifdef ENABLE_SRP case GNUTLS_CRD_SRP: printf ("- SRP session with username %s\n", gnutls_srp_server_get_username (session)); break; #endif case GNUTLS_CRD_PSK: /* This returns NULL in server side. */ if (gnutls_psk_client_get_hint (session) != NULL) printf ("- PSK authentication. PSK hint '%s'\n", gnutls_psk_client_get_hint (session)); /* This returns NULL in client side. */ if (gnutls_psk_server_get_username (session) != NULL) printf ("- PSK authentication. Connected as '%s'\n", gnutls_psk_server_get_username (session)); break; case GNUTLS_CRD_ANON: /* anonymous authentication */ printf ("- Anonymous DH using prime of %d bits\n", gnutls_dh_get_prime_bits (session)); break; case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */ /* Check if we have been using ephemeral Diffie-Hellman. */ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { printf ("\n- Ephemeral DH using prime of %d bits\n", gnutls_dh_get_prime_bits (session)); } /* if the certificate list is available, then * print some information about it. */ print_x509_certificate_info (session); } /* switch */ /* print the protocol's name (ie TLS 1.0) */ tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); printf ("- Protocol: %s\n", tmp); /* print the certificate type of the peer. * ie X.509 */ tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); printf ("- Certificate Type: %s\n", tmp); /* print the compression algorithm (if any) */ tmp = gnutls_compression_get_name (gnutls_compression_get (session)); printf ("- Compression: %s\n", tmp); /* print the name of the cipher used. * ie 3DES. */ tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); printf ("- Cipher: %s\n", tmp); /* Print the MAC algorithms name. * ie SHA1 */ tmp = gnutls_mac_get_name (gnutls_mac_get (session)); printf ("- MAC: %s\n", tmp); return 0; }
unsigned int session::get_dh_prime_bits () const { return RETWRAP (gnutls_dh_get_prime_bits (s)); }