void doit(void)
{
int exit_code = EXIT_SUCCESS;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (2);
/* Init server */
gnutls_certificate_allocate_credentials (&serverx509cred);
gnutls_certificate_set_x509_key_mem (serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
gnutls_priority_set_direct (server, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);
/* Init client */
gnutls_certificate_allocate_credentials (&clientx509cred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
gnutls_priority_set_direct (client, "NORMAL", NULL);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);
HANDSHAKE(client, server);
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
gnutls_certificate_free_credentials (serverx509cred);
gnutls_certificate_free_credentials (clientx509cred);
gnutls_global_deinit ();
if (debug > 0)
{
if (exit_code == 0)
puts ("Self-test successful");
else
puts ("Self-test failed");
}
}
static
void test_failure_server(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
to_server_len = 0;
to_client_len = 0;
client_ret_val = 0;
server_ret_val = GNUTLS_E_CERTIFICATE_ERROR;
server_ok = 0;
client_ok = 0;
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server, "NORMAL", NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_session_set_verify_function(server,
server_callback);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
gnutls_session_set_verify_function(client,
client_callback);
HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_CERTIFICATE_ERROR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
if (server_ok == 0)
fail("%s: certificate verify callback wasn't called\n", __func__);
}
int
test_cli_serv_psk(gnutls_psk_server_credentials_t server_cred,
gnutls_psk_client_credentials_t client_cred,
const char *prio)
{
int exit_code = EXIT_SUCCESS;
int ret;
/* Server stuff. */
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
reset_buffers();
/* Init server */
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_PSK,
server_cred);
gnutls_priority_set_direct(server, prio, NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_PSK,
client_cred);
if (ret < 0)
exit(1);
gnutls_priority_set_direct(client, prio, NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
ret = 0;
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
if (debug > 0) {
if (exit_code == 0)
puts("Self-test successful");
else
puts("Self-test failed");
}
return ret;
}
//general tls stuff-------------------------------------------------------------
static gnutls_session_t initialize_tls_session(bool sServer,
gnutls_srp_client_credentials_t &cClient, const struct sockaddr *aAddress,
socklen_t lLength, const char *aActual)
{
gnutls_session_t session;
gnutls_init(&session, sServer? GNUTLS_SERVER : GNUTLS_CLIENT);
if (use_srp_auth)
{
gnutls_priority_set_direct(session, sServer?
"NORMAL:+SRP" : "PERFORMANCE:+SRP", NULL);
if (!sServer)
set_client_passwd(cClient, aAddress, lLength, aActual);
gnutls_credentials_set(session, GNUTLS_CRD_SRP, sServer?
(void*) srp_server : (void*) cClient);
}
else
{
gnutls_priority_set_direct(session, sServer?
"NORMAL:+ANON-DH" : "PERFORMANCE:+ANON-DH", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, credentials);
}
gnutls_dh_set_prime_bits(session, 1024);
gnutls_transport_set_push_function(session, (gnutls_push_func) &write_wrapper);
gnutls_transport_set_pull_function(session, (gnutls_pull_func) &read_wrapper);
return session;
}
gnutls_session_t session(int sock, int server)
{
gnutls_session_t r;
gnutls_init(&r, GNUTLS_DATAGRAM | (server ? GNUTLS_SERVER : GNUTLS_CLIENT)
| GNUTLS_NONBLOCK * nonblock);
gnutls_priority_set_direct(r, "NORMAL:+ANON-ECDH", 0);
gnutls_transport_set_ptr(r, (gnutls_transport_ptr_t) sock);
if (server) {
gnutls_anon_server_credentials_t cred;
gnutls_anon_allocate_server_credentials(&cred);
gnutls_credentials_set(r, GNUTLS_CRD_ANON, cred);
} else {
gnutls_anon_client_credentials_t cred;
gnutls_anon_allocate_client_credentials(&cred);
gnutls_credentials_set(r, GNUTLS_CRD_ANON, cred);
}
gnutls_transport_set_push_function(r, writefn);
gnutls_dtls_set_mtu(r, 1400);
gnutls_dtls_set_timeouts(r, 100, 60000);
return r;
}
struct tls_connection * tls_connection_init(void *ssl_ctx)
{
struct tls_connection *conn;
const int cert_types[2] = { GNUTLS_CRT_X509, 0 };
const int protos[2] = { GNUTLS_TLS1, 0 };
conn = malloc(sizeof(*conn));
if (conn == NULL)
return NULL;
memset(conn, 0, sizeof(*conn));
if (gnutls_init(&conn->session, GNUTLS_CLIENT) < 0) {
wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS "
"connection");
free(conn);
return NULL;
}
gnutls_set_default_priority(conn->session);
gnutls_certificate_type_set_priority(conn->session, cert_types);
gnutls_protocol_set_priority(conn->session, protos);
gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func);
gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn);
gnutls_certificate_allocate_credentials(&conn->xcred);
return conn;
}
static rfbBool
InitializeTLSSession(rfbClient* client, rfbBool anonTLS)
{
int ret;
const char *p;
if (client->tlsSession) return TRUE;
if ((ret = gnutls_init((gnutls_session_t*)&client->tlsSession, GNUTLS_CLIENT)) < 0)
{
rfbClientLog("Failed to initialized TLS session: %s.\n", gnutls_strerror(ret));
return FALSE;
}
if ((ret = gnutls_priority_set_direct((gnutls_session_t)client->tlsSession,
anonTLS ? rfbAnonTLSPriority : rfbTLSPriority, &p)) < 0)
{
rfbClientLog("Warning: Failed to set TLS priority: %s (%s).\n", gnutls_strerror(ret), p);
}
gnutls_transport_set_ptr((gnutls_session_t)client->tlsSession, (gnutls_transport_ptr_t)client);
gnutls_transport_set_push_function((gnutls_session_t)client->tlsSession, PushTLS);
gnutls_transport_set_pull_function((gnutls_session_t)client->tlsSession, PullTLS);
rfbClientLog("TLS session initialized.\n");
return TRUE;
}
static void server(int fd, int packet)
{
int ret;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
session = initialize_tls_session();
counter = 0;
packet_to_lose = packet;
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
gnutls_deinit(session);
gnutls_global_deinit();
if (ret < 0) {
return;
}
}
static void session_init(int sock, int server)
{
gnutls_init(&session, GNUTLS_DATAGRAM | (server ? GNUTLS_SERVER : GNUTLS_CLIENT)
| GNUTLS_NONBLOCK * nonblock);
gnutls_priority_set_direct(session, "+CTYPE-OPENPGP:+CIPHER-ALL:+MAC-ALL:+ECDHE-RSA:+ANON-ECDH", 0);
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) (intptr_t) sock);
if (full) {
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
if (server) {
gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
}
} else if (server) {
gnutls_anon_server_credentials_t cred;
gnutls_anon_allocate_server_credentials(&cred);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred);
} else {
gnutls_anon_client_credentials_t cred;
gnutls_anon_allocate_client_credentials(&cred);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred);
}
gnutls_transport_set_push_function(session, writefn);
gnutls_dtls_set_mtu(session, 1400);
gnutls_dtls_set_timeouts(session, retransmit_milliseconds, timeout_seconds * 1000);
}
static gnutls_session new_tls_session(int sock)
{
int ret;
gnutls_session session;
const int kx_priority[] = {
GNUTLS_KX_ANON_DH,
#ifdef GNUTLS_SRP_ENABLED
GNUTLS_KX_SRP, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA,
#endif
0 };
gnutls_init(&session, GNUTLS_SERVER);
gnutls_set_default_priority(session);
gnutls_kx_set_priority(session, kx_priority);
#ifdef GNUTLS_SRP_ENABLED
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred);
gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE);
#endif
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr(session, fd_to_ptr(sock));
gnutls_transport_set_pull_function(session, tls_pull);
gnutls_transport_set_push_function(session, tls_push);
ret = gnutls_handshake(session);
if ( ret < 0 ) {
fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret));
gnutls_alert_send_appropriate(session, ret);
return NULL;
}
return session;
}
void SslSocket::setupSession()
{
qDebug() << "Initialise client session";
// Setup the trust store
gnutls_certificate_allocate_credentials(&d->x509cred);
gnutls_certificate_set_x509_trust_file(d->x509cred, "/etc/ssl/ca-bundle.pem", GNUTLS_X509_FMT_PEM);
// Configure the session
gnutls_init(&d->session, GNUTLS_CLIENT);
gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509cred);
const char *err;
gnutls_priority_init(&d->priority_cache, "NORMAL", &err);
gnutls_priority_set(d->session, d->priority_cache);
// Setup the transport functions to use QTcpSocket
gnutls_transport_set_ptr(d->session, this);
gnutls_transport_set_pull_function(d->session, read_callback);
#ifdef NO_VECTOR_WRITES
gnutls_transport_set_push_function(d->session, write_callback);
#else
gnutls_transport_set_vec_push_function(d->session, write_vector_callback);
#endif
}
bool CTlsSocket::InitSession()
{
int res = gnutls_init(&m_session, GNUTLS_CLIENT);
if (res) {
LogError(res, _T("gnutls_init"));
Uninit();
return false;
}
// Even though the name gnutls_db_set_cache_expiration
// implies expiration of some cache, it also governs
// the actual session lifetime, independend whether the
// session is cached or not.
gnutls_db_set_cache_expiration(m_session, 100000000);
res = gnutls_priority_set_direct(m_session, ciphers, 0);
if (res) {
LogError(res, _T("gnutls_priority_set_direct"));
Uninit();
return false;
}
gnutls_dh_set_prime_bits(m_session, 512);
gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials);
// Setup transport functions
gnutls_transport_set_push_function(m_session, PushFunction);
gnutls_transport_set_pull_function(m_session, PullFunction);
gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
return true;
}
bool CTlsSocket::Init()
{
// This function initializes GnuTLS
int res = gnutls_global_init();
if (res)
{
LogError(res);
return false;
}
m_initialized = true;
res = gnutls_certificate_allocate_credentials(&m_certCredentials);
if (res < 0)
{
LogError(res);
Uninit();
return false;
}
res = gnutls_init(&m_session, GNUTLS_CLIENT);
if (res)
{
LogError(res);
Uninit();
return false;
}
res = gnutls_set_default_priority(m_session);
if (res)
{
LogError(res);
Uninit();
return false;
}
// Set which type of certificates we accept
const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
gnutls_certificate_type_set_priority(m_session, cert_type_priority);
if (res)
{
LogError(res);
Uninit();
return false;
}
gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials);
// Setup transport functions
gnutls_transport_set_push_function(m_session, PushFunction);
gnutls_transport_set_pull_function(m_session, PullFunction);
gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
gnutls_transport_set_lowat(m_session, 0);
m_shutdown_requested = false;
// At this point, we can start shaking hands.
return true;
}
static void client(int fd, int packet)
{
int ret;
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_client_credentials(&anoncred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
counter = 0;
packet_to_lose = packet;
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
gnutls_deinit(session);
gnutls_global_deinit();
if (ret < 0) {
if (ret == GNUTLS_E_TIMEDOUT)
return;
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
exit(1);
}
static int
tls_handshake (struct ikstls_data **datap, ikstransport *trans, void *sock)
{
const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
struct ikstls_data *data;
int ret;
*datap = NULL;
data = iks_malloc (sizeof(*data));
if (!data) return IKS_NOMEM;
memset (data, 0, sizeof(*data));
data->trans = trans;
data->sock = sock;
data->timeout = -1;
if (gnutls_global_init () != 0) {
iks_free (data);
return IKS_NOMEM;
}
if (gnutls_certificate_allocate_credentials (&data->cred) < 0) {
iks_free (data);
return IKS_NOMEM;
}
if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
gnutls_certificate_free_credentials (data->cred);
iks_free (data);
return IKS_NOMEM;
}
gnutls_protocol_set_priority (data->sess, protocol_priority);
gnutls_cipher_set_priority(data->sess, cipher_priority);
gnutls_compression_set_priority(data->sess, comp_priority);
gnutls_kx_set_priority(data->sess, kx_priority);
gnutls_mac_set_priority(data->sess, mac_priority);
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
gnutls_transport_set_ptr (data->sess, data);
ret = gnutls_handshake (data->sess);
if (ret != 0) {
gnutls_deinit (data->sess);
gnutls_certificate_free_credentials (data->cred);
iks_free (data);
return IKS_NET_TLSFAIL;
}
*datap = data;
return IKS_OK;
}
liGnuTLSFilter* li_gnutls_filter_new(
liServer *srv, liWorker *wrk,
const liGnuTLSFilterCallbacks *callbacks, gpointer data,
gnutls_session_t session, liStream *crypt_source, liStream *crypt_drain
) {
liEventLoop *loop = crypt_source->loop;
liGnuTLSFilter *f;
liCQLimit *out_limit;
f = g_slice_new0(liGnuTLSFilter);
f->refcount = 5; /* 1 + 4 streams */
f->callbacks = callbacks;
f->callback_data = data;
f->srv = srv;
f->wrk = wrk;
f->session = session;
gnutls_transport_set_ptr(f->session, (gnutls_transport_ptr_t) f);
gnutls_transport_set_push_function(f->session, stream_push);
#ifdef HAVE_GIOVEC
gnutls_transport_set_vec_push_function(f->session, stream_pushv);
#endif
gnutls_transport_set_pull_function(f->session, stream_pull);
gnutls_session_set_ptr(f->session, f);
gnutls_handshake_set_post_client_hello_function(f->session, post_client_hello_cb);
f->initial_handshaked_finished = 0;
f->closing = f->aborted = 0;
f->write_wants_read = 0;
li_stream_init(&f->crypt_source, loop, stream_crypt_source_cb);
li_stream_init(&f->crypt_drain, loop, stream_crypt_drain_cb);
li_stream_init(&f->plain_source, loop, stream_plain_source_cb);
li_stream_init(&f->plain_drain, loop, stream_plain_drain_cb);
/* "virtual" connections - the content goes through SSL */
li_stream_connect(&f->plain_drain, &f->crypt_source);
li_stream_connect(&f->crypt_drain, &f->plain_source);
li_stream_connect(crypt_source, &f->crypt_drain);
li_stream_connect(&f->crypt_source, crypt_drain);
/* separate limit for buffer of encrypted data
*
* f->plain_drain is already connected to f->crypt_source,
* so they won't share the same limit */
out_limit = li_cqlimit_new();
out_limit->notify = stream_crypt_source_limit_notify_cb;
out_limit->context = f;
li_cqlimit_set_limit(out_limit, 32*1024);
li_chunkqueue_set_limit(crypt_drain->out, out_limit);
li_chunkqueue_set_limit(f->crypt_source.out, out_limit);
li_cqlimit_release(out_limit);
return f;
}
TLSSocket::TLSSocket(std::shared_ptr<TLSSession> session, std::shared_ptr<socket> sok)
: m_session(session), m_wrapped(sok), m_connected(false),
m_handshaking(false), m_ex(NULL)
{
gnutls_transport_set_ptr(*m_session->m_gnutlsSession, this);
gnutls_transport_set_push_function(*m_session->m_gnutlsSession, gnutlsPushFunc);
gnutls_transport_set_pull_function(*m_session->m_gnutlsSession, gnutlsPullFunc);
}
static void client(int fd)
{
int ret;
gnutls_anon_client_credentials_t anoncred;
gnutls_session_t session;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_client_credentials(&anoncred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
success("client: Handshake failed as expected\n");
gnutls_perror(ret);
goto exit;
} else {
fail("client: Handshake completed unexpectedly\n");
goto exit;
}
exit:
gnutls_deinit(session);
gnutls_anon_free_client_credentials(anoncred);
gnutls_global_deinit();
}
bool DTLS_Encrypt(NetworkAddress * destAddress, uint8_t * plainText, int plainTextLength, uint8_t * encryptedBuffer, int encryptedBufferLength, int * encryptedLength, void *context)
{
bool result = false;
DTLS_Session * session = GetSession(destAddress);
if (session)
{
if (session->SessionEstablished)
{
gnutls_transport_set_push_function(session->Session, EncryptCallBack);
session->Buffer = encryptedBuffer;
session->BufferLength = encryptedBufferLength;
int written = gnutls_write(session->Session, plainText, plainTextLength);
if (written >= 0)
{
*encryptedLength = encryptedBufferLength - session->BufferLength;
result = (*encryptedLength > 0);
}
}
else
{
session->UserContext = context;
gnutls_transport_set_push_function(session->Session, SSLSendCallBack);
session->SessionEstablished = (gnutls_handshake(session->Session) == GNUTLS_E_SUCCESS);
if (session->SessionEstablished)
Lwm2m_Info("DTLS Session established\n");
}
}
else
{
int index;
for (index = 0;index < MAX_DTLS_SESSIONS; index++)
{
if (!sessions[index].Session)
{
SetupNewSession(index, destAddress, true);
sessions[index].UserContext = context;
gnutls_transport_set_push_function(sessions[index].Session, SSLSendCallBack);
sessions[index].SessionEstablished = (gnutls_handshake(sessions[index].Session) == GNUTLS_E_SUCCESS);
break;
}
}
}
return result;
}
/**
* Enables SSL for the given connection.
*
* @param connection The connection to enable SSL for.
*
* @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection
* is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when
* SSL initialization, setup, or handshake fails.
*/
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_global_init();
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback);
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert);
if (uerr != USERPREF_E_SUCCESS) {
debug_info("Error %d when loading keys and certificates! %d", uerr);
}
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno)
debug_info("WARN: errno says %s before handshake!", strerror(errno));
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
return ret;
}
GIOChannel *g_io_channel_gnutls_new(int fd)
{
GIOGnuTLSChannel *gnutls_channel;
GIOChannel *channel;
int err;
DBG("");
gnutls_channel = g_new(GIOGnuTLSChannel, 1);
channel = (GIOChannel *) gnutls_channel;
g_io_channel_init(channel);
channel->funcs = &gnutls_channel_funcs;
gnutls_channel->fd = fd;
channel->is_seekable = FALSE;
channel->is_readable = TRUE;
channel->is_writeable = TRUE;
channel->do_encode = FALSE;
g_io_gnutls_global_init();
err = gnutls_init(&gnutls_channel->session, GNUTLS_CLIENT);
if (err < 0) {
g_free(gnutls_channel);
return NULL;
}
gnutls_transport_set_ptr(gnutls_channel->session, gnutls_channel);
gnutls_transport_set_push_function(gnutls_channel->session,
g_io_gnutls_push_func);
gnutls_transport_set_pull_function(gnutls_channel->session,
g_io_gnutls_pull_func);
#if GNUTLS_VERSION_NUMBER < 0x020c00
gnutls_transport_set_lowat(gnutls_channel->session, 0);
gnutls_priority_set_direct(gnutls_channel->session,
"NORMAL:%COMPAT", NULL);
#else
gnutls_priority_set_direct(gnutls_channel->session,
"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL);
#endif
gnutls_certificate_allocate_credentials(&gnutls_channel->cred);
gnutls_credentials_set(gnutls_channel->session,
GNUTLS_CRD_CERTIFICATE, gnutls_channel->cred);
DBG("channel %p", channel);
return channel;
}
static int tls_gnutls_init_session(struct tls_global *global,
struct tls_connection *conn)
{
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
const char *err;
#else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */
const int cert_types[2] = { GNUTLS_CRT_X509, 0 };
const int protos[2] = { GNUTLS_TLS1, 0 };
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */
int ret;
ret = gnutls_init(&conn->session,
global->server ? GNUTLS_SERVER : GNUTLS_CLIENT);
if (ret < 0) {
wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS "
"connection: %s", gnutls_strerror(ret));
return -1;
}
ret = gnutls_set_default_priority(conn->session);
if (ret < 0)
goto fail;
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0",
&err);
if (ret < 0) {
wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at "
"'%s'", err);
goto fail;
}
#else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */
ret = gnutls_certificate_type_set_priority(conn->session, cert_types);
if (ret < 0)
goto fail;
ret = gnutls_protocol_set_priority(conn->session, protos);
if (ret < 0)
goto fail;
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */
gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func);
gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn);
return 0;
fail:
wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s",
gnutls_strerror(ret));
gnutls_deinit(conn->session);
return -1;
}
void InitSession(StreamSocket* user, bool me_server)
{
gnutls_init(&sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
profile->SetupSession(sess);
gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(user));
gnutls_transport_set_push_function(sess, gnutls_push_wrapper);
gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper);
if (me_server)
gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
}
static int
handshake (struct stream_data *data)
{
const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
const int kx_priority[] = { GNUTLS_KX_RSA, 0 };
const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0};
const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
int ret;
#ifndef WIN32
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
#endif
if (gnutls_global_init () != 0)
return IKS_NOMEM;
if (gnutls_certificate_allocate_credentials (&data->cred) < 0)
return IKS_NOMEM;
if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) {
gnutls_certificate_free_credentials (data->cred);
return IKS_NOMEM;
}
gnutls_protocol_set_priority (data->sess, protocol_priority);
gnutls_cipher_set_priority(data->sess, cipher_priority);
gnutls_compression_set_priority(data->sess, comp_priority);
gnutls_kx_set_priority(data->sess, kx_priority);
gnutls_mac_set_priority(data->sess, mac_priority);
gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred);
gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push);
gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull);
gnutls_transport_set_ptr (data->sess, data->prs);
ret = gnutls_handshake (data->sess);
if (ret != 0) {
gnutls_deinit (data->sess);
gnutls_certificate_free_credentials (data->cred);
return IKS_NET_TLSFAIL;
}
data->flags &= (~SF_TRY_SECURE);
data->flags |= SF_SECURE;
iks_send_header (data->prs, data->server);
return IKS_OK;
} // HAVE_GNUTLS
static void client(int fd)
{
int ret;
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA:%COMPAT",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, odd_push);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret >= 0) {
fail("client: Handshake succeeded!\n");
exit(1);
}
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
}
void GnuTlsStream::handshake(const GnuTlsServer& server)
{
log_debug("gnutls_init(session, GNUTLS_SERVER)");
int ret = gnutls_init(&_session, GNUTLS_SERVER);
if (ret != 0)
throw GnuTlsException("gnutls_init", ret);
log_debug("gnutls_set_default_priority");
ret = gnutls_set_default_priority(_session);
if (ret != 0)
throw GnuTlsException("gnutls_set_default_priority", ret);
log_debug("gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, "
<< server.getCred() << ')');
ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, server.getCred());
if (ret != 0)
throw GnuTlsException("gnutls_credentials_set", ret);
log_debug("gnutls_dh_set_prime_bits(session, 1024)");
gnutls_dh_set_prime_bits(_session, 1024);
_fdInfo.fd = getFd();
_fdInfo.timeout = getTimeout();
log_debug("gnutls_transport_set_ptr(ptr)");
gnutls_transport_set_ptr(_session, static_cast<gnutls_transport_ptr_t>(&_fdInfo));
log_debug("gnutls_transport_set_pull_function()");
gnutls_transport_set_pull_function(_session, pull_func);
log_debug("gnutls_transport_set_push_function()");
gnutls_transport_set_push_function(_session, push_func);
// non-blocking/with timeout
_fdInfo.timeout = 10000;
log_debug("gnutls_handshake");
ret = gnutls_handshake(_session);
log_debug("gnutls_handshake => " << ret);
if (ret != 0)
throw GnuTlsException("gnutls_handshake", ret);
_connected = true;
_fdInfo.timeout = getTimeout();
log_debug("ssl-handshake was completed");
}
void
evcom_stream_assign_fds (evcom_stream *stream, int recvfd, int sendfd)
{
assert(recvfd >= 0);
assert(sendfd >= 0);
if (recvfd == sendfd) stream->flags |= EVCOM_DUPLEX;
if (set_nonblock(recvfd) != 0) {
evcom_perror("set_nonblock(recvfd)", errno);
}
if (set_nonblock(sendfd) != 0) {
evcom_perror("set_nonblock(sendfd)", errno);
}
#ifdef SO_NOSIGPIPE
if (DUPLEX(stream)) {
int flags = 1;
int r = setsockopt(sendfd, SOL_SOCKET, SO_NOSIGPIPE, &flags, sizeof(flags));
if (r < 0) {
evcom_perror("setsockopt(SO_NOSIGPIPE)", errno);
}
}
#endif
ev_io_set(&stream->read_watcher, recvfd, EV_READ);
ev_io_set(&stream->write_watcher, sendfd, EV_WRITE);
stream->recvfd = recvfd;
stream->sendfd = sendfd;
stream->send_action = stream__connection_established;
stream->recv_action = stream__connection_established;
stream->flags |= EVCOM_READABLE;
stream->flags |= EVCOM_WRITABLE;
#if EVCOM_HAVE_GNUTLS
if (SECURE(stream)) {
gnutls_transport_set_lowat(stream->session, 0);
gnutls_transport_set_push_function(stream->session, nosigpipe_push);
gnutls_transport_set_pull_function(stream->session, pull);
gnutls_transport_set_ptr2(stream->session, stream, stream);
}
#endif
}
bool DTLS_Decrypt(NetworkAddress * sourceAddress, uint8_t * encrypted, int encryptedLength, uint8_t * decryptBuffer, int decryptBufferLength, int * decryptedLength, void *context)
{
bool result = false;
DTLS_Session * session = GetSession(sourceAddress);
if (session)
{
session->Buffer = encrypted;
session->BufferLength = encryptedLength;
if (session->SessionEstablished)
{
*decryptedLength = gnutls_read(session->Session, decryptBuffer, decryptBufferLength);
result = (*decryptedLength > 0);
if (!result)
{
FreeSession(session);
session = NULL;
}
}
else
{
*decryptedLength = 0;
session->SessionEstablished = (gnutls_handshake(session->Session) == GNUTLS_E_SUCCESS);
if (session->SessionEstablished)
Lwm2m_Info("Session established");
}
}
if (!session)
{
int index;
for (index = 0;index < MAX_DTLS_SESSIONS; index++)
{
if (!sessions[index].Session)
{
SetupNewSession(index, sourceAddress, false);
sessions[index].UserContext = context;
gnutls_transport_set_push_function(sessions[index].Session, SSLSendCallBack);
sessions[index].Buffer = encrypted;
sessions[index].BufferLength = encryptedLength;
sessions[index].SessionEstablished = (gnutls_handshake(sessions[index].Session) == GNUTLS_E_SUCCESS);
break;
}
}
}
return result;
}
static gnutls_session_t new_tls_session(int sock)
{
int ret;
gnutls_session_t session;
const char *err;
#if defined LIBGNUTLS_VERSION_MAJOR && LIBGNUTLS_VERSION_MAJOR >= 3
# define TLS_DH_STR "+ANON-ECDH:+ANON-DH"
#else
# define TLS_DH_STR "+ANON-DH"
#endif
#ifdef GNUTLS_SRP_ENABLED
const char *pstring = "NORMAL:+SRP:+SRP-DSS:+SRP-RSA:" TLS_DH_STR;
#else
const char *pstring = "NORMAL:" TLS_DH_STR;
#endif
gnutls_init(&session, GNUTLS_SERVER);
gnutls_set_default_priority(session);
ret = gnutls_priority_set_direct(session, pstring, &err);
if (ret < 0) {
fprintf(stderr, "TLS priority syntax error at: %s\n", err);
return NULL;
}
#ifdef GNUTLS_SRP_ENABLED
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred);
gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE);
#endif
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr(session, fd_to_ptr(sock));
gnutls_transport_set_pull_function(session, tls_pull);
gnutls_transport_set_push_function(session, tls_push);
ret = gnutls_handshake(session);
if ( ret < 0 ) {
fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret));
gnutls_alert_send_appropriate(session, ret);
return NULL;
}
return session;
}
/** \brief Start the action
*/
crypto_err_t tls_full_t::start(tls_privctx_t * p_tls_privctx
, const pkt_t &p_lower_buf_l2u) throw()
{
// log to debug
KLOG_DBG("enter");
// copy the parameters
this->m_tls_privctx = p_tls_privctx;
this->m_lower_buf_l2u = p_lower_buf_l2u;
// set all the custom read/write function
gnutls_session_t gnutls_sess = m_tls_privctx->session();
gnutls_transport_set_ptr(gnutls_sess, (gnutls_transport_ptr_t) this);
gnutls_transport_set_pull_function(gnutls_sess, tls_full_c_read_cb);
gnutls_transport_set_push_function(gnutls_sess, tls_full_c_write_cb);
// return no error
return crypto_err_t::OK;
}
