void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
int ret = gnutls_global_init ();
if (ret < 0)
throw format ("TLS init error. {1}", gnutls_strerror (ret));
ret = gnutls_certificate_allocate_credentials (&_credentials);
if (ret < 0)
throw format ("TLS allocation error. {1}", gnutls_strerror (ret));
if (_ca != "" &&
(ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CA file. {1}", gnutls_strerror (ret));
if ( _crl != "" &&
(ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CRL file. {1}", gnutls_strerror (ret));
if (_cert != "" &&
_key != "" &&
(ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CERT file. {1}", gnutls_strerror (ret));
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
// The automatic verification for the client certificate with
// gnutls_certificate_set_verify_function only works with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
void TLSClient::init (
const std::string& ca,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_cert = cert;
_key = key;
int ret = gnutls_global_init ();
if (ret < 0)
throw format ("TLS init error. {1}", gnutls_strerror (ret));
ret = gnutls_certificate_allocate_credentials (&_credentials);
if (ret < 0)
throw format ("TLS allocation error. {1}", gnutls_strerror (ret));
if (_ca != "" &&
(ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CA file. {1}", gnutls_strerror (ret));
if (_cert != "" &&
_key != "" &&
(ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CERT file. {1}", gnutls_strerror (ret));
#if GNUTLS_VERSION_NUMBER >= 0x02090a
// The automatic verification for the server certificate with
// gnutls_certificate_set_verify_function only works with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
ret = gnutls_init (&_session, GNUTLS_CLIENT);
if (ret < 0)
throw format ("TLS client init error. {1}", gnutls_strerror (ret));
// Use default priorities unless overridden.
if (_ciphers == "")
_ciphers = "NORMAL";
const char *err;
ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err);
if (ret < 0)
{
if (_debug && ret == GNUTLS_E_INVALID_REQUEST)
std::cout << "c: ERROR Priority error at: " << err << "\n";
throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret));
}
// Apply the x509 credentials to the current session.
ret = gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials);
if (ret < 0)
throw format ("TLS credentials error. {1}", gnutls_strerror (ret));
}
void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&_credentials);
if (_ca != "" &&
gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CA file.");
if ( _crl != "" &&
gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CRL file.");
if (_cert != "" &&
_key != "" &&
gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CERT file.");
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
static int get_cert(socket_st *hd, const char *hostname, unsigned udp, int fd)
{
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
int ret;
struct priv_st priv;
priv.found = 0;
priv.fd = fd;
ret = gnutls_certificate_allocate_credentials(&xcred);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
exit(1);
}
gnutls_certificate_set_verify_function(xcred, cert_callback);
ret = gnutls_init(&session, (udp?GNUTLS_DATAGRAM:0)|GNUTLS_CLIENT);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
exit(1);
}
gnutls_session_set_ptr(session, &priv);
gnutls_transport_set_int(session, hd->fd);
gnutls_set_default_priority(session);
if (hostname && is_ip(hostname)==0) {
gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname, strlen(hostname));
}
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
do {
ret = gnutls_handshake(session);
} while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_WARNING_ALERT_RECEIVED);
/* we don't care on the result */
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
if (priv.found == 0)
return -1;
return 0;
}
void TLSClient::init (
const std::string& ca,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_cert = cert;
_key = key;
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&_credentials);
if (_ca != "" &&
gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CA file.");
if (_cert != "" &&
_key != "" &&
gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CERT file.");
#if GNUTLS_VERSION_NUMBER >= 0x02090a
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
gnutls_init (&_session, GNUTLS_CLIENT);
// Use default priorities unless overridden.
if (_ciphers == "")
_ciphers = "NORMAL";
const char *err;
int ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err);
if (ret < 0)
{
if (_debug && ret == GNUTLS_E_INVALID_REQUEST)
std::cout << "c: ERROR Priority error at: " << err << "\n";
throw std::string ("Error initializing TLS.");
}
// Apply the x509 credentials to the current session.
gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials);
}
static int ma_ssl_set_certs(MYSQL *mysql)
{
char *certfile= mysql->options.ssl_cert,
*keyfile= mysql->options.ssl_key;
char *cipher= NULL;
int ssl_error= 0;
if (mysql->options.ssl_ca)
{
ssl_error= gnutls_certificate_set_x509_trust_file(GNUTLS_xcred,
mysql->options.ssl_ca,
GNUTLS_X509_FMT_PEM);
if (ssl_error < 0)
goto error;
}
gnutls_certificate_set_verify_function(GNUTLS_xcred,
my_verify_callback);
/* GNUTLS doesn't support ca_path */
if (keyfile && !certfile)
certfile= keyfile;
if (certfile && !keyfile)
keyfile= certfile;
/* set key */
if (certfile || keyfile)
{
if ((ssl_error= gnutls_certificate_set_x509_key_file2(GNUTLS_xcred,
certfile, keyfile,
GNUTLS_X509_FMT_PEM,
OPT_HAS_EXT_VAL(mysql, ssl_pw) ? mysql->options.extension->ssl_pw : NULL,
0)) < 0)
goto error;
}
return 1;
error:
if (cipher)
my_free(cipher);
return ssl_error;
}
void ssl_init(gnutls_session_t *session,
gnutls_certificate_credentials_t *xcred,
void *push_cb,
void *pull_cb,
void *pull_timeout_cb)
{
/* X509 */
gnutls_certificate_allocate_credentials(xcred);
gnutls_certificate_set_verify_function(*xcred, _verify_certificate_callback);
/* init things! */
gnutls_init(session, GNUTLS_CLIENT);
gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, *xcred);
gnutls_transport_set_push_function(*session, push_cb);
gnutls_transport_set_pull_function(*session, pull_cb);
gnutls_transport_set_pull_timeout_function(*session, pull_timeout_cb);
/* handshake */
gnutls_handshake(*session);
}
int ssl_init(void)
{
if (!gnutls_check_version("3.1.4")) {
logit(LOG_ERR, "%s requires GnuTLS 3.1.4 or later for SSL", ident);
exit(1);
}
/* for backwards compatibility with gnutls < 3.3.0 */
gnutls_global_init();
/* X509 stuff */
gnutls_certificate_allocate_credentials(&xcred);
/* Try to figure out location of trusted CA certs on system */
if (ssl_set_ca_location())
return RC_HTTPS_NO_TRUSTED_CA_STORE;
gnutls_certificate_set_verify_function(xcred, verify_certificate_callback);
return 0;
}
void
network_init ()
{
#ifdef HAVE_GNUTLS
if (!weechat_no_gnutls)
{
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&gnutls_xcred);
network_set_gnutls_ca_file ();
#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a
/* for gnutls >= 2.9.10 */
gnutls_certificate_set_verify_function (gnutls_xcred,
&hook_connect_gnutls_verify_certificates);
#endif
#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00
/* for gnutls >= 2.11.0 */
gnutls_certificate_set_retrieve_function (gnutls_xcred,
&hook_connect_gnutls_set_certificates);
#else
/* for gnutls < 2.11.0 */
gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
&hook_connect_gnutls_set_certificates);
#endif
}
#endif /* HAVE_GNUTLS */
if (!weechat_no_gcrypt)
{
gcry_check_version (GCRYPT_VERSION);
gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
}
network_init_ok = 1;
}
void dtls_client (char address[], int port, char message[])
{
int ret, sd;
gnutls_session_t session;
const char *err;
gnutls_certificate_credentials_t xcred;
// Certs
char *cafile = "./certs/cert.pem";
// Configure credentials and session
gnutls_certificate_allocate_credentials (&xcred);
gnutls_certificate_set_x509_trust_file (xcred, cafile, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
gnutls_init (&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0) Die (err);
/* put the x509 credentials to the current session */
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
// set up connection and properties
sd = udp_connect (address, port);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
gnutls_dtls_set_mtu (session, 1000);
gnutls_handshake_set_timeout (session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
// Start TLS handshake
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
// end of handshake
int j = 5; // send j messages
do
{
// Send and receive message
gnutls_record_send (session, message, strlen(message));
ret = gnutls_record_recv (session, message, MAX_MESSAGE_SIZE);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: %s\n", ret, message);
j--;
}
while(j>0);
/* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
* connections because the peer's closure message might
* be lost */
gnutls_bye (session, GNUTLS_SHUT_WR);
end:
udp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
return 0;
}
int main (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, _verify_certificate_callback);
/* If client holds a certificate it can be set using the following:
*/
gnutls_certificate_set_x509_key_file (xcred,
"cacert.pem", "cakey.pem",
GNUTLS_X509_FMT_PEM);
/* */
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/*
gnutls_session_set_ptr (session, (void *) "my_host_name");
gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));*/
gnutls_session_set_ptr (session, (void *) "sl13.sl13.org");
gnutls_server_name_set (session, GNUTLS_NAME_DNS, "sl13.sl13.org",
strlen("sl13.sl13.org"));
/* Use default priorities */
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST)
{
fprintf (stderr, "Syntax error at: %s\n", err);
}
exit (1);
}
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
return 0;
}
void doit(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(2);
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server, "NORMAL", NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_certificate_set_verify_function(serverx509cred,
server_callback);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
gnutls_handshake_set_post_client_hello_function(server,
post_client_hello_callback);
gnutls_handshake_set_hook_function(server, GNUTLS_HANDSHAKE_ANY,
GNUTLS_HOOK_POST,
handshake_callback);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
gnutls_certificate_set_verify_function(clientx509cred,
client_callback);
HANDSHAKE(client, server);
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
if (pch_ok == 0)
fail("Post client hello callback wasn't called\n");
if (server_ok == 0)
fail("Server certificate verify callback wasn't called\n");
if (client_ok == 0)
fail("Client certificate verify callback wasn't called\n");
}
PresentationServer::PresentationServer(const std::string & conferenceUrl,
const std::string & managerHost, unsigned short managerPort,
int screenWidth, int screenHeight,
const std::string & caCertificate,
const std::string & managerPath, const std::string & managerParam) :
_server(0), _fps(5) {
if (caCertificate.empty()) {
throw std::invalid_argument("no CA Certificate provided!");
}
//Erstmal d�rfte jetzt die Authorisierung und die Anfrage an den Manager geschehen
//Dazu einfach �ber nen Socket ne primitive http anfrage senden und die Antwort auswerten
//Achtung momentan ist BUF_SIZE auch die maximale Nachrichtengr��e die Empfangen werden kann!!
//@TODO Dringend ne bessere HTTP Implementation verwenden oder selber bauen.
const int BUF_SIZE = 2048;
char tmpBuffer[BUF_SIZE];
SOCKET httpSocket = rfbConnectToTcpAddr(const_cast<char*> (managerHost.c_str()), managerPort);
std::string httpResponse;
if (httpSocket == INVALID_SOCKET) {
std::cerr << "Failed to connect to " << managerHost << ":" << managerPort << std::endl;
throw std::runtime_error(STR_ERR_WEBHOST_UNREACHABLE);
return;
}
//HTTPS Verbindung mit GnuTLS und handkodierter HTTP Nachricht :)
gnutls_session_t session = 0;
gnutls_certificate_credentials_t credentials = 0;
gnutls_datum_t data;
int gtlsRet = GNUTLS_E_SUCCESS;
try {
//Zertifikat
if (GNUTLS_E_SUCCESS != (gtlsRet = gnutls_certificate_allocate_credentials(&credentials))) {
std::cerr << "failed to allocate credentials." << std::endl;
throw std::runtime_error("failed to allocate credentials.");
}
data.size = caCertificate.size();
data.data = (unsigned char*) caCertificate.data();
gnutls_certificate_set_x509_trust_mem(credentials, &data, GNUTLS_X509_FMT_PEM);
// Verifizierung des Zertifikats in der übergebenen Callback Funktion, Ausführung erfolgt als Teil des Handshakes
gnutls_certificate_set_verify_function(credentials, [] (gnutls_session_t session) throw () -> int {
std::cout << "verifying certificate...";
//Server Zertifikat prüfen:
unsigned int verify = 0;
if (GNUTLS_E_SUCCESS != gnutls_certificate_verify_peers3(session, (const char*) gnutls_session_get_ptr(session), &verify)) {
std::cerr << "certficate verification failed." << std::endl;
return -1;
}
if (verify != 0) {
gnutls_datum_t pr;
std::cout << "no" << std::endl;
gnutls_certificate_verification_status_print(verify, GNUTLS_CRT_X509, &pr, 0);
std::cerr << pr.data << std::endl;
free(pr.data);
return -2;
}
std::cout << "yes" << std::endl;
return 0;
});
//Session
if (GNUTLS_E_SUCCESS != (gtlsRet = gnutls_init(&session, GNUTLS_CLIENT))) {
std::cerr << "failed to init session." << std::endl;
throw std::runtime_error("failed to init session.");
}
gnutls_server_name_set(session, GNUTLS_NAME_DNS, managerHost.data(), managerHost.length());
gnutls_session_set_ptr(session, (void*) managerHost.c_str());
if (GNUTLS_E_SUCCESS != (gtlsRet = gnutls_priority_set_direct(session, CIPHERSUITE_PRIORITIES, 0))) {
std::cerr << "failed to set priority." << std::endl;
throw std::runtime_error("failed to set priority.");
}
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, credentials);
gnutls_transport_set_int(session, httpSocket);
gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
if (GNUTLS_E_SUCCESS != ((gtlsRet = gnutls_handshake(session)))) {
std::cerr << "handshake failed." << std::endl;
throw std::runtime_error("handshake failed.");
}
//Ciphersuite
std::cout << "ciphersuite: " << gnutls_cipher_suite_get_name(gnutls_kx_get(session), gnutls_cipher_get(session), gnutls_mac_get(session)) << std::endl;
//Prepare HTTP Request
std::string httpRequest;
std::string httpRequestBody = managerParam + "=" + urlencode(conferenceUrl) + "&version=" + std::to_string(TOOL_VERSION);
httpRequest += "POST ";
httpRequest += managerPath;
httpRequest += " HTTP/1.1\r\n";
httpRequest += "Host: ";
httpRequest += managerHost + "\r\n";
httpRequest += "Content-Type: application/x-www-form-urlencoded\r\n"; //< Beachte der Webserver kann auf der Zielroute momentan auch nichts anderes
httpRequest += "Connection: close\r\n";
sprintf(tmpBuffer, "%d", httpRequestBody.length());
httpRequest += "Content-Length: " + std::string(tmpBuffer) + "\r\n";
httpRequest += "\r\n";
httpRequest += httpRequestBody;
std::cout << "SEND >>" << std::endl << httpRequest << std::endl << "<<" << std::endl;
gnutls_record_send(session, httpRequest.data(), httpRequest.length());
std::cout << "WAITING TO RECEIVE.." << std::endl;
//Alles lesen und hoffen dass sich der Webserver dran h�lt und die Verbindung schlie�t
//wenn er fertig mit Senden ist
int c = 0, r = 0;
do {
r = gnutls_record_recv(session, tmpBuffer + c, BUF_SIZE - c);
if (r > 0) c += r;
} while (r > 0 && c < BUF_SIZE);
if (c > 1024 || c <= 0) {
std::cout << "received " << c << " bytes" << std::endl;
std::cout << std::string(tmpBuffer, c) << std::endl;
std::cerr << "Couldn't receive answer." << std::endl;
throw std::runtime_error(STR_ERR_WRONG_ANSWER);
}
httpResponse = std::string(tmpBuffer, c);
//Und fertig Verbindung beenden
gnutls_bye(session, GNUTLS_SHUT_RDWR);
gnutls_deinit(session);
gnutls_certificate_free_credentials(credentials);
closesocket(httpSocket);
} catch (...) {
//Irgendein Fehler trat auf, dann schließen.
std::cerr << gtlsRet << ' ' << gnutls_error_is_fatal(gtlsRet) << std::endl;
std::cerr << gnutls_strerror(gtlsRet) << std::endl;
std::cerr << gnutls_alert_get_name(gnutls_alert_get(session)) << std::endl;
if (session) gnutls_deinit(session);
if (credentials) gnutls_certificate_free_credentials(credentials);
closesocket(httpSocket);
throw std::runtime_error(STR_ERR_TLS_FAILED); //weiterschmeißen
}
std::cout << "RECV >>" << std::endl << httpResponse << std::endl << "<<" << std::endl;
/**
Antwort sollte jetzt der typische HTTP Antwortquark sein und als Inhalt
sollte ein Text der folgenden Form sein:
PresentationServerUseHost: <host>\n
PresentationServerUsePort: <port>\n
*/
unsigned short port;
std::string host;
int lifetime;
try {
_messageBox = utf8_to_ucs2(getParameter(httpResponse, "MessageBox", ""));
port = atoi(getParameter(httpResponse, "PresentationServerUsePort").c_str());
host = getParameter(httpResponse, "PresentationServerUseHost");
_demo = atoi(getParameter(httpResponse, "Demo", "0").c_str()) ? true : false;
lifetime = atoi(getParameter(httpResponse, "RuntimeSec", "0").c_str());
_serverPassword = getParameter(httpResponse, "PresentationServerPassword");
} catch (std::runtime_error e) {
if (!_messageBox.empty())
throw runtime_error_with_extra_msg(_messageBox, getParameter(httpResponse, "Message"));
throw std::runtime_error(getParameter(httpResponse, "Message"));
}
//Wenn die erfolgreich war dann den Server erstellen, Gr��e = Desktopgr��e
_initRfbServer(screenWidth, screenHeight, _serverPassword, managerHost, caCertificate, host, port);
if (lifetime > 0) {
_timeOfDeath = std::chrono::system_clock::now() + std::chrono::seconds(lifetime);
_useTimeOfDeath = true;
} else {
_useTimeOfDeath = false;
}
}
rfbNewClientAction upgradeNewClientToTls (_rfbClientRec* cl) {
//Eine SSL Session beginnen
gnutls_session_t session = 0;
gnutls_certificate_credentials_t credentials = 0;
gnutls_datum_t data;
int gtlsRet = GNUTLS_E_SUCCESS;
std::cout<<"New Client Connection, upgrade protocol to Tls"<<std::endl;
try {
//Zertifikat
if (GNUTLS_E_SUCCESS != (gtlsRet = gnutls_certificate_allocate_credentials(&credentials))) {
std::cerr << "failed to allocate credentials." << std::endl;
throw std::runtime_error("failed to allocate credentials.");
}
data.size = g_caCertificate.size();
data.data = (unsigned char*) g_caCertificate.data();
gnutls_certificate_set_x509_trust_mem(credentials, &data, GNUTLS_X509_FMT_PEM);
// Verifizierung des Zertifikats in der übergebenen Callback Funktion, Ausführung erfolgt als Teil des Handshakes
gnutls_certificate_set_verify_function(credentials, [] (gnutls_session_t session) throw () -> int {
std::cout << "verifying certificate...";
//Server Zertifikat prüfen:
unsigned int verify = 0;
if (GNUTLS_E_SUCCESS != gnutls_certificate_verify_peers3(session, (const char*) gnutls_session_get_ptr(session), &verify)) {
std::cerr << "certficate verification failed." << std::endl;
return -1;
}
if (verify != 0) {
gnutls_datum_t pr;
std::cout << "no" << std::endl;
gnutls_certificate_verification_status_print(verify, GNUTLS_CRT_X509, &pr, 0);
std::cerr << pr.data << std::endl;
free(pr.data);
return -2;
}
std::cout << "yes" << std::endl;
return 0;
});
//Session
if (GNUTLS_E_SUCCESS != (gtlsRet = gnutls_init(&session, GNUTLS_CLIENT))) {
std::cerr << "failed to init session." << std::endl;
throw std::runtime_error("failed to init session.");
}
gnutls_server_name_set(session, GNUTLS_NAME_DNS, g_peerHostName.data(), g_peerHostName.length());
gnutls_session_set_ptr(session, (void*) g_peerHostName.c_str());
if (GNUTLS_E_SUCCESS != (gtlsRet = gnutls_priority_set_direct(session, CIPHERSUITE_PRIORITIES, 0))) {
std::cerr << "failed to set priority." << std::endl;
throw std::runtime_error("failed to set priority.");
}
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, credentials);
gnutls_transport_set_int(session, cl->sock);
gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
if (GNUTLS_E_SUCCESS != ((gtlsRet = gnutls_handshake(session)))) {
std::cerr << "handshake failed." << std::endl;
throw std::runtime_error("handshake failed.");
}
//Ciphersuite
std::cout << "ciphersuite: " << gnutls_cipher_suite_get_name(gnutls_kx_get(session), gnutls_cipher_get(session), gnutls_mac_get(session)) << std::endl;
//Send password, which was received in answer of webserver
if ((gtlsRet = gnutls_record_send(session, (void*)g_serverPassword.data(), g_serverPassword.size())) <= 0) {
std::cerr << "Sending Password failed." << std::endl;
throw std::runtime_error("Sending Password failed.");
}
rfbssl_ctx* ctx = (rfbssl_ctx*) malloc(sizeof(struct rfbssl_ctx));
ctx->peeklen = 0;
ctx->peekstart = 0;
ctx->session = session;
ctx->x509_cred = credentials;
ctx->dh_params = 0;
cl->sslctx = (rfbSslCtx*)ctx;
} catch (...) {
//Irgendein Fehler trat auf, dann schließen.
std::cerr << gtlsRet << ' ' << gnutls_error_is_fatal(gtlsRet) << std::endl;
std::cerr << gnutls_strerror(gtlsRet) << std::endl;
std::cerr << gnutls_alert_get_name(gnutls_alert_get(session)) << std::endl;
if (session) gnutls_deinit(session);
if (credentials) gnutls_certificate_free_credentials(credentials);
return RFB_CLIENT_REFUSE;
}
return RFB_CLIENT_ACCEPT;
}
static void SetupNewSession(int index, NetworkAddress * networkAddress, bool client)
{
DTLS_Session * session = &sessions[index];
session->NetworkAddress = networkAddress;
unsigned int flags;
#if GNUTLS_VERSION_MAJOR >= 3
if (client)
flags = GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK;
else
flags = GNUTLS_SERVER | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK;
#else
if (client)
flags = GNUTLS_CLIENT;
else
flags = GNUTLS_SERVER;
#endif
if (gnutls_init(&session->Session, flags) == GNUTLS_E_SUCCESS)
{
gnutls_transport_set_pull_function(session->Session, DecryptCallBack);
gnutls_transport_set_push_function(session->Session, SSLSendCallBack);
#if GNUTLS_VERSION_MAJOR >= 3
gnutls_transport_set_pull_timeout_function(session->Session, ReceiveTimeout);
#endif
gnutls_transport_set_ptr(session->Session, session);
if (certificate || !pskIdentity)
{
if (_CertCredentials)
{
gnutls_credentials_set(session->Session, GNUTLS_CRD_CERTIFICATE, _CertCredentials);
}
else if (gnutls_certificate_allocate_credentials(&_CertCredentials) == GNUTLS_E_SUCCESS)
{
if (certificate)
{
gnutls_datum_t certificateData;
certificateData.data = certificate;
certificateData.size = certificateLength;
int format = GNUTLS_X509_FMT_PEM;
if (certificateFormat == AwaCertificateFormat_ASN1)
format = GNUTLS_X509_FMT_DER;
// if (client)
// gnutls_certificate_set_x509_trust_mem(session->Credentials, &certificateData, format);
// else
gnutls_certificate_set_x509_key_mem(_CertCredentials, &certificateData, &certificateData, format);
}
#if GNUTLS_VERSION_MAJOR >= 3
gnutls_certificate_set_verify_function(_CertCredentials, CertificateVerify);
//gnutls_certificate_set_retrieve_function(xcred, cert_callback);
//gnutls_session_set_verify_cert(session->Session, NULL, GNUTLS_VERIFY_DISABLE_CA_SIGN);
#else
gnutls_certificate_set_verify_flags(_CertCredentials, GNUTLS_VERIFY_DISABLE_CA_SIGN);
#endif
gnutls_credentials_set(session->Session, GNUTLS_CRD_CERTIFICATE, _CertCredentials);
}
}
else if (pskIdentity)
{
if (client)
{
gnutls_psk_client_credentials_t credentials;
if (gnutls_psk_allocate_client_credentials(&credentials) == GNUTLS_E_SUCCESS)
{
if (gnutls_psk_set_client_credentials(credentials, pskIdentity, &pskKey, GNUTLS_PSK_KEY_RAW) == GNUTLS_E_SUCCESS)
{
gnutls_credentials_set(session->Session, GNUTLS_CRD_PSK, credentials);
session->Credentials = credentials;
session->CredentialType = CredentialType_ClientPSK;
}
else
{
gnutls_psk_set_client_credentials_function(credentials, PSKClientCallBack);
session->Credentials = credentials;
session->CredentialType = CredentialType_ClientPSK;
}
}
}
else
{
gnutls_psk_server_credentials_t credentials;
if (gnutls_psk_allocate_server_credentials(&credentials) == GNUTLS_E_SUCCESS)
{
gnutls_psk_set_server_credentials_function(credentials, PSKCallBack);
gnutls_credentials_set(session->Session, GNUTLS_CRD_PSK, credentials);
session->Credentials = credentials;
session->CredentialType = CredentialType_ServerPSK;
}
}
}
gnutls_priority_set(session->Session, _PriorityCache);
if (!client)
{
gnutls_certificate_server_set_request(session->Session, GNUTLS_CERT_REQUEST); // GNUTLS_CERT_IGNORE Don't require Client Cert
}
#if GNUTLS_VERSION_MAJOR >= 3
gnutls_handshake_set_timeout(session->Session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
#endif
}
}
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_certificate_credentials_t xcred;
if (gnutls_check_version("3.1.4") == NULL) {
fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
exit(1);
}
/* for backwards compatibility with gnutls < 3.3.0 */
gnutls_global_init();
/* X509 stuff */
gnutls_certificate_allocate_credentials(&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function(xcred,
_verify_certificate_callback);
/* If client holds a certificate it can be set using the following:
*
gnutls_certificate_set_x509_key_file (xcred,
"cert.pem", "key.pem",
GNUTLS_X509_FMT_PEM);
*/
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_session_set_ptr(session, (void *) "my_host_name");
gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));
/* use default priorities */
gnutls_set_default_priority(session);
#if 0
/* if more fine-graned control is required */
ret = gnutls_priority_set_direct(session,
"NORMAL", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
}
exit(1);
}
#endif
/* put the x509 credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect();
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(session);
printf("- Session info: %s\n", desc);
gnutls_free(desc);
}
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
tcp_close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
return 0;
}
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_certificate_credentials_t xcred;
if (gnutls_check_version("3.1.4") == NULL) {
fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
exit(1);
}
/* for backwards compatibility with gnutls < 3.3.0 */
gnutls_global_init();
/* X509 stuff */
gnutls_certificate_allocate_credentials(&xcred);
/* sets the trusted cas file */
gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function(xcred,
verify_certificate_callback);
/* Initialize TLS session */
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
/* Use default priorities */
ret = gnutls_priority_set_direct(session,
"NORMAL", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
}
exit(1);
}
/* put the x509 credentials to the current session */
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));
/* connect to the peer */
sd = udp_connect();
gnutls_transport_set_int(session, sd);
/* set the connection MTU */
gnutls_dtls_set_mtu(session, 1000);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake */
do {
ret = gnutls_handshake(session);
}
while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
/* Note that DTLS may also receive GNUTLS_E_LARGE_PACKET */
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(session);
printf("- Session info: %s\n", desc);
gnutls_free(desc);
}
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
/* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
* connections because the peer's closure message might
* be lost */
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
udp_close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
return 0;
}
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
const struct tls_connection_params *params)
{
int ret;
if (conn == NULL || params == NULL)
return -1;
if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
wpa_printf(MSG_INFO,
"GnuTLS: tls_ext_cert_check=1 not supported");
return -1;
}
if (params->subject_match) {
wpa_printf(MSG_INFO, "GnuTLS: subject_match not supported");
return -1;
}
if (params->altsubject_match) {
wpa_printf(MSG_INFO, "GnuTLS: altsubject_match not supported");
return -1;
}
os_free(conn->suffix_match);
conn->suffix_match = NULL;
if (params->suffix_match) {
conn->suffix_match = os_strdup(params->suffix_match);
if (conn->suffix_match == NULL)
return -1;
}
#if GNUTLS_VERSION_NUMBER >= 0x030300
os_free(conn->domain_match);
conn->domain_match = NULL;
if (params->domain_match) {
conn->domain_match = os_strdup(params->domain_match);
if (conn->domain_match == NULL)
return -1;
}
#else /* < 3.3.0 */
if (params->domain_match) {
wpa_printf(MSG_INFO, "GnuTLS: domain_match not supported");
return -1;
}
#endif /* >= 3.3.0 */
conn->flags = params->flags;
if (params->openssl_ciphers) {
wpa_printf(MSG_INFO, "GnuTLS: openssl_ciphers not supported");
return -1;
}
/* TODO: gnutls_certificate_set_verify_flags(xcred, flags);
* to force peer validation(?) */
if (params->ca_cert) {
wpa_printf(MSG_DEBUG, "GnuTLS: Try to parse %s in DER format",
params->ca_cert);
ret = gnutls_certificate_set_x509_trust_file(
conn->xcred, params->ca_cert, GNUTLS_X509_FMT_DER);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"GnuTLS: Failed to read CA cert '%s' in DER format (%s) - try in PEM format",
params->ca_cert,
gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_trust_file(
conn->xcred, params->ca_cert,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"Failed to read CA cert '%s' in PEM format: %s",
params->ca_cert,
gnutls_strerror(ret));
return -1;
}
}
} else if (params->ca_cert_blob) {
gnutls_datum_t ca;
ca.data = (unsigned char *) params->ca_cert_blob;
ca.size = params->ca_cert_blob_len;
ret = gnutls_certificate_set_x509_trust_mem(
conn->xcred, &ca, GNUTLS_X509_FMT_DER);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"Failed to parse CA cert in DER format: %s",
gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_trust_mem(
conn->xcred, &ca, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
wpa_printf(MSG_DEBUG,
"Failed to parse CA cert in PEM format: %s",
gnutls_strerror(ret));
return -1;
}
}
} else if (params->ca_path) {
wpa_printf(MSG_INFO, "GnuTLS: ca_path not supported");
return -1;
}
conn->disable_time_checks = 0;
if (params->ca_cert || params->ca_cert_blob) {
conn->verify_peer = 1;
gnutls_certificate_set_verify_function(
conn->xcred, tls_connection_verify_peer);
if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
gnutls_certificate_set_verify_flags(
conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
}
if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
conn->disable_time_checks = 1;
gnutls_certificate_set_verify_flags(
conn->xcred,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
}
}
if (params->client_cert && params->private_key) {
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_file2(
conn->xcred, params->client_cert, params->private_key,
GNUTLS_X509_FMT_DER, params->private_key_passwd, 0);
#else
/* private_key_passwd not (easily) supported here */
ret = gnutls_certificate_set_x509_key_file(
conn->xcred, params->client_cert, params->private_key,
GNUTLS_X509_FMT_DER);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
"in DER format: %s", gnutls_strerror(ret));
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_file2(
conn->xcred, params->client_cert,
params->private_key, GNUTLS_X509_FMT_PEM,
params->private_key_passwd, 0);
#else
ret = gnutls_certificate_set_x509_key_file(
conn->xcred, params->client_cert,
params->private_key, GNUTLS_X509_FMT_PEM);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client "
"cert/key in PEM format: %s",
gnutls_strerror(ret));
return ret;
}
}
} else if (params->private_key) {
int pkcs12_ok = 0;
#ifdef PKCS12_FUNCS
/* Try to load in PKCS#12 format */
ret = gnutls_certificate_set_x509_simple_pkcs12_file(
conn->xcred, params->private_key, GNUTLS_X509_FMT_DER,
params->private_key_passwd);
if (ret != 0) {
wpa_printf(MSG_DEBUG, "Failed to load private_key in "
"PKCS#12 format: %s", gnutls_strerror(ret));
return -1;
} else
pkcs12_ok = 1;
#endif /* PKCS12_FUNCS */
if (!pkcs12_ok) {
wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not "
"included");
return -1;
}
} else if (params->client_cert_blob && params->private_key_blob) {
gnutls_datum_t cert, key;
cert.data = (unsigned char *) params->client_cert_blob;
cert.size = params->client_cert_blob_len;
key.data = (unsigned char *) params->private_key_blob;
key.size = params->private_key_blob_len;
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_mem2(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER,
params->private_key_passwd, 0);
#else
/* private_key_passwd not (easily) supported here */
ret = gnutls_certificate_set_x509_key_mem(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
"in DER format: %s", gnutls_strerror(ret));
#if GNUTLS_VERSION_NUMBER >= 0x03010b
ret = gnutls_certificate_set_x509_key_mem2(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM,
params->private_key_passwd, 0);
#else
/* private_key_passwd not (easily) supported here */
ret = gnutls_certificate_set_x509_key_mem(
conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM);
#endif
if (ret < 0) {
wpa_printf(MSG_DEBUG, "Failed to read client "
"cert/key in PEM format: %s",
gnutls_strerror(ret));
return ret;
}
}
} else if (params->private_key_blob) {
#ifdef PKCS12_FUNCS
gnutls_datum_t key;
key.data = (unsigned char *) params->private_key_blob;
key.size = params->private_key_blob_len;
/* Try to load in PKCS#12 format */
ret = gnutls_certificate_set_x509_simple_pkcs12_mem(
conn->xcred, &key, GNUTLS_X509_FMT_DER,
params->private_key_passwd);
if (ret != 0) {
wpa_printf(MSG_DEBUG, "Failed to load private_key in "
"PKCS#12 format: %s", gnutls_strerror(ret));
return -1;
}
#else /* PKCS12_FUNCS */
wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not included");
return -1;
#endif /* PKCS12_FUNCS */
}
#if GNUTLS_VERSION_NUMBER >= 0x030103
if (params->flags & (TLS_CONN_REQUEST_OCSP | TLS_CONN_REQUIRE_OCSP)) {
ret = gnutls_ocsp_status_request_enable_client(conn->session,
NULL, 0, NULL);
if (ret != GNUTLS_E_SUCCESS) {
wpa_printf(MSG_INFO,
"GnuTLS: Failed to enable OCSP client");
return -1;
}
}
#else /* 3.1.3 */
if (params->flags & TLS_CONN_REQUIRE_OCSP) {
wpa_printf(MSG_INFO,
"GnuTLS: OCSP not supported by this version of GnuTLS");
return -1;
}
#endif /* 3.1.3 */
conn->params_set = 1;
ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,
conn->xcred);
if (ret < 0) {
wpa_printf(MSG_INFO, "Failed to configure credentials: %s",
gnutls_strerror(ret));
}
return ret;
}
/* initializes a gnutls_session_t with some defaults.
*/
static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
int ret;
gnutls_session_t session;
if (priorities == NULL)
priorities = "NORMAL";
if (udp)
{
gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);
if (mtu)
gnutls_dtls_set_mtu(session, mtu);
}
else
gnutls_init (&session, GNUTLS_CLIENT);
if ((ret = gnutls_priority_set_direct (session, priorities, &err)) < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: %s\n", err);
else
fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
exit (1);
}
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
if (!isdigit(hostname[0]) && strchr(hostname, ':') == 0)
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
}
gnutls_dh_set_prime_bits (session, 512);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
if (psk_cred)
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_set_retrieve_function2 (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
gnutls_certificate_set_verify_flags (xcred, 0);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
if (fingerprint != 0)
gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
#endif
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
#ifdef ENABLE_SESSION_TICKET
if (disable_extensions == 0 && !HAVE_OPT(NOTICKET)t)
gnutls_session_ticket_enable_client (session);
#endif
return session;
}
/* initializes a gnutls_session_t with some defaults.
*/
static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
gnutls_session_t session;
gnutls_init (&session, GNUTLS_CLIENT);
if (gnutls_priority_set_direct (session, info.priorities, &err) < 0)
{
fprintf (stderr, "Syntax error at: %s\n", err);
exit (1);
}
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
gnutls_handshake_set_private_extensions (session, 1);
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
if (cert_type_priority[0])
gnutls_certificate_type_set_priority (session, cert_type_priority);
}
if (cipher_priority[0])
gnutls_cipher_set_priority (session, cipher_priority);
if (comp_priority[0])
gnutls_compression_set_priority (session, comp_priority);
if (kx_priority[0])
gnutls_kx_set_priority (session, kx_priority);
if (protocol_priority[0])
gnutls_protocol_set_priority (session, protocol_priority);
if (mac_priority[0])
gnutls_mac_set_priority (session, mac_priority);
gnutls_dh_set_prime_bits (session, 512);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
if (psk_cred)
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
gnutls_certificate_set_verify_flags (xcred, 0);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
if (fingerprint != 0)
gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
#endif
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
#ifdef ENABLE_OPRFI
if (info.opaque_prf_input)
gnutls_oprfi_enable_client (session, strlen (info.opaque_prf_input),
info.opaque_prf_input);
#endif
#ifdef ENABLE_SESSION_TICKET
if (!info.noticket)
gnutls_session_ticket_enable_client (session);
#endif
return session;
}
int
main (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file */
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
/* Initialize TLS session */
gnutls_init (&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
/* Use default priorities */
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST)
{
fprintf (stderr, "Syntax error at: %s\n", err);
}
exit (1);
}
/* put the x509 credentials to the current session */
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer */
sd = udp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* set the connection MTU */
gnutls_dtls_set_mtu (session, 1000);
/* Perform the TLS handshake */
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
/* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
* connections because the peer's closure message might
* be lost */
gnutls_bye (session, GNUTLS_SHUT_WR);
end:
udp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
return 0;
}
extern int xlibgnutls_dtls_handshake(gnutls_session_t *session, int udp_sd, unsigned verbose_level) {
const char *CAFILE = "ca-cert.pem"; // TODO: use anoncred
int ret;
const char *err;
if (gnutls_check_version("3.1.4") == NULL) {
print_error("GnuTLS 3.1.4 or later is required");
return -1;
}
/* for backwards compatibility with gnutls < 3.3.0 */
gnutls_global_init();
if (verbose_level >= VERBOSE_LEVEL_GNUTLS) {
gnutls_global_set_log_level(9999);
gnutls_global_set_log_function(gnutls_log);
}
/* X509 stuff */
gnutls_certificate_allocate_credentials(&xcred);
/* sets the trusted cas file */
gnutls_certificate_set_x509_trust_file(xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function(xcred, verify_certificate_callback);
/* Initialize TLS session */
gnutls_init(session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
/* put the x509 credentials to the current session */
gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_server_name_set(*session, GNUTLS_NAME_DNS, "my_host_name", strlen("my_host_name"));
if (verbose_level >= VERBOSE_LEVEL_PACKETS) {
gnutls_transport_set_push_function(*session, gnutls_push_func_custom);
//gnutls_transport_set_pull_function(*session, gnutls_pull_func_custom);
//gnutls_transport_set_pull_timeout_function(*session, gnutls_pull_timeout_func_custom);
}
gnutls_dtls_set_mtu(*session, 1 << 14);
gnutls_set_default_priority(*session);
/* if more fine-graned control is required */
ret = gnutls_priority_set_direct(*session, "NORMAL", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST)
print_error("syntax error at: %d", err);
goto end;
}
gnutls_transport_set_int(*session, udp_sd);
gnutls_handshake_set_timeout(*session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
if (verbose_level >= VERBOSE_LEVEL_CLIENT)
print_info("handshake started");
do {
ret = gnutls_handshake(*session);
}
while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
/* Note that DTLS may also receive GNUTLS_E_LARGE_PACKET */
if (verbose_level >= VERBOSE_LEVEL_CLIENT)
print_info("handshake finished");
if (ret < 0) {
print_error("handshake failed with return code %d", ret);
gnutls_perror(ret);
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(*session);
if (verbose_level >= VERBOSE_LEVEL_CLIENT)
print_info("session info: %s", desc);
gnutls_free(desc);
}
ret = 0;
end:
return ret;
}
TDSRET
tds_ssl_init(TDSSOCKET *tds)
{
gnutls_session_t session;
gnutls_certificate_credentials_t xcred;
int ret;
const char *tls_msg;
xcred = NULL;
session = NULL;
tls_msg = "initializing tls";
if (!tls_initialized) {
ret = 0;
tds_mutex_lock(&tls_mutex);
if (!tls_initialized) {
tds_gcry_init();
ret = gnutls_global_init();
if (ret == 0)
tls_initialized = 1;
}
tds_mutex_unlock(&tls_mutex);
if (ret != 0)
goto cleanup;
}
if (tds_write_dump && tls_initialized < 2) {
gnutls_global_set_log_level(11);
gnutls_global_set_log_function(tds_tls_log);
tls_initialized = 2;
}
tls_msg = "allocating credentials";
ret = gnutls_certificate_allocate_credentials(&xcred);
if (ret != 0)
goto cleanup;
if (!tds_dstr_isempty(&tds->login->cafile)) {
tls_msg = "loading CA file";
if (strcasecmp(tds_dstr_cstr(&tds->login->cafile), "system") == 0)
ret = gnutls_certificate_set_x509_system_trust(xcred);
else
ret = gnutls_certificate_set_x509_trust_file(xcred, tds_dstr_cstr(&tds->login->cafile), GNUTLS_X509_FMT_PEM);
if (ret <= 0)
goto cleanup;
if (!tds_dstr_isempty(&tds->login->crlfile)) {
tls_msg = "loading CRL file";
ret = gnutls_certificate_set_x509_crl_file(xcred, tds_dstr_cstr(&tds->login->crlfile), GNUTLS_X509_FMT_PEM);
if (ret <= 0)
goto cleanup;
}
#ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
gnutls_certificate_set_verify_function(xcred, tds_verify_certificate);
#endif
}
/* Initialize TLS session */
tls_msg = "initializing session";
ret = gnutls_init(&session, GNUTLS_CLIENT);
if (ret != 0)
goto cleanup;
gnutls_transport_set_ptr(session, tds);
gnutls_transport_set_pull_function(session, tds_pull_func_login);
gnutls_transport_set_push_function(session, tds_push_func_login);
/* NOTE: there functions return int however they cannot fail */
/* use default priorities... */
gnutls_set_default_priority(session);
/* ... but overwrite some */
ret = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
if (ret != 0)
goto cleanup;
/* mssql does not like padding too much */
#ifdef HAVE_GNUTLS_RECORD_DISABLE_PADDING
gnutls_record_disable_padding(session);
#endif
/* put the anonymous credentials to the current session */
tls_msg = "setting credential";
ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
if (ret != 0)
goto cleanup;
/* Perform the TLS handshake */
tls_msg = "handshake";
ret = gnutls_handshake (session);
if (ret != 0)
goto cleanup;
#ifndef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
ret = tds_verify_certificate(session);
if (ret != 0)
goto cleanup;
#endif
tdsdump_log(TDS_DBG_INFO1, "handshake succeeded!!\n");
gnutls_transport_set_ptr(session, tds->conn);
gnutls_transport_set_pull_function(session, tds_pull_func);
gnutls_transport_set_push_function(session, tds_push_func);
tds->conn->tls_session = session;
tds->conn->tls_credentials = xcred;
return TDS_SUCCESS;
cleanup:
if (session)
gnutls_deinit(session);
if (xcred)
gnutls_certificate_free_credentials(xcred);
tdsdump_log(TDS_DBG_ERROR, "%s failed: %s\n", tls_msg, gnutls_strerror (ret));
return TDS_FAIL;
}
int main (int argc, char **argv)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[1024];
const char *err;
char *host = argv[1];
int port = atoi(argv[2]);
char *cafile = argv[3];
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file (xcred, cafile, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function (xcred, _verify_certificate_callback);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
gnutls_session_set_ptr (session, (void *) "my_host_name");
gnutls_server_name_set (session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));
/* Use default priorities */
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST)
{
fprintf (stderr, "Syntax error at: %s\n", err);
}
exit (1);
}
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect (host, port);
gnutls_transport_set_int (session, sd);
gnutls_handshake_set_timeout (session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake
*/
/* Perform the TLS handshake
*/
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
if (ret != GNUTLS_E_CERTIFICATE_ERROR)
exit(1);
}
gnutls_record_send (session, "", strlen (""));
ret = gnutls_record_recv (session, buffer, sizeof(buffer));
gnutls_bye (session, GNUTLS_SHUT_RDWR);
printf("%d\n", verification_result);
end:
close(sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
return 0;
}
struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
{
const char *errpos;
int rc;
gnutls_datum_t key;
int bits;
struct dtls_gnutls_data *d = malloc(sizeof(struct dtls_gnutls_data));
if (!d)
return 0;
gnutls_global_set_log_level(10);
gnutls_global_set_log_function(dtls_log_cb);
rc = gnutls_init(&d->session, config);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't init session: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
gnutls_certificate_allocate_credentials(&d->x509_cred);
/* Set credentials */
if (conn->dtls_cert_file && conn->dtls_key_file){
rc = gnutls_certificate_set_x509_key_file(d->x509_cred, conn->dtls_cert_file,
conn->dtls_key_file, GNUTLS_X509_FMT_PEM);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't set cert/key: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
}
/*
#if GNUTLS_VERSION_NUMBER >= 0x030100
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_INSECURE);
#else
*/ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
/*#endif*/
/* Set ciphers */
/*
rc = gnutls_priority_init(&d->priority_cache, conn->dtls_cipher, &errpos);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher,
errpos, gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
rc = gnutls_priority_set(d->session, d->priority_cache);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't set priority: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
*/
rc = gnutls_priority_set_direct(d->session,conn->dtls_cipher,&errpos);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't init ciphers '%s' at '%s' : %s", conn->dtls_cipher,
errpos, gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS - Can't set x.509 credentials: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
gnutls_certificate_set_verify_function(d->x509_cred,verify_cert);
gnutls_session_set_ptr(d->session, conn);
gnutls_transport_set_ptr(d->session, conn);
gnutls_transport_set_pull_function(d->session, dtls_gnutls_bio_read);
gnutls_transport_set_push_function(d->session, dtls_gnutls_bio_write);
gnutls_transport_set_pull_timeout_function(d->session, dtls_gnutls_bio_wait);
#if GNUTLS_VERSION_NUMBER >= 0x030100
gnutls_handshake_set_timeout(d->session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
gnutls_dtls_set_data_mtu(d->session, conn->dtls_mtu);
#endif
gnutls_dtls_set_mtu(d->session, conn->dtls_mtu);
return d;
}
/* initializes a gnutls_session_t with some defaults.
*/
static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
int ret;
gnutls_session_t session;
if (priorities == NULL)
priorities = "NORMAL";
if (udp)
{
gnutls_init (&session, GNUTLS_DATAGRAM|init_flags);
if (mtu)
gnutls_dtls_set_mtu(session, mtu);
}
else
gnutls_init (&session, init_flags);
if ((ret = gnutls_priority_set_direct (session, priorities, &err)) < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: %s\n", err);
else
fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
exit (1);
}
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
if (!isdigit(hostname[0]) && strchr(hostname, ':') == 0)
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
}
if (HAVE_OPT(DH_BITS))
gnutls_dh_set_prime_bits( session, OPT_VALUE_DH_BITS);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
if (psk_cred)
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_set_retrieve_function2 (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
if (fingerprint != 0)
gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
#endif
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
if (HAVE_OPT(HEARTBEAT))
gnutls_heartbeat_enable (session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
#ifdef ENABLE_DTLS_SRTP
if (HAVE_OPT(SRTP_PROFILES))
{
ret = gnutls_srtp_set_profile_direct (session, OPT_ARG(SRTP_PROFILES), &err);
if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: %s\n", err);
else
fprintf(stderr, "Error in profiles: %s\n", gnutls_strerror(ret));
exit (1);
}
#endif
return session;
}
