static void server(int fd, int packet)
{
int ret;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
session = initialize_tls_session();
counter = 0;
packet_to_lose = packet;
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
gnutls_deinit(session);
gnutls_global_deinit();
if (ret < 0) {
return;
}
}
extern int xlibgnutls_tls_handshake(gnutls_session_t *session, int tcp_sd, unsigned verbose_level) {
int ret, ii;
/* Need to enable anonymous KX specifically. */
gnutls_global_init();
gnutls_anon_allocate_client_credentials(&anoncred);
gnutls_init(session, GNUTLS_CLIENT);
gnutls_priority_set_direct(*session, "NORMAL:+ANON-ECDH:+ANON-DH", NULL);
gnutls_credentials_set(*session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(*session, tcp_sd);
gnutls_handshake_set_timeout(*session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
do {
ret = gnutls_handshake(*session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
print_error("handshake failed");
gnutls_perror(ret);
} else {
char *desc;
desc = gnutls_session_get_desc(*session);
print_info("- Session info: %s\n", desc);
gnutls_free(desc);
}
return ret;
}
static void client(int fd, int packet)
{
int ret;
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_client_credentials(&anoncred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
counter = 0;
packet_to_lose = packet;
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
gnutls_deinit(session);
gnutls_global_deinit();
if (ret < 0) {
if (ret == GNUTLS_E_TIMEDOUT)
return;
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
exit(1);
}
static void server(int sd)
{
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
int ret;
unsigned loops;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success("Launched, generating DH parameters...\n");
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, sd);
loops = 0;
do {
ret = gnutls_handshake(session);
loops++;
if (loops > 64)
fail("Too many loops in the handshake!\n");
} while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_WARNING_ALERT_RECEIVED);
if (ret >= 0) {
fail("server: Handshake succeeded unexpectedly\n");
}
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int fd)
{
int ret;
gnutls_anon_client_credentials_t anoncred;
gnutls_session_t session;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_client_credentials(&anoncred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
success("client: Handshake failed as expected\n");
gnutls_perror(ret);
goto exit;
} else {
fail("client: Handshake completed unexpectedly\n");
goto exit;
}
exit:
gnutls_deinit(session);
gnutls_anon_free_client_credentials(anoncred);
gnutls_global_deinit();
}
void TLSTransaction::init (TLSServer& server)
{
gnutls_init (&_session, GNUTLS_SERVER);
gnutls_priority_set (_session, server._priorities);
gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, server._credentials);
// Require client certificate.
gnutls_certificate_server_set_request (_session, GNUTLS_CERT_REQUIRE);
/*
// Set maximum compatibility mode. This is only suggested on public
// webservers that need to trade security for compatibility
gnutls_session_enable_compatibility_mode (_session);
*/
struct sockaddr_in sa_cli = {0};
socklen_t client_len = sizeof sa_cli;
do
{
_socket = accept (server._socket, (struct sockaddr *) &sa_cli, &client_len);
}
while (errno == EINTR);
if (_socket < 0)
throw std::string (::strerror (errno));
// Obtain client info.
char topbuf[512];
_address = inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf));
_port = ntohs (sa_cli.sin_port);
if (_debug)
std::cout << "s: INFO connection from "
<< _address
<< " port "
<< _port
<< "\n";
#if GNUTLS_VERSION_NUMBER >= 0x030109
gnutls_transport_set_int (_session, _socket);
#else
gnutls_transport_set_ptr (_session, (gnutls_transport_ptr_t) (long) _socket);
#endif
// Key exchange.
int ret;
do
{
ret = gnutls_handshake (_session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
throw std::string ("Handshake has failed (") + gnutls_strerror (ret) + ")";
if (_debug)
std::cout << "s: INFO Handshake was completed\n";
}
static void server(int fd, const char *prio)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
memset(buffer, 0, sizeof(buffer));
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
gnutls_anon_allocate_server_credentials(&anoncred);
session = initialize_tls_session(prio);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s) for %s\n\n",
gnutls_strerror(ret), prio);
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int fd, const char *prio)
{
int ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(7);
}
gnutls_certificate_allocate_credentials(&x509_cred);
assert(gnutls_init(&session, GNUTLS_CLIENT)>=0);
assert(gnutls_priority_set_direct(session, prio, NULL)>=0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
terminate();
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA:%COMPAT",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, odd_push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret >= 0) {
fail("client: Handshake succeeded!\n");
exit(1);
}
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
}
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
gnutls_certificate_allocate_credentials(&x509_cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL)>=0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
static int get_cert(socket_st *hd, const char *hostname, unsigned udp, int fd)
{
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
int ret;
struct priv_st priv;
priv.found = 0;
priv.fd = fd;
ret = gnutls_certificate_allocate_credentials(&xcred);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
exit(1);
}
gnutls_certificate_set_verify_function(xcred, cert_callback);
ret = gnutls_init(&session, (udp?GNUTLS_DATAGRAM:0)|GNUTLS_CLIENT);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
exit(1);
}
gnutls_session_set_ptr(session, &priv);
gnutls_transport_set_int(session, hd->fd);
gnutls_set_default_priority(session);
if (hostname && is_ip(hostname)==0) {
gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, strlen(hostname));
}
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
do {
ret = gnutls_handshake(session);
} while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_WARNING_ALERT_RECEIVED);
/* we don't care on the result */
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
if (priv.found == 0)
return -1;
return 0;
}
SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
{
gnutls_session_t * session = calloc(1, sizeof(gnutls_session_t));
gnutls_init(session, GNUTLS_SERVER);
gnutls_priority_set(*session, cipherCache);
gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
gnutls_transport_set_int(*session, *fileDescriptor);
if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
*isSSLReady = true;
return session;
}
tls_t *tls_new(xmpp_conn_t *conn)
{
tls_t *tls = xmpp_alloc(conn->ctx, sizeof(tls_t));
if (tls) {
tls->ctx = conn->ctx;
tls->sock = conn->sock;
gnutls_init(&tls->session, GNUTLS_CLIENT);
gnutls_certificate_allocate_credentials(&tls->cred);
tls_set_credentials(tls, CAFILE);
gnutls_set_default_priority(tls->session);
/* fixme: this may require setting a callback on win32? */
gnutls_transport_set_int(tls->session, conn->sock);
}
return tls;
}
/**
* Create wr_socket with TLS TCP underlying socket
* @return created socket on success, WR_BAD otherwise
*/
static wr_socket wr_create_tls_sckt(void)
{
#ifdef HTTPS_SUPPORT
wr_socket s = (wr_socket)malloc(sizeof(struct wr_socket_strc));
if (WR_BAD == s)
return WR_BAD;
s->t = wr_tls;
s->tls_connected = 0;
s->fd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (MHD_INVALID_SOCKET != s->fd)
{
if (GNUTLS_E_SUCCESS == gnutls_init (&(s->tls_s), GNUTLS_CLIENT))
{
if (GNUTLS_E_SUCCESS == gnutls_set_default_priority (s->tls_s))
{
if (GNUTLS_E_SUCCESS == gnutls_certificate_allocate_credentials (&(s->tls_crd)))
{
if (GNUTLS_E_SUCCESS == gnutls_credentials_set (s->tls_s, GNUTLS_CRD_CERTIFICATE, s->tls_crd))
{
#if GNUTLS_VERSION_NUMBER+0 >= 0x030109
gnutls_transport_set_int (s->tls_s, (int)(s->fd));
#else /* GnuTLS before 3.1.9 */
gnutls_transport_set_ptr (s->tls_s, (gnutls_transport_ptr_t)(intptr_t)(s->fd));
#endif /* GnuTLS before 3.1.9 */
return s;
}
gnutls_certificate_free_credentials (s->tls_crd);
}
}
gnutls_deinit (s->tls_s);
}
(void)MHD_socket_close_ (s->fd);
}
free(s);
#endif /* HTTPS_SUPPORT */
return WR_BAD;
}
static void client(int sds[], struct params_res *params)
{
int ret, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
/* variables used in session resuming
*/
int t;
gnutls_datum_t session_data;
if (debug) {
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(3);
}
global_init();
gnutls_anon_allocate_client_credentials(&anoncred);
for (t = 0; t < SESSIONS; t++) {
int sd = sds[t];
/* Initialize TLS session
*/
gnutls_init(&session,
GNUTLS_CLIENT | GNUTLS_DATAGRAM);
/* Use default priorities */
if (params->enable_session_ticket_client)
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
NULL);
else
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH:%NO_TICKETS",
NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
if (t > 0) {
/* if this is not the first time we connect */
gnutls_session_set_data(session, session_data.data,
session_data.size);
gnutls_free(session_data.data);
}
gnutls_transport_set_int(session, sd);
/* Perform the TLS handshake
*/
gnutls_dtls_set_timeouts(session, 3*1000, 240 * 1000);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
gnutls_perror(ret);
fail("client: Handshake failed\n");
goto end;
} else {
if (debug)
success
("client: Handshake was completed\n");
}
if (t == 0) { /* the first time we connect */
/* get the session data size */
ret =
gnutls_session_get_data2(session,
&session_data);
if (ret < 0)
fail("Getting resume data failed\n");
} else { /* the second time we connect */
/* check if we actually resumed the previous session */
if (gnutls_session_is_resumed(session) != 0) {
if (params->expect_resume) {
if (debug)
success
("- Previous session was resumed\n");
} else
fail("- Previous session was resumed\n");
} else {
if (params->expect_resume) {
fail("*** Previous session was NOT resumed\n");
} else {
if (debug)
success
("*** Previous session was NOT resumed (expected)\n");
}
}
}
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (debug) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
close(sd);
gnutls_deinit(session);
}
end:
gnutls_anon_free_client_credentials(anoncred);
}
static void server(int sds[], struct params_res *params)
{
gnutls_anon_server_credentials_t anoncred;
static gnutls_datum_t session_ticket_key = { NULL, 0 };
int ret;
size_t t;
gnutls_session_t session;
/* this must be called once in the program, it is mostly for the server.
*/
if (debug) {
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(3);
}
global_init();
gnutls_anon_allocate_server_credentials(&anoncred);
if (debug)
success("Launched, generating DH parameters...\n");
gnutls_anon_set_server_dh_params(anoncred, dh_params);
if (params->enable_db) {
wrap_db_init();
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_key_generate(&session_ticket_key);
for (t = 0; t < SESSIONS; t++) {
int sd = sds[t];
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits(session, DH_BITS);
if (params->enable_db) {
gnutls_db_set_retrieve_function(session, wrap_db_fetch);
gnutls_db_set_remove_function(session, wrap_db_delete);
gnutls_db_set_store_function(session, wrap_db_store);
gnutls_db_set_ptr(session, NULL);
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_enable_server(session,
&session_ticket_key);
gnutls_transport_set_int(session, sd);
gnutls_dtls_set_timeouts(session, 3*1000, 240 * 1000);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && (ret == GNUTLS_E_INTERRUPTED||ret == GNUTLS_E_AGAIN));
if (ret < 0) {
close(sd);
gnutls_deinit(session);
kill(child, SIGTERM);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
kill(child, SIGTERM);
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
}
if (params->enable_db) {
wrap_db_deinit();
}
gnutls_free(session_ticket_key.data);
session_ticket_key.data = NULL;
gnutls_anon_free_server_credentials(anoncred);
if (debug)
success("server: finished\n");
}
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_certificate_credentials_t xcred;
if (gnutls_check_version("3.1.4") == NULL) {
fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
exit(1);
}
/* for backwards compatibility with gnutls < 3.3.0 */
gnutls_global_init();
/* X509 stuff */
gnutls_certificate_allocate_credentials(&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function(xcred,
_verify_certificate_callback);
/* If client holds a certificate it can be set using the following:
*
gnutls_certificate_set_x509_key_file (xcred,
"cert.pem", "key.pem",
GNUTLS_X509_FMT_PEM);
*/
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_session_set_ptr(session, (void *) "my_host_name");
gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));
/* use default priorities */
gnutls_set_default_priority(session);
#if 0
/* if more fine-graned control is required */
ret = gnutls_priority_set_direct(session,
"NORMAL", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
}
exit(1);
}
#endif
/* put the x509 credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect();
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(session);
printf("- Session info: %s\n", desc);
gnutls_free(desc);
}
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
tcp_close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
return 0;
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
char c;
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(2);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_dtls_set_timeouts(session, 50 * 1000, 600 * 1000);
gnutls_transport_set_push_function(session, odd_push);
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_record_recv(session, &c, 1);
do {
do {
ret = gnutls_record_send(session, &c, 1);
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
fail("send: %s\n", gnutls_strerror(ret));
terminate();
}
}
while (test_finished == 0);
gnutls_transport_set_push_function(session, n_push);
do {
ret = gnutls_bye(session, GNUTLS_SHUT_WR);
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int fd)
{
gnutls_session_t session;
int ret;
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
unsigned char seq[8];
uint32_t useq;
memset(buffer, 0, sizeof(buffer));
/* Need to enable anonymous KX specifically. */
/* gnutls_global_set_audit_log_function (tls_audit_log_func); */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(2);
}
gnutls_anon_allocate_client_credentials(&anoncred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_dtls_set_timeouts(session, 50 * 1000, 600 * 1000);
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
gnutls_dtls_set_mtu(session, 1500);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
gnutls_record_send(session, buffer, 1);
if (debug)
success("client: DTLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
ret =
gnutls_record_recv_seq(session, buffer, sizeof(buffer),
seq);
if (ret > 0) {
useq =
seq[7] | (seq[6] << 8) | (seq[5] << 16) |
(seq[4] << 24);
if (debug)
success("received %u\n", (unsigned int)useq);
if (recv_msg_seq[current] == -1) {
fail("received message sequence differs\n");
terminate();
}
if (((uint32_t)recv_msg_seq[current]) != useq) {
fail("received message sequence differs (current: %u, got: %u, expected: %u)\n",
(unsigned)current, (unsigned)useq, (unsigned)recv_msg_seq[current]);
terminate();
}
current++;
}
}
while ((ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED
|| ret > 0));
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_client_credentials(anoncred);
gnutls_global_deinit();
}
static void client(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
ret = disable_system_calls();
if (ret < 0) {
fprintf(stderr, "could not enable seccomp\n");
exit(2);
}
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
ret = gnutls_record_recv(session, buffer, sizeof(buffer)-1);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret == 0) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
if (ret < 0) {
fail("server: error in closing session: %s\n", gnutls_strerror(ret));
}
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
}
static void server(int sd)
{
gnutls_certificate_credentials_t serverx509cred;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
side = "server";
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "PERFORMANCE:+ANON-ECDH:+ANON-DH",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_supplemental_recv(session, 1);
gnutls_supplemental_send(session, 1);
gnutls_session_supplemental_register(session, "supplemental_server", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_server_recv_func, supp_server_send_func, 0);
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
if (TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1)
fail("server: extension not properly sent/received\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int fd, int profile)
{
gnutls_session_t session;
int ret;
gnutls_anon_client_credentials_t anoncred;
uint8_t km[MAX_KEY_MATERIAL];
char buf[2 * MAX_KEY_MATERIAL];
gnutls_datum_t cli_key, cli_salt, server_key, server_salt;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_client_credentials(&anoncred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
gnutls_dtls_set_mtu(session, 1500);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
if (profile)
ret =
gnutls_srtp_set_profile_direct(session,
"SRTP_AES128_CM_HMAC_SHA1_80",
NULL);
else
ret =
gnutls_srtp_set_profile_direct(session,
"SRTP_NULL_HMAC_SHA1_80",
NULL);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: DTLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
ret =
gnutls_srtp_get_keys(session, km, sizeof(km), &cli_key,
&cli_salt, &server_key, &server_salt);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
if (debug) {
size_t size = sizeof(buf);
gnutls_hex_encode(&cli_key, buf, &size);
success("Client key: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&cli_salt, buf, &size);
success("Client salt: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&server_key, buf, &size);
success("Server key: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&server_salt, buf, &size);
success("Server salt: %s\n", buf);
}
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_client_credentials(anoncred);
gnutls_global_deinit();
}
static void server(int fd)
{
int ret;
gnutls_certificate_credentials_t xcred;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
ret = gnutls_certificate_set_x509_key_mem(xcred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
gnutls_init(&session, GNUTLS_SERVER);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
memset(buffer, 1, sizeof(buffer));
do {
ret = gnutls_record_send(session, buffer, sizeof(buffer)-1);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: data sending has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
if (ret < 0) {
fail("server: error in closing session: %s\n", gnutls_strerror(ret));
}
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(7);
}
gnutls_certificate_allocate_credentials(&x509_cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);
gnutls_handshake_set_timeout(session, 20 * 1000);
assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-DTLS1.2", NULL)>= 0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
assert(gnutls_server_name_set(session, GNUTLS_NAME_DNS, HOSTNAME, strlen(HOSTNAME))>=0);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) {
/* success */
goto end;
}
if (ret < 0) {
fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&session, GNUTLS_SERVER|GNUTLS_DATAGRAM);
gnutls_handshake_set_timeout(session, 20 * 1000);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
GNUTLS_HOOK_POST,
handshake_callback);
assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-DTLS1.2", NULL)>= 0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
/* failure is expected here */
goto end;
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
assert(found_server_name != 0);
assert(found_status_req != 0);
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int sd)
{
int ret, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
gnutls_certificate_allocate_credentials(&xcred);
/* sets the trusted cas file
*/
ret = gnutls_certificate_set_x509_trust_mem(xcred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
if (ret <= 0) {
fail("client: no CAs loaded!\n");
goto end;
}
gnutls_certificate_set_retrieve_function2(xcred, cert_callback);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, "NORMAL", NULL);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake(session);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
if (debug)
print_info(session);
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (debug) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
}
static void server(int fd, int profile)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
uint8_t km[MAX_KEY_MATERIAL];
char buf[2 * MAX_KEY_MATERIAL];
gnutls_datum_t cli_key, cli_salt, server_key, server_salt;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
if (profile)
ret =
gnutls_srtp_set_profile_direct(session,
"SRTP_AES128_CM_HMAC_SHA1_80",
NULL);
else
ret =
gnutls_srtp_set_profile_direct(session,
"SRTP_NULL_HMAC_SHA1_80",
NULL);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
ret =
gnutls_srtp_get_keys(session, km, sizeof(km), &cli_key,
&cli_salt, &server_key, &server_salt);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
if (debug) {
size_t size = sizeof(buf);
gnutls_hex_encode(&cli_key, buf, &size);
success("Client key: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&cli_salt, buf, &size);
success("Client salt: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&server_key, buf, &size);
success("Server key: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&server_salt, buf, &size);
success("Server salt: %s\n", buf);
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int sd)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
gnutls_certificate_allocate_credentials(&x509_cred);
ret = gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
if (ret == 0) {
fail("server: no CAs loaded\n");
}
gnutls_certificate_set_x509_key_mem(x509_cred,
&server_ca3_localhost_cert,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success("Launched, generating DH parameters...\n");
generate_dh_params();
gnutls_certificate_set_dh_params(x509_cred, dh_params);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits(session, DH_BITS);
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session, 20 * 1000);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
if (debug)
print_info(session);
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_certificate_credentials_t xcred;
if (gnutls_check_version("3.1.4") == NULL) {
fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
exit(1);
}
/* for backwards compatibility with gnutls < 3.3.0 */
gnutls_global_init();
/* X509 stuff */
gnutls_certificate_allocate_credentials(&xcred);
/* sets the trusted cas file */
gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function(xcred,
verify_certificate_callback);
/* Initialize TLS session */
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
/* Use default priorities */
ret = gnutls_priority_set_direct(session,
"NORMAL", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
}
exit(1);
}
/* put the x509 credentials to the current session */
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));
/* connect to the peer */
sd = udp_connect();
gnutls_transport_set_int(session, sd);
/* set the connection MTU */
gnutls_dtls_set_mtu(session, 1000);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake */
do {
ret = gnutls_handshake(session);
}
while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
/* Note that DTLS may also receive GNUTLS_E_LARGE_PACKET */
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(session);
printf("- Session info: %s\n", desc);
gnutls_free(desc);
}
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
/* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
* connections because the peer's closure message might
* be lost */
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
udp_close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
return 0;
}
static void client(int sd)
{
int ret;
gnutls_session_t session;
gnutls_certificate_credentials_t clientx509cred;
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
side = "client";
gnutls_certificate_allocate_credentials(&clientx509cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, "PERFORMANCE:+ANON-ECDH:+ANON-DH",
NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_transport_set_int(session, sd);
gnutls_supplemental_recv(session, 1);
gnutls_supplemental_send(session, 1);
gnutls_session_supplemental_register(session, "supplemental_client", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_client_recv_func, supp_client_send_func, 0);
/* Perform the TLS handshake
*/
ret = gnutls_handshake(session);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (TLS_SUPPLEMENTALDATA_client_sent != 1 || TLS_SUPPLEMENTALDATA_client_received != 1)
fail("client: extension not properly sent/received\n");
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
}