static void
client (int fd, int server_init)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
global_init ();
if (debug)
{
gnutls_global_set_log_function (client_log_func);
gnutls_global_set_log_level (4711);
}
gnutls_anon_allocate_client_credentials (&anoncred);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu( session, 1500);
/* Use default priorities */
gnutls_priority_set_direct (session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
gnutls_transport_set_push_function (session, push);
/* Perform the TLS handshake
*/
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
exit(1);
}
else
{
if (debug)
success ("client: Handshake was completed\n");
}
if (debug)
success ("client: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
if (!server_init)
{
if (debug) success("Initiating client rehandshake\n");
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0)
{
fail ("2nd client gnutls_handshake: %s\n", gnutls_strerror(ret));
terminate();
}
}
else
{
do {
ret = gnutls_record_recv (session, buffer, MAX_BUF);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
}
if (ret == 0)
{
if (debug)
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
if (server_init && ret == GNUTLS_E_REHANDSHAKE)
{
if (debug) success("Initiating rehandshake due to server request\n");
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
}
if (ret != 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
exit(1);
}
}
do {
ret = gnutls_record_send (session, MSG, strlen (MSG));
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
gnutls_bye (session, GNUTLS_SHUT_WR);
end:
close (fd);
gnutls_deinit (session);
gnutls_anon_free_client_credentials (anoncred);
gnutls_global_deinit ();
}
void dtls_client (char address[], int port, char message[])
{
int ret, sd;
gnutls_session_t session;
const char *err;
gnutls_certificate_credentials_t xcred;
// Certs
char *cafile = "./certs/cert.pem";
// Configure credentials and session
gnutls_certificate_allocate_credentials (&xcred);
gnutls_certificate_set_x509_trust_file (xcred, cafile, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
gnutls_init (&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0) Die (err);
/* put the x509 credentials to the current session */
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
// set up connection and properties
sd = udp_connect (address, port);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
gnutls_dtls_set_mtu (session, 1000);
gnutls_handshake_set_timeout (session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
// Start TLS handshake
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
// end of handshake
int j = 5; // send j messages
do
{
// Send and receive message
gnutls_record_send (session, message, strlen(message));
ret = gnutls_record_recv (session, message, MAX_MESSAGE_SIZE);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: %s\n", ret, message);
j--;
}
while(j>0);
/* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
* connections because the peer's closure message might
* be lost */
gnutls_bye (session, GNUTLS_SHUT_WR);
end:
udp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
return 0;
}
int
main (int argc, char **argv)
{
gpg_error_t err;
int rc;
parsed_uri_t uri;
uri_tuple_t r;
http_t hd;
int c;
http_session_t session = NULL;
gpgrt_init ();
log_set_prefix ("t-http", 1 | 4);
if (argc != 2)
{
fprintf (stderr, "usage: t-http uri\n");
return 1;
}
argc--;
argv++;
#ifdef HTTP_USE_GNUTLS
rc = gnutls_global_init ();
if (rc)
log_error ("gnutls_global_init failed: %s\n", gnutls_strerror (rc));
http_register_tls_callback (verify_callback);
http_register_tls_ca ("tls-ca.pem");
err = http_session_new (&session, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
/* rc = gnutls_dh_params_init(&dh_params); */
/* if (rc) */
/* log_error ("gnutls_dh_params_init failed: %s\n", gnutls_strerror (rc)); */
/* read_dh_params ("dh_param.pem"); */
/* rc = gnutls_certificate_set_x509_trust_file */
/* (certcred, "ca.pem", GNUTLS_X509_FMT_PEM); */
/* if (rc) */
/* log_error ("gnutls_certificate_set_x509_trust_file failed: %s\n", */
/* gnutls_strerror (rc)); */
/* gnutls_certificate_set_dh_params (certcred, dh_params); */
gnutls_global_set_log_function (my_gnutls_log);
/* gnutls_global_set_log_level (2); */
#endif /*HTTP_USE_GNUTLS*/
rc = http_parse_uri (&uri, *argv, 1);
if (rc)
{
log_error ("'%s': %s\n", *argv, gpg_strerror (rc));
return 1;
}
printf ("Scheme: %s\n", uri->scheme);
if (uri->opaque)
printf ("Value : %s\n", uri->path);
else
{
printf ("Auth : %s\n", uri->auth? uri->auth:"[none]");
printf ("Host : %s\n", uri->host);
printf ("Port : %u\n", uri->port);
printf ("Path : %s\n", uri->path);
for (r = uri->params; r; r = r->next)
{
printf ("Params: %s", r->name);
if (!r->no_value)
{
printf ("=%s", r->value);
if (strlen (r->value) != r->valuelen)
printf (" [real length=%d]", (int) r->valuelen);
}
putchar ('\n');
}
for (r = uri->query; r; r = r->next)
{
printf ("Query : %s", r->name);
if (!r->no_value)
{
printf ("=%s", r->value);
if (strlen (r->value) != r->valuelen)
printf (" [real length=%d]", (int) r->valuelen);
}
putchar ('\n');
}
}
http_release_parsed_uri (uri);
uri = NULL;
rc = http_open_document (&hd, *argv, NULL, 0, NULL, session, NULL, NULL);
if (rc)
{
log_error ("can't get '%s': %s\n", *argv, gpg_strerror (rc));
return 1;
}
log_info ("open_http_document succeeded; status=%u\n",
http_get_status_code (hd));
{
const char **names;
int i;
names = http_get_header_names (hd);
if (!names)
log_fatal ("http_get_header_names failed: %s\n",
gpg_strerror (gpg_error_from_syserror ()));
for (i = 0; names[i]; i++)
printf ("HDR: %s: %s\n", names[i], http_get_header (hd, names[i]));
xfree (names);
}
switch (http_get_status_code (hd))
{
case 200:
case 400:
case 401:
case 403:
case 404:
while ((c = es_getc (http_get_read_ptr (hd))) != EOF)
putchar (c);
break;
case 301:
case 302:
printf ("Redirected to '%s'\n", http_get_header (hd, "Location"));
break;
}
http_close (hd, 0);
http_session_release (session);
#ifdef HTTP_USE_GNUTLS
gnutls_global_deinit ();
#endif /*HTTP_USE_GNUTLS*/
return 0;
}
void
doit (void)
{
gnutls_x509_crt_t crt;
int ret;
gnutls_datum_t data;
unsigned int critical;
ret = gnutls_global_init ();
if (ret < 0)
{
fail ("gnutls_global_init\n");
exit (1);
}
ret = gnutls_x509_crt_init (&crt);
if (ret != 0)
{
fail ("gnutls_x509_crt_init\n");
exit (1);
}
ret = gnutls_x509_crt_import (crt, &cert_with_aia, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
fail ("gnutls_x509_crt_import\n");
exit (1);
}
/* test null input */
ret = gnutls_x509_crt_get_authority_info_access (NULL, 0, 0, NULL, NULL);
if (ret != GNUTLS_E_INVALID_REQUEST)
{
fail ("gnutls_x509_crt_get_authority_info_access null input\n");
exit (1);
}
/* test unused enum */
ret = gnutls_x509_crt_get_authority_info_access (crt, 0, 44, NULL, NULL);
if (ret != GNUTLS_E_INVALID_REQUEST)
{
fail ("gnutls_x509_crt_get_authority_info_access insane input\n");
exit (1);
}
/* test basic query with null output */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 0, GNUTLS_IA_ACCESSMETHOD_OID, NULL, NULL);
if (ret < 0)
{
fail ("gnutls_x509_crt_get_authority_info_access "
"GNUTLS_IA_ACCESSMETHOD_OID null output critical\n");
exit (1);
}
/* test same as previous but also check that critical flag is
correct */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 0, GNUTLS_IA_ACCESSMETHOD_OID, NULL, &critical);
if (ret < 0)
{
fail ("gnutls_x509_crt_get_authority_info_access "
"GNUTLS_IA_ACCESSMETHOD_OID null output\n");
exit (1);
}
if (critical != 0)
{
fail ("gnutls_x509_crt_get_authority_info_access "
"critical failed: %d\n", critical);
exit (1);
}
/* basic query of another type */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 0, GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, NULL, NULL);
if (ret < 0)
{
fail ("gnutls_x509_crt_get_authority_info_access "
"GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE null output\n");
exit (1);
}
/* basic query of another type, with out-of-bound sequence */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 1, GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, NULL, NULL);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
{
fail ("gnutls_x509_crt_get_authority_info_access "
"GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE out-of-bounds\n");
exit (1);
}
/* basic query and check output value */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 0, GNUTLS_IA_ACCESSMETHOD_OID, &data, NULL);
if (ret < 0)
{
fail ("gnutls_x509_crt_get_authority_info_access "
"GNUTLS_IA_ACCESSMETHOD_OID\n");
exit (1);
}
if (memcmp ("1.3.6.1.5.5.7.48.1", data.data, data.size) != 0)
{
fail ("memcmp OCSP OID failed\n");
exit (1);
}
gnutls_free (data.data);
/* basic query of another type and check output value */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 0, GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, &data, NULL);
if (ret < 0)
{
fail ("gnutls_x509_crt_get_authority_info_access "
"GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE\n");
exit (1);
}
if (memcmp ("uniformResourceIdentifier", data.data, data.size) != 0)
{
fail ("memcmp URI failed\n");
exit (1);
}
gnutls_free (data.data);
/* specific query */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 0, GNUTLS_IA_URI, &data, NULL);
if (ret < 0)
{
fail ("gnutls_x509_crt_get_authority_info_access GNUTLS_IA_URI\n");
exit (1);
}
if (memcmp ("https://ocsp.quovadisoffshore.com", data.data, data.size) != 0)
{
fail ("memcmp URI value failed\n");
exit (1);
}
gnutls_free (data.data);
/* even more specific query */
ret = gnutls_x509_crt_get_authority_info_access
(crt, 0, GNUTLS_IA_OCSP_URI, &data, NULL);
if (ret < 0)
{
fail ("gnutls_x509_crt_get_authority_info_access GNUTLS_IA_OCSP_URI\n");
exit (1);
}
if (memcmp ("https://ocsp.quovadisoffshore.com", data.data, data.size) != 0)
{
fail ("memcmp URI value failed\n");
exit (1);
}
gnutls_free (data.data);
gnutls_x509_crt_deinit (crt);
gnutls_global_deinit ();
}
void doit(void)
{
int exit_code = EXIT_SUCCESS;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(2);
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server,
"NORMAL:-CIPHER-ALL:+ARCFOUR-128",
NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
if (debug > 0) {
if (exit_code == 0)
puts("Self-test successful");
else
puts("Self-test failed");
}
}
static void server(int fd)
{
int ret;
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
ret = gnutls_certificate_set_x509_key_mem(xcred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
gnutls_init(&session, GNUTLS_SERVER);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret != GNUTLS_E_UNEXPECTED_EXTENSIONS_LENGTH) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake did not fail with GNUTLS_E_UNEXPECTED_EXTENSIONS_LENGTH (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
success("server: Handshake failed as expected\n");
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
void
doit (void)
{
gnutls_x509_privkey_t pkey;
gnutls_privkey_t abs_pkey;
gnutls_x509_crq_t crq;
size_t pkey_key_id_len;
unsigned char *pkey_key_id = NULL;
size_t crq_key_id_len;
unsigned char *crq_key_id = NULL;
gnutls_pk_algorithm_t algorithm;
int ret;
ret = gnutls_global_init ();
if (ret < 0)
fail ("gnutls_global_init: %d\n", ret);
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
for (algorithm = GNUTLS_PK_RSA; algorithm <= GNUTLS_PK_DSA; algorithm++)
{
ret = gnutls_x509_crq_init (&crq);
if (ret < 0)
fail ("gnutls_x509_crq_init: %d\n", ret);
ret = gnutls_x509_privkey_init (&pkey);
if (ret < 0)
{
fail ("gnutls_x509_privkey_init: %d\n", ret);
}
ret = gnutls_privkey_init (&abs_pkey);
if (ret < 0)
{
fail ("gnutls_privkey_init: %d\n", ret);
}
ret = gnutls_x509_privkey_generate (pkey, algorithm, 1024, 0);
if (ret < 0)
{
fail ("gnutls_x509_privkey_generate (rsa): %d\n", ret);
}
else if (debug)
{
success ("Key[%s] generation ok: %d\n",
gnutls_pk_algorithm_get_name (algorithm), ret);
}
pkey_key_id_len = 0;
ret = gnutls_x509_privkey_get_key_id (pkey, 0, pkey_key_id,
&pkey_key_id_len);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fail ("gnutls_x509_privkey_get_key_id incorrectly returns %d\n",
ret);
}
pkey_key_id = malloc (sizeof (unsigned char) * pkey_key_id_len);
ret = gnutls_x509_privkey_get_key_id (pkey, 0, pkey_key_id,
&pkey_key_id_len);
if (ret != GNUTLS_E_SUCCESS)
{
fail ("gnutls_x509_privkey_get_key_id incorrectly returns %d\n",
ret);
}
ret = gnutls_x509_crq_set_version (crq, 1);
if (ret < 0)
{
fail ("gnutls_x509_crq_set_version: %d\n", ret);
}
ret = gnutls_x509_crq_set_key (crq, pkey);
if (ret < 0)
{
fail ("gnutls_x509_crq_set_key: %d\n", ret);
}
ret = gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
0, "CN-Test", 7);
if (ret < 0)
{
fail ("gnutls_x509_crq_set_dn_by_oid: %d\n", ret);
}
ret = gnutls_privkey_import_x509( abs_pkey, pkey, 0);
if (ret < 0)
{
fail ("gnutls_privkey_import_x509: %d\n", ret);
}
ret = gnutls_x509_crq_privkey_sign (crq, abs_pkey, GNUTLS_DIG_SHA1, 0);
if (ret < 0)
{
fail ("gnutls_x509_crq_sign: %d\n", ret);
}
ret = gnutls_x509_crq_verify (crq, 0);
if (ret < 0)
{
fail ("gnutls_x509_crq_verify: %d\n", ret);
}
crq_key_id_len = 0;
ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fail ("gnutls_x509_crq_get_key_id incorrectly returns %d\n", ret);
}
crq_key_id = malloc (sizeof (unsigned char) * crq_key_id_len);
ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len);
if (ret != GNUTLS_E_SUCCESS)
{
fail ("gnutls_x509_crq_get_key_id incorrectly returns %d\n", ret);
}
if (crq_key_id_len == pkey_key_id_len)
{
ret = memcmp (crq_key_id, pkey_key_id, crq_key_id_len);
if (ret == 0)
{
if (debug)
success ("Key ids are identical. OK.\n");
}
else
{
fail ("Key ids differ incorrectly: %d\n", ret);
}
}
else
{
fail ("Key_id lengths differ incorrectly: %d - %d\n",
(int) crq_key_id_len, (int) pkey_key_id_len);
}
if (pkey_key_id)
{
free (pkey_key_id);
pkey_key_id = NULL;
}
if (crq_key_id)
{
free (crq_key_id);
crq_key_id = NULL;
}
gnutls_x509_crq_deinit (crq);
gnutls_x509_privkey_deinit (pkey);
gnutls_privkey_deinit (abs_pkey);
}
gnutls_global_deinit ();
}
static void
client (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_set_default_priority (session);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
if (debug)
success ("client: Handshake was completed\n");
}
if (debug)
success ("client: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
/* see the Getting peer's information example */
if (debug)
print_info (session);
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
goto end;
}
if (debug)
{
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
}
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
}
static void
server (void)
{
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_certificate_set_dh_params (x509_cred, dh_params);
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
if (debug)
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
return;
}
if (debug)
success ("server: Handshake was completed\n");
if (debug)
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
/* see the Getting peer's information example */
if (debug)
print_info (session);
i = 0;
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("server: Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
if (debug)
success ("server: finished\n");
}
static void start(struct test_st *test)
{
int ret;
/* Server stuff. */
gnutls_priority_t cache;
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
const char *ep;
int cret = GNUTLS_E_AGAIN;
if (test == NULL)
success("running gnutls_set_default_priority test\n");
else
success("running %s\n", test->name);
if (test && test->def_prio)
_gnutls_default_priority_string = test->def_prio;
else
_gnutls_default_priority_string = "NORMAL";
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0);
assert(gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
if (test == NULL) {
ret = gnutls_priority_init(&cache, NULL, NULL);
if (ret < 0)
fail("error: %s\n", gnutls_strerror(ret));
} else {
ret = gnutls_priority_init2(&cache, test->add_prio, &ep, GNUTLS_PRIORITY_INIT_DEF_APPEND);
if (ret < 0) {
if (test->exp_err == ret) {
if (strchr(_gnutls_default_priority_string, '@') != 0) {
if (ep != test->add_prio) {
fail("error expected error on start of string[%d]: %s\n",
test->err_pos, test->add_prio);
}
} else {
if (ep-test->add_prio != test->err_pos) {
fprintf(stderr, "diff: %d\n", (int)(ep-test->add_prio));
fail("error expected error on different position[%d]: %s\n",
test->err_pos, test->add_prio);
}
}
goto cleanup;
}
fail("error: %s\n", gnutls_strerror(ret));
}
}
gnutls_priority_set(server, cache);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
/* Init client */
ret = gnutls_certificate_allocate_credentials(&clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_set_default_priority(client);
if (ret < 0)
exit(1);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
/* check gnutls_certificate_get_ours() - client side */
{
const gnutls_datum_t *mcert;
mcert = gnutls_certificate_get_ours(client);
if (mcert != NULL) {
fail("gnutls_certificate_get_ours(): failed\n");
exit(1);
}
}
if (test && test->exp_vers != 0) {
if (test->exp_vers != gnutls_protocol_get_version(server)) {
fail("expected version %s, got %s\n",
gnutls_protocol_get_name(test->exp_vers),
gnutls_protocol_get_name(gnutls_protocol_get_version(server)));
}
}
/* check the number of certificates received */
{
unsigned cert_list_size = 0;
gnutls_typed_vdata_st data[2];
unsigned status;
memset(data, 0, sizeof(data));
data[0].type = GNUTLS_DT_DNS_HOSTNAME;
data[0].data = (void*)"localhost1";
data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
gnutls_certificate_get_peers(client, &cert_list_size);
if (cert_list_size < 2) {
fprintf(stderr, "received a certificate list of %d!\n", cert_list_size);
exit(1);
}
ret = gnutls_certificate_verify_peers(client, data, 2, &status);
if (ret < 0) {
fprintf(stderr, "could not verify certificate: %s\n", gnutls_strerror(ret));
exit(1);
}
if (status == 0) {
fprintf(stderr, "should not have accepted!\n");
exit(1);
}
data[0].type = GNUTLS_DT_DNS_HOSTNAME;
data[0].data = (void*)"localhost";
ret = gnutls_certificate_verify_peers(client, data, 2, &status);
if (ret < 0) {
fprintf(stderr, "could not verify certificate: %s\n", gnutls_strerror(ret));
exit(1);
}
if (status != 0) {
fprintf(stderr, "could not verify certificate: %.4x\n", status);
exit(1);
}
}
if (test && test->exp_etm) {
ret = gnutls_session_ext_master_secret_status(client);
if (ret != 1) {
fprintf(stderr, "Extended master secret wasn't negotiated by default (client ret: %d)\n", ret);
exit(1);
}
ret = gnutls_session_ext_master_secret_status(server);
if (ret != 1) {
fprintf(stderr, "Extended master secret wasn't negotiated by default (server ret: %d)\n", ret);
exit(1);
}
}
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_certificate_free_credentials(clientx509cred);
cleanup:
gnutls_priority_deinit(cache);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_global_deinit();
reset_buffers();
}
void
doit (void)
{
gnutls_x509_privkey_t key;
gnutls_x509_crt_t crt;
gnutls_pubkey_t pubkey;
gnutls_privkey_t privkey;
gnutls_digest_algorithm_t hash_algo;
gnutls_datum_t signature;
gnutls_datum_t signature2;
int ret;
size_t i;
gnutls_global_init ();
for (i = 0; i < sizeof (key_dat) / sizeof (key_dat[0]); i++)
{
if (debug)
success ("loop %d\n", (int) i);
ret = gnutls_x509_privkey_init (&key);
if (ret < 0)
fail ("gnutls_x509_privkey_init\n");
ret =
gnutls_x509_privkey_import (key, &key_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_privkey_import\n");
ret = gnutls_pubkey_init (&pubkey);
if (ret < 0)
fail ("gnutls_privkey_init\n");
ret = gnutls_privkey_init (&privkey);
if (ret < 0)
fail ("gnutls_pubkey_init\n");
ret = gnutls_privkey_import_x509 (privkey, key, 0);
if (ret < 0)
fail ("gnutls_privkey_import_x509\n");
ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA1, 0,
&hash_data, &signature2);
if (ret < 0)
fail ("gnutls_privkey_sign_hash\n");
ret = gnutls_privkey_sign_data (privkey, GNUTLS_DIG_SHA1, 0,
&raw_data, &signature);
if (ret < 0)
fail ("gnutls_x509_privkey_sign_hash\n");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
fail ("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_import (crt, &cert_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import\n");
ret =
gnutls_pubkey_import_x509 (pubkey, crt, 0);
if (ret < 0)
fail ("gnutls_x509_pubkey_import\n");
ret =
gnutls_pubkey_get_verify_algorithm (pubkey, &signature, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm\n");
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature);
if (ret < 0)
fail ("gnutls_x509_privkey_verify_hash\n");
ret =
gnutls_pubkey_get_verify_algorithm (pubkey, &signature2, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm (hashed data)\n");
ret = gnutls_pubkey_verify_hash (pubkey, 0, &hash_data, &signature2);
if (ret < 0)
fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
/* should fail */
ret = gnutls_pubkey_verify_hash (pubkey, 0, &invalid_hash_data, &signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
fail ("gnutls_x509_privkey_verify_hash (hashed data)\n");
gnutls_free(signature.data);
gnutls_free(signature2.data);
gnutls_x509_privkey_deinit (key);
gnutls_x509_crt_deinit (crt);
gnutls_privkey_deinit (privkey);
gnutls_pubkey_deinit (pubkey);
}
gnutls_global_deinit ();
}
int
main (int argc, char **argv)
{
int ret;
int ii, i, inp;
char buffer[MAX_BUF + 1];
char *session_data = NULL;
char *session_id = NULL;
size_t session_data_size;
size_t session_id_size = 0;
int user_term = 0, retval = 0;
socket_st hd;
ssize_t bytes;
set_program_name (argv[0]);
cmd_parser (argc, argv);
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (OPT_VALUE_DEBUG);
if ((ret = gnutls_global_init ()) < 0)
{
fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
exit (1);
}
#ifdef ENABLE_PKCS11
// pkcs11_common ();
#endif
if (hostname == NULL)
{
fprintf (stderr, "No hostname given\n");
exit (1);
}
sockets_init ();
init_global_tls_stuff ();
socket_open (&hd, hostname, service, udp);
hd.session = init_tls_session (hostname);
if (starttls)
goto after_handshake;
for (i = 0; i < 2; i++)
{
if (i == 1)
{
hd.session = init_tls_session (hostname);
gnutls_session_set_data (hd.session, session_data,
session_data_size);
free (session_data);
}
ret = do_handshake (&hd);
if (ret < 0)
{
fprintf (stderr, "*** Handshake has failed\n");
gnutls_perror (ret);
gnutls_deinit (hd.session);
return 1;
}
else
{
printf ("- Handshake was completed\n");
if (gnutls_session_is_resumed (hd.session) != 0)
printf ("*** This is a resumed session\n");
}
if (resume != 0 && i == 0)
{
gnutls_session_get_data (hd.session, NULL, &session_data_size);
session_data = malloc (session_data_size);
gnutls_session_get_data (hd.session, session_data,
&session_data_size);
gnutls_session_get_id (hd.session, NULL, &session_id_size);
session_id = malloc (session_id_size);
gnutls_session_get_id (hd.session, session_id, &session_id_size);
printf ("- Disconnecting\n");
socket_bye (&hd);
printf
("\n\n- Connecting again- trying to resume previous session\n");
socket_open (&hd, hostname, service, udp);
}
else
{
break;
}
}
after_handshake:
/* Warning! Do not touch this text string, it is used by external
programs to search for when gnutls-cli has reached this point. */
printf ("\n- Simple Client Mode:\n\n");
if (rehandshake)
{
ret = do_handshake (&hd);
if (ret < 0)
{
fprintf (stderr, "*** ReHandshake has failed\n");
gnutls_perror (ret);
gnutls_deinit (hd.session);
return 1;
}
else
{
printf ("- ReHandshake was completed\n");
}
}
#ifndef _WIN32
signal (SIGALRM, &starttls_alarm);
#endif
fflush (stdout);
fflush (stderr);
/* do not buffer */
#ifndef _WIN32
setbuf (stdin, NULL);
#endif
setbuf (stdout, NULL);
setbuf (stderr, NULL);
for (;;)
{
if (starttls_alarmed && !hd.secure)
{
/* Warning! Do not touch this text string, it is used by
external programs to search for when gnutls-cli has
reached this point. */
fprintf (stderr, "*** Starting TLS handshake\n");
ret = do_handshake (&hd);
if (ret < 0)
{
fprintf (stderr, "*** Handshake has failed\n");
user_term = 1;
retval = 1;
break;
}
}
inp = check_net_or_keyboard_input(&hd);
if (inp == IN_NET)
{
memset (buffer, 0, MAX_BUF + 1);
ret = socket_recv (&hd, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the GnuTLS connection\n");
break;
}
else if (handle_error (&hd, ret) < 0 && user_term == 0)
{
fprintf (stderr,
"*** Server has terminated the connection abnormally.\n");
retval = 1;
break;
}
else if (ret > 0)
{
if (verbose != 0)
printf ("- Received[%d]: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fflush (stdout);
}
if (user_term != 0)
break;
}
if (inp == IN_KEYBOARD)
{
if ((bytes = read (fileno (stdin), buffer, MAX_BUF - 1)) <= 0)
{
if (hd.secure == 0)
{
/* Warning! Do not touch this text string, it is
used by external programs to search for when
gnutls-cli has reached this point. */
fprintf (stderr, "*** Starting TLS handshake\n");
ret = do_handshake (&hd);
clearerr (stdin);
if (ret < 0)
{
fprintf (stderr, "*** Handshake has failed\n");
user_term = 1;
retval = 1;
break;
}
}
else
{
user_term = 1;
break;
}
continue;
}
buffer[bytes] = 0;
if (crlf != 0)
{
char *b = strchr (buffer, '\n');
if (b != NULL)
{
strcpy (b, "\r\n");
bytes++;
}
}
ret = socket_send (&hd, buffer, bytes);
if (ret > 0)
{
if (verbose != 0)
printf ("- Sent: %d bytes\n", ret);
}
else
handle_error (&hd, ret);
}
}
if (user_term != 0)
socket_bye (&hd);
else
gnutls_deinit (hd.session);
#ifdef ENABLE_SRP
if (srp_cred)
gnutls_srp_free_client_credentials (srp_cred);
#endif
#ifdef ENABLE_PSK
if (psk_cred)
gnutls_psk_free_client_credentials (psk_cred);
#endif
gnutls_certificate_free_credentials (xcred);
#ifdef ENABLE_ANON
gnutls_anon_free_client_credentials (anon_cred);
#endif
gnutls_global_deinit ();
return retval;
}
void doit(void)
{
gnutls_x509_privkey_t key;
gnutls_x509_crt_t crt;
gnutls_pubkey_t pubkey;
gnutls_privkey_t privkey;
gnutls_datum_t out, out2;
int ret;
size_t i;
global_init();
for (i = 0; i < sizeof(key_dat) / sizeof(key_dat[0]); i++) {
if (debug)
success("loop %d\n", (int) i);
ret = gnutls_x509_privkey_init(&key);
if (ret < 0)
fail("gnutls_x509_privkey_init\n");
ret =
gnutls_x509_privkey_import(key, &key_dat[i],
GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_privkey_import\n");
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0)
fail("gnutls_privkey_init\n");
ret = gnutls_privkey_init(&privkey);
if (ret < 0)
fail("gnutls_pubkey_init\n");
ret = gnutls_privkey_import_x509(privkey, key, 0);
if (ret < 0)
fail("gnutls_privkey_import_x509\n");
ret = gnutls_x509_crt_init(&crt);
if (ret < 0)
fail("gnutls_x509_crt_init\n");
ret =
gnutls_x509_crt_import(crt, &cert_dat[i],
GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import\n");
ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
if (ret < 0)
fail("gnutls_x509_pubkey_import\n");
ret =
gnutls_pubkey_encrypt_data(pubkey, 0, &hash_data,
&out);
if (ret < 0)
fail("gnutls_pubkey_encrypt_data\n");
ret = gnutls_privkey_decrypt_data(privkey, 0, &out, &out2);
if (ret < 0)
fail("gnutls_privkey_decrypt_data\n");
if (out2.size != hash_data.size)
fail("Decrypted data don't match original (1)\n");
if (memcmp(out2.data, hash_data.data, hash_data.size) != 0)
fail("Decrypted data don't match original (2)\n");
gnutls_free(out.data);
gnutls_free(out2.data);
ret =
gnutls_pubkey_encrypt_data(pubkey, 0, &raw_data, &out);
if (ret < 0)
fail("gnutls_pubkey_encrypt_data\n");
ret = gnutls_privkey_decrypt_data(privkey, 0, &out, &out2);
if (ret < 0)
fail("gnutls_privkey_decrypt_data\n");
if (out2.size != raw_data.size)
fail("Decrypted data don't match original (3)\n");
if (memcmp(out2.data, raw_data.data, raw_data.size) != 0)
fail("Decrypted data don't match original (4)\n");
if (debug)
success("ok\n");
gnutls_free(out.data);
gnutls_free(out2.data);
gnutls_x509_privkey_deinit(key);
gnutls_x509_crt_deinit(crt);
gnutls_privkey_deinit(privkey);
gnutls_pubkey_deinit(pubkey);
}
gnutls_global_deinit();
}
void tls_deinit(void *ssl_ctx)
{
tls_gnutls_ref_count--;
if (tls_gnutls_ref_count == 0)
gnutls_global_deinit();
}
static void client(int fd)
{
int ret;
unsigned int status;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
/* Need to enable anonymous KX specifically. */
gnutls_global_set_time_function(mytime);
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(7);
}
gnutls_certificate_allocate_credentials(&x509_cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CERTIFICATE_STATUS,
GNUTLS_HOOK_POST,
handshake_callback);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) {
/* success */
goto end;
}
if (ret < 0) {
fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
terminate();
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
if (received == 1) {
fail("client: received certificate status when we shouldn't.\n");
terminate();
}
ret = gnutls_certificate_verify_peers2(session, &status);
if (ret != GNUTLS_E_SUCCESS) {
fail("client: Peer certificate validation failed: %s\n", gnutls_strerror(ret));
terminate();
}
else {
if (status & GNUTLS_CERT_MISSING_OCSP_STATUS) {
success("client: Validation failed with GNUTLS_CERT_MISSING_OCSP_STATUS\n");
}
else {
fail("client: Validation status does not include GNUTLS_CERT_MISSING_OCSP_STATUS. Status is %d\n", status);
terminate();
}
}
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
int main(void)
{
int ret;
int sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
/* variables used in session resuming
*/
int t;
char *session_data = NULL;
size_t session_data_size = 0;
gnutls_global_init();
/* X509 stuff */
gnutls_certificate_allocate_credentials(&xcred);
gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
GNUTLS_X509_FMT_PEM);
for (t = 0; t < 2; t++) { /* connect 2 times to the server */
sd = tcp_connect();
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_priority_set_direct(session,
"PERFORMANCE:!ARCFOUR-128",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
xcred);
if (t > 0) {
/* if this is not the first time we connect */
gnutls_session_set_data(session, session_data,
session_data_size);
free(session_data);
}
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
printf("- Handshake was completed\n");
}
if (t == 0) { /* the first time we connect */
/* get the session data size */
gnutls_session_get_data(session, NULL,
&session_data_size);
session_data = malloc(session_data_size);
/* put session data to the session variable */
gnutls_session_get_data(session, session_data,
&session_data_size);
} else { /* the second time we connect */
/* check if we actually resumed the previous session */
if (gnutls_session_is_resumed(session) != 0) {
printf("- Previous session was resumed\n");
} else {
fprintf(stderr,
"*** Previous session was NOT resumed\n");
}
}
/* This function was defined in a previous example
*/
/* print_info(session); */
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n",
gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n",
gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
tcp_close(sd);
gnutls_deinit(session);
} /* for() */
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
return 0;
}
static void server(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
/* this must be called once in the program
*/
global_init();
memset(buffer, 0, sizeof(buffer));
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
/* failure is expected here */
goto end;
}
if (debug) {
success("server: Handshake was completed\n");
}
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int fd, const char *prio)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(7);
}
gnutls_anon_allocate_client_credentials(&anoncred);
gnutls_certificate_allocate_credentials(&x509_cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, prio, NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
do {
ret = gnutls_record_recv(session, buffer, MAX_BUF);
} while (ret == GNUTLS_E_AGAIN
|| ret == GNUTLS_E_INTERRUPTED);
} while (ret > 0);
if (ret == GNUTLS_E_PREMATURE_TERMINATION) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else {
fail("client: Unexpected error: %d (%s)\n", ret,
gnutls_strerror(ret));
exit(1);
}
end:
close(fd);
gnutls_deinit(session);
gnutls_anon_free_client_credentials(anoncred);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
void
doit (void)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char*) pkcs3, strlen (pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
int n, cret = GNUTLS_E_AGAIN;
/* Need to enable anonymous KX specifically. */
const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
char buffer[MAX_BUF + 1];
ssize_t ns;
int ret;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
/* Init server */
gnutls_anon_allocate_server_credentials (&s_anoncred);
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_set_default_priority (server);
gnutls_kx_set_priority (server, kx_prio);
gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits (server, 1024);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_set_default_priority (client);
gnutls_kx_set_priority (client, kx_prio);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
do
{
if (cret == GNUTLS_E_AGAIN)
{
success ("loop invoking client:\n");
cret = gnutls_handshake (client);
success ("client %d: %s\n", cret, gnutls_strerror (cret));
}
if (sret == GNUTLS_E_AGAIN)
{
success ("loop invoking server:\n");
sret = gnutls_handshake (server);
success ("server %d: %s\n", sret, gnutls_strerror (sret));
}
}
while (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN);
success ("Handshake established\n");
ns = gnutls_record_send (client, MSG, strlen (MSG));
success ("client: sent %d\n", ns);
ret = gnutls_record_recv (server, buffer, MAX_BUF);
if (ret == 0)
fail ("server: didn't receive any data\n");
else if (ret < 0)
fail ("server: error: %s\n", gnutls_strerror (ret));
else
{
printf ("server: received %d: ", ret);
for (n = 0; n < ret; n++)
fputc (buffer[n], stdout);
fputs ("\n", stdout);
}
ns = gnutls_record_send (server, MSG, strlen (MSG));
success ("server: sent %d\n", ns);
ret = gnutls_record_recv (client, buffer, MAX_BUF);
if (ret == 0)
{
fail ("client: Peer has closed the TLS connection\n");
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
}
else
{
printf ("client: received %d: ", ret);
for (n = 0; n < ret; n++)
fputc (buffer[n], stdout);
fputs ("\n", stdout);
}
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
free (to_server);
free (to_client);
gnutls_anon_free_client_credentials (c_anoncred);
gnutls_anon_free_server_credentials (s_anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
int main (int argc, char *argv[])
{
enum {
OPT_SERVER,
OPT_MUTLI_SERVER,
OPT_DAEMON,
OPT_VERBOSE,
OPT_QUIET,
OPT_SH,
OPT_CSH,
OPT_OPTIONS,
OPT_NO_DETACH,
OPT_LOG_FILE,
OPT_VERSION,
OPT_HELP
};
static struct option long_options[] = {
{ "server", no_argument, NULL, OPT_SERVER },
{ "multi-server", no_argument, NULL, OPT_MUTLI_SERVER },
{ "daemon", no_argument, NULL, OPT_DAEMON },
{ "verbose", no_argument, NULL, OPT_VERBOSE },
{ "quiet", no_argument, NULL, OPT_QUIET },
{ "sh", no_argument, NULL, OPT_SH },
{ "csh", no_argument, NULL, OPT_CSH },
{ "options", required_argument, NULL, OPT_OPTIONS },
{ "no-detach", no_argument, NULL, OPT_NO_DETACH },
{ "log-file", required_argument, NULL, OPT_LOG_FILE },
{ "version", no_argument, NULL, OPT_VERSION },
{ "help", no_argument, NULL, OPT_HELP },
{ NULL, 0, NULL, 0 }
};
int long_options_ret;
int base_argc = 1;
int usage_ok = 1;
enum {
RUN_MODE_NONE,
RUN_MODE_SERVER,
RUN_MODE_MULTI_SERVER,
RUN_MODE_DAEMON
} run_mode = RUN_MODE_NONE;
int env_is_csh = 0;
int log_verbose = 0;
int log_quiet = 0;
int no_detach = 0;
char *config_file = NULL;
char *log_file = NULL;
char *home_dir = NULL;
int have_at_least_one_provider=0;
FILE *fp_log = NULL;
int i;
CK_RV rv;
dconfig_data_t config;
const char * CONFIG_SUFFIX = ".conf";
char *default_config_file = NULL;
#if !defined(HAVE_W32_SYSTEM)
s_parent_pid = getpid ();
#endif
if ((default_config_file = (char *)malloc (strlen (PACKAGE)+strlen (CONFIG_SUFFIX)+1)) == NULL) {
common_log (LOG_FATAL, "malloc failed");
}
sprintf (default_config_file, "%s%s", PACKAGE, CONFIG_SUFFIX);
common_set_log_stream (stderr);
while ((long_options_ret = getopt_long (argc, argv, "vqsc", long_options, NULL)) != -1) {
base_argc++;
switch (long_options_ret) {
case OPT_SERVER:
run_mode = RUN_MODE_SERVER;
break;
case OPT_MUTLI_SERVER:
run_mode = RUN_MODE_MULTI_SERVER;
break;
case OPT_DAEMON:
run_mode = RUN_MODE_DAEMON;
break;
case OPT_VERBOSE:
case 'v':
log_verbose = 1;
break;
case OPT_QUIET:
case 'q':
log_quiet = 1;
break;
case OPT_SH:
case 's':
break;
case OPT_CSH:
case 'c':
env_is_csh = 1;
break;
case OPT_OPTIONS:
base_argc++;
config_file = strdup (optarg);
break;
case OPT_NO_DETACH:
no_detach = 1;
break;
case OPT_LOG_FILE:
base_argc++;
log_file = strdup (optarg);
break;
case OPT_VERSION:
printf (
"%s %s\n"
"\n"
"Copyright (c) 2006-2007 Zeljko Vrba <*****@*****.**>\n"
"Copyright (c) 2006-2011 Alon Bar-Lev <*****@*****.**>\n"
"\n"
"This is free software; see the source for copying conditions.\n"
"There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n",
PACKAGE,
PACKAGE_VERSION
);
exit (1);
break;
case OPT_HELP:
usage_ok = 0;
break;
default:
usage_ok = 0;
break;
}
}
if (base_argc < argc) {
if (!strcmp (argv[base_argc], "--")) {
base_argc++;
}
}
if (!usage_ok) {
usage (argv[0]);
}
if (run_mode == RUN_MODE_NONE) {
common_log (LOG_FATAL, "please use the option `--daemon' to run the program in the background");
}
#if defined(HAVE_W32_SYSTEM)
if (run_mode == RUN_MODE_DAEMON) {
common_log (LOG_FATAL, "daemon mode is not supported");
}
#endif
home_dir = get_home_dir ();
if (config_file == NULL) {
if ((config_file = (char *)malloc (strlen (home_dir) + strlen (default_config_file)+2)) == NULL) {
common_log (LOG_FATAL, "malloc failed");
}
sprintf (config_file, "%s%c%s", home_dir, CONFIG_PATH_SEPARATOR, default_config_file);
}
if (
!dconfig_read (config_file, &config) &&
!dconfig_read (CONFIG_SYSTEM_CONFIG, &config)
) {
common_log (LOG_FATAL, "Cannot open configuration file");
}
if (log_file != NULL) {
if (config.log_file != NULL) {
free (config.log_file);
}
if ((config.log_file = strdup (log_file)) == NULL) {
common_log (LOG_FATAL, "strdup failed");
}
}
if (log_verbose) {
config.verbose = 1;
}
#if !defined(HAVE_W32_SYSTEM)
signal (SIGPIPE, SIG_IGN);
signal (SIGINT, on_signal);
signal (SIGTERM, on_signal);
signal (SIGABRT, on_signal);
signal (SIGHUP, on_signal);
#endif
if (log_file != NULL) {
if (strcmp (log_file, "stderr")) {
if ((fp_log = fopen (log_file, "a")) != NULL) {
common_set_log_stream (fp_log);
}
}
}
else if (config.log_file != NULL) {
if (strcmp (config.log_file, "stderr")) {
if ((fp_log = fopen (config.log_file, "a")) != NULL) {
common_set_log_stream (fp_log);
}
}
}
if (config.debug) {
common_log (LOG_DEBUG, "version: %s", PACKAGE_VERSION);
dconfig_print (&config);
common_log (LOG_DEBUG, "run_mode: %d", run_mode);
common_log (LOG_DEBUG, "crypto: %s",
#if defined(ENABLE_OPENSSL)
"openssl"
#elif defined(ENABLE_GNUTLS)
"gnutls"
#else
"invalid"
#endif
);
}
#if !defined(HAVE_W32_SYSTEM)
if (run_mode == RUN_MODE_DAEMON || run_mode == RUN_MODE_MULTI_SERVER) {
server_socket_create_name ();
}
/*
* fork before doing PKCS#11 stuff
* some providers don't behave well
*/
if (run_mode == RUN_MODE_DAEMON) {
pid_t pid;
pid = fork ();
if (pid == -1) {
common_log (LOG_FATAL, "fork failed");
}
if (pid != 0) {
static const char *key = "SCDAEMON_INFO";
char env[1024];
snprintf (env, sizeof (env), "%s:%lu:1", s_socket_name, (unsigned long)pid);
if (argc - base_argc > 0) {
setenv(key, env, 1);
execvp (argv[base_argc], &(argv[base_argc]));
kill (pid, SIGTERM);
exit (1);
}
else {
if (env_is_csh) {
*strchr (env, '=') = ' ';
printf ("setenv %s %s\n", key, env);
}
else {
printf ("%s=%s; export %s\n", key, env, key);
}
exit (0);
}
}
if (!no_detach) {
int i;
for (i=0;i<3;i++) {
if (fileno (common_get_log_stream ()) != i) {
close (i);
}
}
if (setsid () == -1) {
common_log (LOG_FATAL, "setsid failed");
}
}
if (chdir ("/") == -1) {
common_log (LOG_FATAL, "chdir failed");
}
if (argc - base_argc > 0) {
struct sigaction sa;
memset (&sa, 0, sizeof (sa));
sigemptyset (&sa.sa_mask);
#if defined(SA_INTERRUPT)
sa.sa_flags |= SA_INTERRUPT;
#endif
sa.sa_handler = on_alarm;
sigaction (SIGALRM, &sa, NULL);
alarm (10);
}
}
#endif /* HAVE_W32_SYSTEM */
assuan_set_assuan_log_prefix (PACKAGE);
assuan_set_assuan_log_stream (common_get_log_stream ());
#if defined(USE_GNUTLS)
if (gnutls_global_init () != GNUTLS_E_SUCCESS) {
common_log (LOG_FATAL, "Cannot initialize gnutls");
}
#endif
if ((rv = pkcs11h_initialize ()) != CKR_OK) {
common_log (LOG_FATAL, "Cannot initialize PKCS#11: %s", pkcs11h_getMessage (rv));
}
pkcs11h_setLogLevel (config.verbose ? PKCS11H_LOG_DEBUG2 : PKCS11H_LOG_INFO);
pkcs11h_setLogHook (pkcs11_log_hook, NULL);
pkcs11h_setTokenPromptHook (pkcs11_token_prompt_hook, NULL);
pkcs11h_setPINPromptHook (pkcs11_pin_prompt_hook, NULL);
pkcs11h_setProtectedAuthentication (TRUE);
for (i=0;i<DCONFIG_MAX_PROVIDERS;i++) {
if (
config.providers[i].name != NULL &&
config.providers[i].library != NULL
) {
if (
(rv = pkcs11h_addProvider (
config.providers[i].name,
config.providers[i].library,
config.providers[i].allow_protected,
config.providers[i].private_mask,
PKCS11H_SLOTEVENT_METHOD_POLL,
0,
config.providers[i].cert_is_private
)) != CKR_OK
) {
common_log (LOG_WARNING, "Cannot add PKCS#11 provider '%s': %ld-'%s'", config.providers[i].name, rv, pkcs11h_getMessage (rv));
}
else {
have_at_least_one_provider = 1;
}
}
}
if (!have_at_least_one_provider) {
common_log (LOG_FATAL, "Could not load any provider");
}
#if defined(HAVE_W32_SYSTEM)
command_handler (-1, &config);
#else
{
pthread_t accept_thread = 0;
int accept_socket = -1;
if (run_mode == RUN_MODE_DAEMON || run_mode == RUN_MODE_MULTI_SERVER) {
accept_socket = server_socket_create ();
server_socket_accept (accept_socket, &accept_thread, &config);
}
if (run_mode == RUN_MODE_DAEMON) {
/*
* Emulate assuan behavior
*/
int fds[2];
char c;
if (pipe (fds)==-1) {
common_log (LOG_FATAL, "Could not create pipe");
}
close (0);
dup2 (fds[0], 0);
close (fds[0]);
while (read (0, &c, 1) == -1 && errno == EINTR);
close (fds[1]);
}
else {
command_handler (-1, &config);
}
if (run_mode == RUN_MODE_DAEMON || run_mode == RUN_MODE_MULTI_SERVER) {
server_socket_accept_terminate (accept_thread);
server_socket_close (accept_socket);
}
}
#endif
pkcs11h_terminate ();
#if defined(USE_GNUTLS)
gnutls_global_deinit ();
#endif
dconfig_free (&config);
if (log_file != NULL) {
free (log_file);
log_file = NULL;
}
if (config_file != NULL) {
free (config_file);
config_file = NULL;
}
if (default_config_file != NULL) {
free (default_config_file);
default_config_file = NULL;
}
if (home_dir != NULL) {
free (home_dir);
home_dir = NULL;
}
if (fp_log != NULL) {
fclose (fp_log);
fp_log = NULL;
}
return 0;
}
int Curl_gtls_cleanup(void)
{
if (gtls_inited)
gnutls_global_deinit();
return 1;
}
static void client(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t clientx509cred;
gnutls_anon_client_credentials_t anoncred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
assert(gnutls_anon_allocate_client_credentials(&anoncred) >= 0);
assert(gnutls_certificate_allocate_credentials(&clientx509cred) >= 0);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, MTU);
assert(gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL) >= 0);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, clientx509cred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
gnutls_dtls_set_timeouts(session, 2000, 30 * 1000);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* update priorities to allow cert auth */
assert(gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ECDHE-RSA:+CURVE-ALL",
NULL) >= 0);
do {
ret = gnutls_record_recv(session, buffer, MAX_BUF);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret == 0) {
if (debug)
success("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
if (ret == GNUTLS_E_REHANDSHAKE) {
if (debug)
success
("Initiating rehandshake due to server request\n");
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
}
if (ret != 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
exit(1);
}
}
do {
ret = gnutls_record_send(session, MSG, strlen(MSG));
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_anon_free_client_credentials(anoncred);
gnutls_global_deinit();
}
int main (int argc, char **argv) {
/* init gtk for notifications */
gtk_init(&argc, &argv);
notify_init("pianobar");
static BarApp_t app;
/* terminal attributes _before_ we started messing around with ~ECHO */
struct termios termOrig;
memset (&app, 0, sizeof (app));
/* save terminal attributes, before disabling echoing */
BarTermSave (&termOrig);
BarTermSetEcho (0);
BarTermSetBuffer (0);
/* init some things */
ao_initialize ();
gnutls_global_init ();
PianoInit (&app.ph);
BarSettingsInit (&app.settings);
BarSettingsRead (&app.settings);
BarUiMsg (&app.settings, MSG_NONE,
"Welcome to " PACKAGE " (" VERSION ")! ");
if (app.settings.keys[BAR_KS_HELP] == BAR_KS_DISABLED) {
BarUiMsg (&app.settings, MSG_NONE, "\n");
} else {
BarUiMsg (&app.settings, MSG_NONE,
"Press %c for a list of commands.\n",
app.settings.keys[BAR_KS_HELP]);
}
WaitressInit (&app.waith);
app.waith.url.host = strdup (PIANO_RPC_HOST);
app.waith.url.tls = true;
app.waith.tlsFingerprint = app.settings.tlsFingerprint;
/* init fds */
FD_ZERO(&app.input.set);
app.input.fds[0] = STDIN_FILENO;
FD_SET(app.input.fds[0], &app.input.set);
/* open fifo read/write so it won't EOF if nobody writes to it */
assert (sizeof (app.input.fds) / sizeof (*app.input.fds) >= 2);
app.input.fds[1] = open (app.settings.fifo, O_RDWR);
if (app.input.fds[1] != -1) {
FD_SET(app.input.fds[1], &app.input.set);
BarUiMsg (&app.settings, MSG_INFO, "Control fifo at %s opened\n",
app.settings.fifo);
}
app.input.maxfd = app.input.fds[0] > app.input.fds[1] ? app.input.fds[0] :
app.input.fds[1];
++app.input.maxfd;
BarMainLoop (&app);
if (app.input.fds[1] != -1) {
close (app.input.fds[1]);
}
PianoDestroy (&app.ph);
PianoDestroyPlaylist (app.songHistory);
PianoDestroyPlaylist (app.playlist);
WaitressFree (&app.waith);
ao_shutdown();
gnutls_global_deinit ();
BarSettingsDestroy (&app.settings);
/* restore terminal attributes, zsh doesn't need this, bash does... */
BarTermRestore (&termOrig);
return 0;
}
static void server(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t serverx509cred;
gnutls_anon_server_credentials_t anoncred;
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
assert(gnutls_anon_allocate_server_credentials(&anoncred) >= 0);
assert(gnutls_certificate_allocate_credentials(&serverx509cred) >= 0);
assert(gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM) >= 0);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, MTU);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
assert(gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ECDHE-RSA:+ANON-ECDH:+CURVE-ALL",
NULL) >= 0);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, serverx509cred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
if (gnutls_kx_get(session) != GNUTLS_KX_ANON_ECDH) {
fail("did not negotiate an anonymous ciphersuite on initial auth\n");
}
/* see the Getting peer's information example */
/* print_info(session); */
if (debug)
success("server: Sending dummy packet\n");
ret = gnutls_rehandshake(session);
if (ret < 0) {
fail("gnutls_rehandshake: %s\n", gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Initiating rehandshake\n");
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("server: 2nd gnutls_handshake: %s\n",
gnutls_strerror(ret));
terminate();
}
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
do {
ret = gnutls_record_recv(session, buffer, MAX_BUF);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%s). Closing...\n", gnutls_strerror(ret));
terminate();
} else if (ret > 0) {
/* echo data back to the client
*/
do {
ret =
gnutls_record_send(session, buffer,
strlen(buffer));
} while (ret == GNUTLS_E_AGAIN
|| ret == GNUTLS_E_INTERRUPTED);
}
}
if (gnutls_kx_get(session) != GNUTLS_KX_ECDHE_RSA) {
fail("did not negotiate a certificate ciphersuite on second auth\n");
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
int
main (void)
{
int err, listen_sd, i;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
gnutls_session_t session;
char buffer[MAX_BUF + 1];
int optval = 1;
/* to disallow usage of the blocking /dev/random
*/
gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE,
GNUTLS_X509_FMT_PEM);
generate_dh_params ();
gnutls_priority_init (&priority_cache, "NORMAL", NULL);
gnutls_certificate_set_dh_params (x509_cred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
SOCKET_ERR (listen_sd, "socket");
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
SOCKET_ERR (err, "bind");
err = listen (listen_sd, 1024);
SOCKET_ERR (err, "listen");
printf ("Server ready. Listening to port '%d'.\n\n", PORT);
client_len = sizeof (sa_cli);
for (;;)
{
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
printf ("- connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
continue;
}
printf ("- Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
i = 0;
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("\n- Peer has closed the GNUTLS connection\n");
break;
}
else if (ret < 0)
{
fprintf (stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
printf ("\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_priority_deinit (priority_cache);
gnutls_global_deinit ();
return 0;
}
void
doit (void)
{
gnutls_certificate_credentials_t x509cred;
const char *file, *password;
int ret;
ret = gnutls_global_init ();
if (ret < 0)
fail ("gnutls_global_init failed %d\n", ret);
ret = gnutls_certificate_allocate_credentials (&x509cred);
if (ret < 0)
fail ("gnutls_certificate_allocate_credentials failed %d\n", ret);
file = getenv ("PKCS12FILE");
password = getenv ("PKCS12PASSWORD");
if (!file)
file = "pkcs12-decode/client.p12";
if (!password)
password = "******";
success ("Reading PKCS#12 blob from `%s' using password `%s'.\n",
file, password);
ret = gnutls_certificate_set_x509_simple_pkcs12_file (x509cred,
file,
GNUTLS_X509_FMT_DER,
password);
if (ret < 0)
fail ("x509_pkcs12 failed %d: %s\n", ret, gnutls_strerror (ret));
success ("Read file OK\n");
gnutls_certificate_free_credentials (x509cred);
/* try now if we can read correctly from a pkcs12 file that
* contains two certificates (one unrelated with key)
*/
ret = gnutls_certificate_allocate_credentials (&x509cred);
if (ret < 0)
fail ("gnutls_certificate_allocate_credentials failed %d\n", ret);
file = getenv ("PKCS12FILE_2");
password = getenv ("PKCS12PASSWORD_2");
if (!file)
file = "pkcs12-decode/pkcs12_2certs.p12";
if (!password)
password = "";
success ("Reading PKCS#12 blob from `%s' using password `%s'.\n",
file, password);
ret = gnutls_certificate_set_x509_simple_pkcs12_file (x509cred,
file,
GNUTLS_X509_FMT_DER,
password);
if (ret < 0)
fail ("x509_pkcs12 failed %d: %s\n", ret, gnutls_strerror (ret));
success ("Read file OK\n");
gnutls_certificate_free_credentials (x509cred);
gnutls_global_deinit ();
}
void dtls_server (int port)
{
int listen_sd;
int sock, ret;
struct sockaddr_in sa_serv;
char buffer[MAX_MESSAGE_SIZE];
int mtu = 1400;
unsigned char sequence[8];
gnutls_datum_t cookie_key; // Should this be regenerated for each incoming conn?
// Certs
char *cafile = "./certs/cert.pem";
char *crlfile = "./certs/crl.pem";
char *certfile = "./certs/cert.pem";
char *keyfile = "./certs/key.pem";
// Configure credentials and session
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, cafile, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, crlfile, GNUTLS_X509_FMT_PEM);
ret = gnutls_certificate_set_x509_key_file (x509_cred, certfile, keyfile,
GNUTLS_X509_FMT_PEM);
if (ret < 0) Die("No keys or certs were found");
// Set some crypto params and other stuff
generate_dh_params (); // Diffie-Hellman
gnutls_priority_init (&priority_cache,
"PERFORMANCE:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE",
NULL);
gnutls_key_generate (&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_DGRAM, 0);
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (port);
/* DTLS requires the IP don't fragment (DF) bit to be set */
#if defined(IP_DONTFRAG)
int optval = 1;
setsockopt (listen_sd, IPPROTO_IP, IP_DONTFRAG,
(const void *) &optval, sizeof (optval));
#elif defined(IP_MTU_DISCOVER)
int optval = IP_PMTUDISC_DO;
setsockopt(listen_sd, IPPROTO_IP, IP_MTU_DISCOVER,
(const void*) &optval, sizeof (optval));
#endif
bind (listen_sd, (struct sockaddr *) &sa_serv, sizeof (sa_serv));
printf ("UDP server ready. Listening to port '%d'.\n\n", port);
for (;;)
{
printf ("Waiting for connection...\n");
sock = wait_for_connection (listen_sd);
if (sock < 0) continue;
// Someone is accepting a connection, get data structures ready
priv_data_st priv;
gnutls_dtls_prestate_st prestate;
gnutls_session_t session;
struct sockaddr_in cli_addr;
socklen_t cli_addr_size;
cli_addr_size = sizeof (cli_addr);
ret = recvfrom (sock, buffer, sizeof (buffer), MSG_PEEK,
(struct sockaddr *) &cli_addr, &cli_addr_size);
if (ret > 0)
{
memset (&prestate, 0, sizeof (prestate));
ret = gnutls_dtls_cookie_verify (&cookie_key, &cli_addr,
sizeof (cli_addr), buffer, ret,
&prestate);
if (ret < 0) /* cookie not valid */
{
priv_data_st s;
memset (&s, 0, sizeof (s));
s.fd = sock;
s.cli_addr = (void *) &cli_addr;
s.cli_addr_size = sizeof (cli_addr);
printf ("Sending hello verify request to %s\n",
human_addr ((struct sockaddr *) &cli_addr,
sizeof (cli_addr), buffer,
sizeof (buffer)));
gnutls_dtls_cookie_send (&cookie_key, &cli_addr,
sizeof (cli_addr), &prestate,
(gnutls_transport_ptr_t) & s,
push_func);
/* discard peeked data */
recvfrom (sock, buffer, sizeof (buffer), 0,
(struct sockaddr *) &cli_addr, &cli_addr_size);
usleep (100);
continue;
}
printf ("Accepted connection from %s\n",
human_addr ((struct sockaddr *)
&cli_addr, sizeof (cli_addr), buffer,
sizeof (buffer)));
}
else
continue;
session = initialize_tls_session ();
gnutls_dtls_prestate_set (session, &prestate);
gnutls_dtls_set_mtu (session, mtu);
priv.session = session;
priv.fd = sock;
priv.cli_addr = (struct sockaddr *) &cli_addr;
priv.cli_addr_size = sizeof (cli_addr);
gnutls_transport_set_ptr (session, &priv);
gnutls_transport_set_push_function (session, push_func);
gnutls_transport_set_pull_function (session, pull_func);
gnutls_transport_set_pull_timeout_function (session, pull_timeout_func);
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
fprintf (stderr, "Error in handshake(): %s\n",
gnutls_strerror (ret));
gnutls_deinit (session);
continue;
}
printf ("- Handshake was completed\n");
for (;;)
{
do
{
ret = gnutls_record_recv_seq (session, buffer, MAX_MESSAGE_SIZE,
sequence);
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0)
{
fprintf (stderr, "Error in recv(): %s\n",
gnutls_strerror (ret));
break;
}
if (ret == 0)
{
printf ("EOF\n\n");
break;
}
buffer[ret] = 0;
printf ("received[%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x]: %s\n",
sequence[0], sequence[1], sequence[2], sequence[3],
sequence[4], sequence[5], sequence[6], sequence[7], buffer);
/* reply back */
ret = gnutls_record_send (session, buffer, ret);
if (ret < 0)
{
fprintf (stderr, "Error in send(): %s\n",
gnutls_strerror (ret));
break;
}
}
gnutls_bye (session, GNUTLS_SHUT_WR);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_priority_deinit (priority_cache);
gnutls_global_deinit ();
}
int
main (int argc, char *argv[])
{
int debug_level = argc - 1;
int exit_code = EXIT_SUCCESS;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug_level);
/* Init server */
gnutls_certificate_allocate_credentials (&serverx509cred);
gnutls_certificate_set_x509_key_mem (serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
gnutls_priority_set_direct (server, "NORMAL", NULL);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
/* Init client */
gnutls_certificate_allocate_credentials (&clientx509cred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
gnutls_priority_set_direct (client, "NORMAL", NULL);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
/* Check that initially no session use the extension. */
if (gnutls_safe_renegotiation_status (server)
|| gnutls_safe_renegotiation_status (client))
{
puts ("Client or server using extension before handshake?");
abort ();
}
do
{
static int max_iter = 0;
if (max_iter++ > 10)
abort ();
if (cret == GNUTLS_E_AGAIN)
{
cret = gnutls_handshake (client);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_handshake (client)...\n");
tls_log_func (0, gnutls_strerror (cret));
tls_log_func (0, "\n");
}
}
if (sret == GNUTLS_E_AGAIN)
{
sret = gnutls_handshake (server);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_handshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
}
}
while (
/* Not done: */
!(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
/* No error: */
&& (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
exit_code = EXIT_FAILURE;
/* Check that both sessions use the extension. */
if (!gnutls_safe_renegotiation_status (server)
|| !gnutls_safe_renegotiation_status (client))
{
puts ("Client or server not using safe renegotiation extension?");
abort ();
}
sret = gnutls_rehandshake (server);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
cret = GNUTLS_E_AGAIN;
sret = GNUTLS_E_AGAIN;
do
{
static int max_iter = 0;
if (max_iter++ > 10)
abort ();
if (cret == GNUTLS_E_AGAIN)
{
cret = gnutls_handshake (client);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (client)...\n");
tls_log_func (0, gnutls_strerror (cret));
tls_log_func (0, "\n");
}
}
if (sret == GNUTLS_E_AGAIN)
{
sret = gnutls_handshake (server);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
}
}
while (
/* Not done: */
!(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
/* No error: */
&& (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
exit_code = 1;
/* Check that session still use the extension. */
if (!gnutls_safe_renegotiation_status (server)
|| !gnutls_safe_renegotiation_status (client))
{
puts ("Client or server not using safe renegotiation extension?");
abort ();
}
/* Check that this API does not affect anything after first
handshake.
gnutls_safe_negotiation_set_initial (server, 0); */
sret = gnutls_rehandshake (server);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
cret = GNUTLS_E_AGAIN;
sret = GNUTLS_E_AGAIN;
do
{
static int max_iter = 0;
if (max_iter++ > 10)
abort ();
if (cret == GNUTLS_E_AGAIN)
{
cret = gnutls_handshake (client);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (client)...\n");
tls_log_func (0, gnutls_strerror (cret));
tls_log_func (0, "\n");
}
}
if (sret == GNUTLS_E_AGAIN)
{
sret = gnutls_handshake (server);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
}
}
while (
/* Not done: */
!(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
/* No error: */
&& (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
exit_code = 1;
/* Check that disabling the extension will break rehandshakes.
gnutls_safe_renegotiation_set (client, 0); */
sret = gnutls_rehandshake (server);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
cret = GNUTLS_E_AGAIN;
sret = GNUTLS_E_AGAIN;
do
{
static int max_iter = 0;
if (max_iter++ > 10)
abort ();
if (cret == GNUTLS_E_AGAIN)
{
cret = gnutls_handshake (client);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (client)...\n");
tls_log_func (0, gnutls_strerror (cret));
tls_log_func (0, "\n");
}
}
if (sret == GNUTLS_E_AGAIN)
{
sret = gnutls_handshake (server);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
}
}
while (
/* Not done: */
!(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
/* No error: */
&& (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
exit_code = 1;
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
free (to_server);
free (to_client);
gnutls_certificate_free_credentials (serverx509cred);
gnutls_global_deinit ();
if (debug_level > 0)
{
if (exit_code == 0)
puts ("Self-test successful");
else
puts ("Self-test failed");
}
return exit_code;
}
void doit(void)
{
int ret;
gnutls_certificate_credentials_t xcred;
gnutls_certificate_credentials_t clicred;
const char *certfile = "does-not-exist.pem";
gnutls_datum_t tcert;
FILE *fp;
if (gnutls_fips140_mode_enabled()) {
exit(77);
}
global_init();
assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
/* this will fail */
ret = gnutls_certificate_set_x509_simple_pkcs12_file(xcred, certfile,
GNUTLS_X509_FMT_PEM, "1234");
if (ret != GNUTLS_E_FILE_ERROR)
fail("gnutls_certificate_set_x509_simple_pkcs12_file failed: %s\n", gnutls_strerror(ret));
gnutls_certificate_free_credentials(xcred);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
certfile = get_tmpname(NULL);
fp = fopen(certfile, "w");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(server_ca3_pkcs12_pem, 1, strlen((char*)server_ca3_pkcs12_pem), fp)>0);
fclose(fp);
ret = gnutls_certificate_set_x509_simple_pkcs12_file(xcred, certfile,
GNUTLS_X509_FMT_PEM, "1234");
if (ret < 0)
fail("gnutls_certificate_set_x509_simple_pkcs12_file failed: %s\n", gnutls_strerror(ret));
/* verify whether the stored certificate match the ones we have */
ret = gnutls_certificate_get_crt_raw(xcred, 0, 0, &tcert);
if (ret < 0) {
fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
exit(1);
}
compare(&tcert, server_localhost_ca3_cert_pem);
remove(certfile);
test_cli_serv(xcred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */
gnutls_certificate_free_credentials(xcred);
gnutls_certificate_free_credentials(clicred);
gnutls_global_deinit();
}
static void
server (int fd, int server_init)
{
int ret;
char buffer[MAX_BUF + 1];
/* this must be called once in the program
*/
global_init ();
if (debug)
{
gnutls_global_set_log_function (server_log_func);
gnutls_global_set_log_level (4711);
}
gnutls_anon_allocate_server_credentials (&anoncred);
session = initialize_tls_session ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
gnutls_transport_set_push_function (session, push);
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0)
{
close (fd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
terminate();
}
if (debug)
success ("server: Handshake was completed\n");
if (debug)
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
/* see the Getting peer's information example */
/* print_info(session); */
if (server_init)
{
if (debug) success("server: Sending dummy packet\n");
ret = gnutls_rehandshake(session);
if (ret < 0)
{
fail ("gnutls_rehandshake: %s\n", gnutls_strerror(ret));
terminate();
}
if (debug) success("server: Initiating rehandshake\n");
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0)
{
fail ("server: 2nd gnutls_handshake: %s\n", gnutls_strerror(ret));
terminate();
}
}
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
do {
ret = gnutls_record_recv (session, buffer, MAX_BUF);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret == 0)
{
if (debug)
success ("server: Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
if (!server_init && ret == GNUTLS_E_REHANDSHAKE)
{
if (debug) success("Initiating rehandshake due to client request\n");
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret == 0) break;
}
fail ("server: Received corrupted data(%s). Closing...\n", gnutls_strerror(ret));
terminate();
}
else if (ret > 0)
{
/* echo data back to the client
*/
do {
ret = gnutls_record_send (session, buffer, strlen (buffer));
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (fd);
gnutls_deinit (session);
gnutls_anon_free_server_credentials (anoncred);
gnutls_global_deinit ();
if (debug)
success ("server: finished\n");
}
