static mod_context *mod_gnutls_context_new(liServer *srv) { mod_context *ctx = g_slice_new0(mod_context); int r; if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&ctx->server_cert))) { ERROR(srv, "gnutls_certificate_allocate_credentials failed(%s): %s", gnutls_strerror_name(r), gnutls_strerror(r)); goto error0; } if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority, "NORMAL", NULL))) { ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s", gnutls_strerror_name(r), gnutls_strerror(r)); goto error1; } if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL))) { int r1; if (GNUTLS_E_SUCCESS > (r1 = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL", NULL))) { ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s", gnutls_strerror_name(r1), gnutls_strerror(r1)); goto error2; } else { ERROR(srv, "gnutls_priority_init('NORMAL:-CIPHER-ALL:+ARCFOUR-128') failed(%s): %s. Using 'NORMAL' instead (BEAST mitigation not available)", gnutls_strerror_name(r), gnutls_strerror(r)); } } #ifdef HAVE_SESSION_TICKET if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_key_generate(&ctx->ticket_key))) { ERROR(srv, "gnutls_session_ticket_key_generate failed(%s): %s", gnutls_strerror_name(r), gnutls_strerror(r)); goto error3; } #endif ctx->srv = srv; ctx->ocsp = li_gnutls_ocsp_new(); ctx->refcount = 1; ctx->protect_against_beast = 1; return ctx; error3: gnutls_priority_deinit(ctx->server_priority_beast); error2: gnutls_priority_deinit(ctx->server_priority); error1: gnutls_certificate_free_credentials(ctx->server_cert); error0: g_slice_free(mod_context, ctx); return NULL; }
SslSocket::~SslSocket() { gnutls_priority_deinit(d->priority_cache); gnutls_deinit(d->session); gnutls_certificate_free_credentials(d->x509cred); delete d; }
static std::string RemoveUnknownTokens(const std::string& prio) { std::string ret; irc::sepstream ss(prio, ':'); for (std::string token; ss.GetToken(token); ) { // Save current position so we can revert later if needed const std::string::size_type prevpos = ret.length(); // Append next token if (!ret.empty()) ret.push_back(':'); ret.append(token); gnutls_priority_t test; if (gnutls_priority_init(&test, ret.c_str(), NULL) < 0) { // The new token broke the priority string, revert to the previously working one ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Priority string token not recognized: \"%s\"", token.c_str()); ret.erase(prevpos); } else { // Worked gnutls_priority_deinit(test); } } return ret; }
void manos_tls_global_end () { gnutls_priority_deinit (priority_cache); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); }
/** * gnutls_priority_set_direct - Sets priorities for the cipher suites supported by gnutls. * @session: is a #gnutls_session_t structure. * @priorities: is a string describing priorities * @err_pos: In case of an error this will have the position in the string the error occured * * Sets the priorities to use on the ciphers, key exchange methods, * macs and compression methods. This function avoids keeping a * priority cache and is used to directly set string priorities to a * TLS session. For documentation check the gnutls_priority_init(). * * On syntax error GNUTLS_E_INVALID_REQUEST is returned and 0 on success. * **/ int gnutls_priority_set_direct (gnutls_session_t session, const char *priorities, const char **err_pos) { gnutls_priority_t prio; int ret; ret = gnutls_priority_init (&prio, priorities, err_pos); if (ret < 0) { gnutls_assert (); return ret; } ret = gnutls_priority_set (session, prio); if (ret < 0) { gnutls_assert (); return ret; } gnutls_priority_deinit (prio); return 0; }
static void tlsg_ctx_free ( tls_ctx *ctx ) { tlsg_ctx *c = (tlsg_ctx *)ctx; int refcount; if ( !c ) return; #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_lock( &c->ref_mutex ); #endif refcount = --c->refcount; #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_unlock( &c->ref_mutex ); #endif if ( refcount ) return; #ifdef HAVE_CIPHERSUITES gnutls_priority_deinit( c->prios ); #else LDAP_FREE( c->kx_list ); #endif gnutls_certificate_free_credentials( c->cred ); ber_memfree ( c ); }
static void try_prio (const char* prio, unsigned expected_cs, unsigned expected_ciphers) { int ret; gnutls_priority_t p; const char* err; const unsigned int * t; unsigned i, si, count = 0; /* this must be called once in the program */ global_init (); ret = gnutls_priority_init(&p, prio, &err); if (ret < 0) { fprintf(stderr, "error: %s: %s\n", gnutls_strerror(ret), err); exit(1); } for (i=0;;i++) { ret = gnutls_priority_get_cipher_suite_index(p, i, &si); if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) continue; else if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; else if (ret == 0) { count++; /* fprintf(stderr, "%s\n", gnutls_cipher_suite_info(si, NULL, NULL, NULL, NULL, NULL)); */ } } ret = gnutls_priority_cipher_list (p, &t); if ((unsigned)ret != expected_ciphers) { #if 0 for (i=0;i<ret;i++) fprintf(stderr, "%s\n", gnutls_cipher_get_name(t[i])); #endif fail("expected %d ciphers, found %d\n", expected_ciphers, ret); exit(1); } gnutls_priority_deinit(p); /* fprintf(stderr, "count: %d\n", count); */ if (debug) success ("finished: %s\n", prio); if (count != expected_cs) { fail("expected %d ciphersuites, found %d\n", expected_cs, count); exit(1); } }
void tls_deinit(void) { if (_tls_init) { gnutls_priority_deinit(_tls_priority_cache); gnutls_global_deinit(); _tls_init = 0; } }
static void mod_gnutls_context_release(mod_context *ctx) { if (!ctx) return; LI_FORCE_ASSERT(g_atomic_int_get(&ctx->refcount) > 0); if (g_atomic_int_dec_and_test(&ctx->refcount)) { gnutls_priority_deinit(ctx->server_priority_beast); gnutls_priority_deinit(ctx->server_priority); gnutls_certificate_free_credentials(ctx->server_cert); #ifdef HAVE_SESSION_TICKET /* wtf. why is there no function in gnutls for this... */ if (NULL != ctx->ticket_key.data) { gnutls_free(ctx->ticket_key.data); ctx->ticket_key.data = NULL; ctx->ticket_key.size = 0; } #endif li_ssl_session_db_free(ctx->session_db); ctx->session_db = NULL; #ifdef USE_SNI if (NULL != ctx->sni_db) { li_fetch_database_release(ctx->sni_db); ctx->sni_db = NULL; } if (NULL != ctx->sni_backend_db) { li_fetch_database_release(ctx->sni_backend_db); ctx->sni_backend_db = NULL; } if (NULL != ctx->sni_fallback_cert) { gnutls_certificate_free_credentials(ctx->sni_fallback_cert); ctx->sni_fallback_cert = NULL; } #endif gnutls_dh_params_deinit(ctx->dh_params); if (NULL != ctx->pin) { g_string_free(ctx->pin, TRUE); ctx->pin = NULL; } li_gnutls_ocsp_free(ctx->ocsp); g_slice_free(mod_context, ctx); } }
/** * @short Frees the user data * @memberof onion_https_t * * @param op */ static void onion_https_free_user_data(onion_listen_point *op){ ONION_DEBUG("Free HTTPS %s:%s", op->hostname, op->port); onion_https *https=(onion_https*)op->user_data; gnutls_certificate_free_credentials (https->x509_cred); gnutls_dh_params_deinit(https->dh_params); gnutls_priority_deinit (https->priority_cache); //if (op->server->flags&O_SSL_NO_DEINIT) gnutls_global_deinit(); // This may cause problems if several characters use the gnutls on the same binary. onion_low_free(https); }
TLSServer::~TLSServer () { gnutls_certificate_free_credentials (_credentials); gnutls_priority_deinit (_priorities); gnutls_global_deinit (); if (_socket) { shutdown (_socket, SHUT_RDWR); close (_socket); } }
void Plugin::_deinit() { if (this->init.contains("priority")) gnutls_priority_deinit(this->priority); if (this->init.contains("credentials")) gnutls_certificate_free_credentials(this->x509_cred); if (this->init.contains("dh_params")) gnutls_dh_params_deinit(this->dhParams); if (this->init.contains("crt")) gnutls_x509_crt_deinit(this->crt); if (this->init.contains("privkey")) gnutls_x509_privkey_deinit(this->key); if (this->init.contains("global")) gnutls_global_deinit(); this->init.clear(); }
void relay_config_change_network_ssl_priorities (void *data, struct t_config_option *option) { /* make C compiler happy */ (void) data; (void) option; #ifdef HAVE_GNUTLS if (relay_network_init_ok && relay_gnutls_priority_cache) { gnutls_priority_deinit (*relay_gnutls_priority_cache); relay_network_set_priority (); } #endif }
static void ssl_gnutls_uninit(void) { gnutls_global_deinit(); gnutls_certificate_free_credentials(xcred); xcred = NULL; #ifdef HAVE_GNUTLS_PRIORITY_FUNCS if (host_priorities) { g_hash_table_destroy(host_priorities); host_priorities = NULL; } gnutls_priority_deinit(default_priority); default_priority = NULL; #endif }
static void tlsg_ctx_free ( tls_ctx *ctx ) { tlsg_ctx *c = (tlsg_ctx *)ctx; int refcount; if ( !c ) return; LDAP_MUTEX_LOCK( &c->ref_mutex ); refcount = --c->refcount; LDAP_MUTEX_UNLOCK( &c->ref_mutex ); if ( refcount ) return; gnutls_priority_deinit( c->prios ); gnutls_certificate_free_credentials( c->cred ); if ( c->dh_params ) gnutls_dh_params_deinit( c->dh_params ); ber_memfree ( c ); }
void DTLS_Shutdown(void) { int index; for (index = 0;index < MAX_DTLS_SESSIONS; index++) { if (sessions[index].Session) { FreeSession(&sessions[index]); } } if (_CertCredentials) { gnutls_certificate_free_credentials(_CertCredentials); _CertCredentials = NULL; } // gnutls_dh_params_deinit(_DHParameters); gnutls_priority_deinit(_PriorityCache); gnutls_global_deinit(); }
int relay_config_check_network_ssl_priorities (void *data, struct t_config_option *option, const char *value) { #ifdef HAVE_GNUTLS gnutls_priority_t priority_cache; const char *pos_error; int rc; /* make C compiler happy */ (void) data; (void) option; pos_error = value; if (value && value[0]) { rc = gnutls_priority_init (&priority_cache, value, &pos_error); if (rc == GNUTLS_E_SUCCESS) { gnutls_priority_deinit (priority_cache); return 1; } } weechat_printf (NULL, _("%s%s: invalid priorities string, error " "at this position in string: \"%s\""), weechat_prefix ("error"), RELAY_PLUGIN_NAME, (pos_error) ? pos_error : value); return 0; #else /* make C compiler happy */ (void) data; (void) option; (void) value; return 1; #endif }
static void tlsg_ctx_free ( tls_ctx *ctx ) { tlsg_ctx *c = (tlsg_ctx *)ctx; int refcount; if ( !c ) return; LDAP_MUTEX_LOCK( &c->ref_mutex ); refcount = --c->refcount; LDAP_MUTEX_UNLOCK( &c->ref_mutex ); if ( refcount ) return; #ifdef HAVE_CIPHERSUITES gnutls_priority_deinit( c->prios ); #else LDAP_FREE( c->kx_list ); #endif gnutls_certificate_free_credentials( c->cred ); ber_memfree ( c ); }
/** * @short Removes the allocated data * @memberof onion_t */ void onion_free(onion *onion){ ONION_DEBUG("Onion free"); #ifdef HAVE_PTHREADS if (onion->flags&O_THREADS_ENABLED){ int ntries=5; int c; for(;ntries--;){ sem_getvalue(&onion->thread_count,&c); if (c==onion->max_threads){ break; } ONION_INFO("Still some petitions on process (%d). Wait a little bit (%d).",c,ntries); sleep(1); } } #endif close(onion->listenfd); if (onion->poller) onion_poller_free(onion->poller); if (onion->username) free(onion->username); #ifdef HAVE_GNUTLS if (onion->flags&O_SSL_ENABLED){ gnutls_certificate_free_credentials (onion->x509_cred); gnutls_dh_params_deinit(onion->dh_params); gnutls_priority_deinit (onion->priority_cache); if (!(onion->flags&O_SSL_NO_DEINIT)) gnutls_global_deinit(); // This may cause problems if several characters use the gnutls on the same binary. } #endif if (onion->port) free(onion->port); if (onion->hostname) free(onion->hostname); onion_server_free(onion->server); free(onion); }
void relay_network_end () { if (relay_network_init_ok) { #ifdef HAVE_GNUTLS if (relay_gnutls_priority_cache) { gnutls_priority_deinit (*relay_gnutls_priority_cache); free (relay_gnutls_priority_cache); relay_gnutls_priority_cache = NULL; } if (relay_gnutls_dh_params) { gnutls_dh_params_deinit (*relay_gnutls_dh_params); free (relay_gnutls_dh_params); relay_gnutls_dh_params = NULL; } gnutls_certificate_free_credentials (relay_gnutls_x509_cred); #endif relay_network_init_ok = 0; } }
SslDriver::~SslDriver() { TRACE("~SslDriver()"); gnutls_priority_deinit(priorities_); delete[] items_; }
int main (void) { int ret, sd, ii; gnutls_session_t session; gnutls_priority_t priorities_cache; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; /* Allow connections to servers that have OpenPGP keys as well. */ gnutls_global_init (); load_keys (); /* X509 stuff */ gnutls_certificate_allocate_credentials (&xcred); /* priorities */ gnutls_priority_init( &priorities_cache, "NORMAL", NULL); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_priority_set (session, priorities_cache); /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_priority_deinit( priorities_cache); gnutls_global_deinit (); return 0; }
int main (void) { int listen_sd; int sock, ret; struct sockaddr_in sa_serv; struct sockaddr_in cli_addr; socklen_t cli_addr_size; gnutls_session_t session; char buffer[MAX_BUFFER]; priv_data_st priv; gnutls_datum_t cookie_key; gnutls_dtls_prestate_st prestate; int mtu = 1400; unsigned char sequence[8]; /* this must be called once in the program */ gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM); ret = gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM); if (ret < 0) { printf("No certificate or key were found\n"); exit(1); } generate_dh_params (); gnutls_certificate_set_dh_params (x509_cred, dh_params); gnutls_priority_init (&priority_cache, "PERFORMANCE:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE", NULL); gnutls_key_generate (&cookie_key, GNUTLS_COOKIE_KEY_SIZE); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_DGRAM, 0); memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); { /* DTLS requires the IP don't fragment (DF) bit to be set */ #if defined(IP_DONTFRAG) int optval = 1; setsockopt (listen_sd, IPPROTO_IP, IP_DONTFRAG, (const void *) &optval, sizeof (optval)); #elif defined(IP_MTU_DISCOVER) int optval = IP_PMTUDISC_DO; setsockopt(listen_sd, IPPROTO_IP, IP_MTU_DISCOVER, (const void*) &optval, sizeof (optval)); #endif } bind (listen_sd, (struct sockaddr *) &sa_serv, sizeof (sa_serv)); printf ("UDP server ready. Listening to port '%d'.\n\n", PORT); for (;;) { printf ("Waiting for connection...\n"); sock = wait_for_connection (listen_sd); if (sock < 0) continue; cli_addr_size = sizeof (cli_addr); ret = recvfrom (sock, buffer, sizeof (buffer), MSG_PEEK, (struct sockaddr *) &cli_addr, &cli_addr_size); if (ret > 0) { memset (&prestate, 0, sizeof (prestate)); ret = gnutls_dtls_cookie_verify (&cookie_key, &cli_addr, sizeof (cli_addr), buffer, ret, &prestate); if (ret < 0) /* cookie not valid */ { priv_data_st s; memset (&s, 0, sizeof (s)); s.fd = sock; s.cli_addr = (void *) &cli_addr; s.cli_addr_size = sizeof (cli_addr); printf ("Sending hello verify request to %s\n", human_addr ((struct sockaddr *) &cli_addr, sizeof (cli_addr), buffer, sizeof (buffer))); gnutls_dtls_cookie_send (&cookie_key, &cli_addr, sizeof (cli_addr), &prestate, (gnutls_transport_ptr_t) & s, push_func); /* discard peeked data */ recvfrom (sock, buffer, sizeof (buffer), 0, (struct sockaddr *) &cli_addr, &cli_addr_size); usleep (100); continue; } printf ("Accepted connection from %s\n", human_addr ((struct sockaddr *) &cli_addr, sizeof (cli_addr), buffer, sizeof (buffer))); } else continue; session = initialize_tls_session (); gnutls_dtls_prestate_set (session, &prestate); gnutls_dtls_set_mtu (session, mtu); priv.session = session; priv.fd = sock; priv.cli_addr = (struct sockaddr *) &cli_addr; priv.cli_addr_size = sizeof (cli_addr); gnutls_transport_set_ptr (session, &priv); gnutls_transport_set_push_function (session, push_func); gnutls_transport_set_pull_function (session, pull_func); gnutls_transport_set_pull_timeout_function (session, pull_timeout_func); do { ret = gnutls_handshake (session); } while (ret < 0 && gnutls_error_is_fatal (ret) == 0); if (ret < 0) { fprintf (stderr, "Error in handshake(): %s\n", gnutls_strerror (ret)); gnutls_deinit (session); continue; } printf ("- Handshake was completed\n"); for (;;) { do { ret = gnutls_record_recv_seq (session, buffer, MAX_BUFFER, sequence); } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); if (ret < 0) { fprintf (stderr, "Error in recv(): %s\n", gnutls_strerror (ret)); break; } if (ret == 0) { printf ("EOF\n\n"); break; } buffer[ret] = 0; printf ("received[%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x]: %s\n", sequence[0], sequence[1], sequence[2], sequence[3], sequence[4], sequence[5], sequence[6], sequence[7], buffer); /* reply back */ ret = gnutls_record_send (session, buffer, ret); if (ret < 0) { fprintf (stderr, "Error in send(): %s\n", gnutls_strerror (ret)); break; } } gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit (session); } close (listen_sd); gnutls_certificate_free_credentials (x509_cred); gnutls_priority_deinit (priority_cache); gnutls_global_deinit (); return 0; }
~Priority() { gnutls_priority_deinit(priority); }
void SSLi_deinit() { gnutls_certificate_free_credentials(certificate); gnutls_priority_deinit(cipherCache); gnutls_global_deinit(); }
int main (void) { int err, listen_sd, i; int sd, ret; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; int client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; /* to disallow usage of the blocking /dev/random */ gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); /* this must be called once in the program */ gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM); gnutls_psk_allocate_server_credentials (&psk_cred); gnutls_psk_set_server_credentials_function (psk_cred, pskfunc); generate_dh_params (); gnutls_priority_init (&priority_cache, "NORMAL:PSK", NULL); gnutls_certificate_set_dh_params (x509_cred, dh_params); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); SOCKET_ERR (listen_sd, "socket"); memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); SOCKET_ERR (err, "bind"); err = listen (listen_sd, 1024); SOCKET_ERR (err, "listen"); printf ("Server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof (sa_cli); for (;;) { session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); printf ("- connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fprintf (stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror (ret)); continue; } printf ("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("\n- Peer has closed the GNUTLS connection\n"); break; } else if (ret < 0) { fprintf (stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } printf ("\n"); /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); } close (listen_sd); gnutls_certificate_free_credentials (x509_cred); gnutls_psk_free_server_credentials (psk_cred); gnutls_priority_deinit (priority_cache); gnutls_global_deinit (); return 0; }
int /* O - 0 on success, -1 on failure */ _httpTLSStart(http_t *http) /* I - Connection to server */ { char hostname[256], /* Hostname */ *hostptr; /* Pointer into hostname */ int status; /* Status of handshake */ gnutls_certificate_credentials_t *credentials; /* TLS credentials */ char priority_string[1024]; /* Priority string */ DEBUG_printf(("3_httpTLSStart(http=%p)", http)); if (tls_options < 0) { DEBUG_puts("4_httpTLSStart: Setting defaults."); _cupsSetDefaults(); DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options)); } if (http->mode == _HTTP_MODE_SERVER && !tls_keypath) { DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called."); http->error = errno = EINVAL; http->status = HTTP_STATUS_ERROR; _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1); return (-1); } credentials = (gnutls_certificate_credentials_t *) malloc(sizeof(gnutls_certificate_credentials_t)); if (credentials == NULL) { DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s", strerror(errno))); http->error = errno; http->status = HTTP_STATUS_ERROR; _cupsSetHTTPError(HTTP_STATUS_ERROR); return (-1); } gnutls_certificate_allocate_credentials(credentials); status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER); if (!status) status = gnutls_set_default_priority(http->tls); if (status) { http->error = EIO; http->status = HTTP_STATUS_ERROR; DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status))); _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0); gnutls_deinit(http->tls); gnutls_certificate_free_credentials(*credentials); free(credentials); http->tls = NULL; return (-1); } if (http->mode == _HTTP_MODE_CLIENT) { /* * Client: get the hostname to use for TLS... */ if (httpAddrLocalhost(http->hostaddr)) { strlcpy(hostname, "localhost", sizeof(hostname)); } else { /* * Otherwise make sure the hostname we have does not end in a trailing dot. */ strlcpy(hostname, http->hostname, sizeof(hostname)); if ((hostptr = hostname + strlen(hostname) - 1) >= hostname && *hostptr == '.') *hostptr = '\0'; } status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname)); } else { /* * Server: get certificate and private key... */ char crtfile[1024], /* Certificate file */ keyfile[1024]; /* Private key file */ int have_creds = 0; /* Have credentials? */ if (http->fields[HTTP_FIELD_HOST][0]) { /* * Use hostname for TLS upgrade... */ strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); } else { /* * Resolve hostname from connection address... */ http_addr_t addr; /* Connection address */ socklen_t addrlen; /* Length of address */ addrlen = sizeof(addr); if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) { DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno))); hostname[0] = '\0'; } else if (httpAddrLocalhost(&addr)) hostname[0] = '\0'; else { httpAddrLookup(&addr, hostname, sizeof(hostname)); DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname)); } } if (isdigit(hostname[0] & 255) || hostname[0] == '[') hostname[0] = '\0'; /* Don't allow numeric addresses */ if (hostname[0]) { http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt"); http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key"); have_creds = !access(crtfile, 0) && !access(keyfile, 0); } else if (tls_common_name) { http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt"); http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key"); have_creds = !access(crtfile, 0) && !access(keyfile, 0); } if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name)) { DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name)); if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400)) { DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed."); http->error = errno = EINVAL; http->status = HTTP_STATUS_ERROR; _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1); return (-1); } } DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile)); status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM); } if (!status) status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials); if (status) { http->error = EIO; http->status = HTTP_STATUS_ERROR; DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status))); _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0); gnutls_deinit(http->tls); gnutls_certificate_free_credentials(*credentials); free(credentials); http->tls = NULL; return (-1); } strlcpy(priority_string, "NORMAL", sizeof(priority_string)); if (tls_options & _HTTP_TLS_DENY_TLS10) strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string)); else if (tls_options & _HTTP_TLS_ALLOW_SSL3) strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string)); else strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string)); if (!(tls_options & _HTTP_TLS_ALLOW_RC4)) strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string)); if (!(tls_options & _HTTP_TLS_ALLOW_DH)) strlcat(priority_string, ":!ANON-DH", sizeof(priority_string)); #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT gnutls_priority_set_direct(http->tls, priority_string, NULL); #else gnutls_priority_t priority; /* Priority */ gnutls_priority_init(&priority, priority_string, NULL); gnutls_priority_set(http->tls, priority); gnutls_priority_deinit(priority); #endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */ gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http); gnutls_transport_set_pull_function(http->tls, http_gnutls_read); #ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait); #endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */ gnutls_transport_set_push_function(http->tls, http_gnutls_write); while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS) { DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)", status, gnutls_strerror(status))); if (gnutls_error_is_fatal(status)) { http->error = EIO; http->status = HTTP_STATUS_ERROR; _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0); gnutls_deinit(http->tls); gnutls_certificate_free_credentials(*credentials); free(credentials); http->tls = NULL; return (-1); } } http->tls_credentials = credentials; return (0); }
static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; gnutls_session_t server; int sret, cret; const char *str; char *suite = NULL; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_certificate_credentials_t c_certcred, s_certcred; gnutls_session_t client; /* Need to enable anonymous KX specifically. */ int ret; struct benchmark_st st; struct timespec tr_start, tr_stop; double avg, sstddev; gnutls_priority_t priority_cache; total_diffs_size = 0; /* Init server */ gnutls_certificate_allocate_credentials(&s_certcred); gnutls_anon_allocate_server_credentials(&s_anoncred); ret = 0; if (pk == GNUTLS_PK_RSA_PSS) ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_rsa_pss_cert, &server_key, GNUTLS_X509_FMT_PEM); else if (pk == GNUTLS_PK_RSA) ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "Error in %d: %s\n", __LINE__, gnutls_strerror(ret)); exit(1); } ret = 0; if (pk == GNUTLS_PK_ECDSA) ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_ecc_cert, &server_ecc_key, GNUTLS_X509_FMT_PEM); else if (pk == GNUTLS_PK_EDDSA_ED25519) ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_ed25519_cert, &server_ed25519_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "Error in %d: %s\n", __LINE__, gnutls_strerror(ret)); exit(1); } /* Init client */ gnutls_anon_allocate_client_credentials(&c_anoncred); gnutls_certificate_allocate_credentials(&c_certcred); start_benchmark(&st); ret = gnutls_priority_init(&priority_cache, cipher_prio, &str); if (ret < 0) { fprintf(stderr, "Error in %s\n", str); exit(1); } do { gnutls_init(&server, GNUTLS_SERVER); ret = gnutls_priority_set(server, priority_cache); if (ret < 0) { fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_certcred); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server); reset_buffers(); gnutls_init(&client, GNUTLS_CLIENT); ret = gnutls_priority_set(client, priority_cache); if (ret < 0) { fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_certcred); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client); gettime(&tr_start); HANDSHAKE(client, server); gettime(&tr_stop); if (suite == NULL) suite = gnutls_session_get_desc(server); gnutls_deinit(client); gnutls_deinit(server); total_diffs[total_diffs_size++] = timespec_sub_ms(&tr_stop, &tr_start); if (total_diffs_size > sizeof(total_diffs)/sizeof(total_diffs[0])) abort(); st.size += 1; } while (benchmark_must_finish == 0); fprintf(stdout, "%38s ", suite); gnutls_free(suite); stop_benchmark(&st, "transactions", 1); gnutls_priority_deinit(priority_cache); avg = calc_avg(total_diffs, total_diffs_size); sstddev = calc_sstdev(total_diffs, total_diffs_size, avg); printf("%32s %.2f ms, sample variance: %.2f)\n", "(avg. handshake time:", avg, sstddev); gnutls_anon_free_client_credentials(c_anoncred); gnutls_anon_free_server_credentials(s_anoncred); }
/* main - Asks for a list of relays, initializes a TLS server and starts a thread for every client. */ int main (void) { int client_socket_descriptor; struct sockaddr_in sockaddr_client; socklen_t client_adress_length; char topbuf[512]; int ret; int file; struct stat fileinfo; ret = stat(FILE_LIST_RELAYS, &fileinfo); if (ret != 0) { fprintf (stderr, "Impossible to find file \"%s\"\n", FILE_LIST_RELAYS); return -1; } nbr_relays = fileinfo.st_size/sizeof(MYSOCKET); list_relays = malloc (nbr_relays*sizeof(MYSOCKET)); file = open (FILE_LIST_RELAYS, O_RDONLY); if (file == -1) { ret = errno; fprintf (stderr, "Impossible to open \"%s\", errno = %d\n", FILE_LIST_RELAYS, ret); free (list_relays); return -1; } ret = read (file, list_relays, sizeof(MYSOCKET)*nbr_relays); if (ret != sizeof(MYSOCKET)*nbr_relays) { fprintf (stderr, "Error in reading : %d bytes read instead of %d\n", ret, sizeof(MYSOCKET)*nbr_relays); free (list_relays); return -1; } int i; for (i=0;i<nbr_relays;i++) { int ip = ((MYSOCKET*)list_relays)[i].ip; printf("Relay[%i], ip=%d.%d.%d.%d, port=%i\n",i,(ip) & 0xFF,(ip>>8) & 0xFF, (ip>>16) & 0xFF, (ip>>24) & 0xFF,ntohs(((MYSOCKET*)list_relays)[i].port)); } close (file); printf ("%d trusted relays successfully read from file \"%s\"\n", nbr_relays, FILE_LIST_RELAYS); if (mytls_server_init (DIRECTORY_PORT, &xcred, &priority_cache, &listen_socket_descriptor, &sockaddr_server, 0) != 0) { return -1; } client_adress_length = sizeof (sockaddr_client); for (;;) { client_socket_descriptor = accept (listen_socket_descriptor, (struct sockaddr *) &sockaddr_client, &client_adress_length); printf ("- connection from %s, port %d\n", inet_ntop (AF_INET, &sockaddr_client.sin_addr, topbuf, sizeof (topbuf)), ntohs(sockaddr_client.sin_port)); pthread_t thread; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); pthread_create(&thread, &attr, handle_connection, (void *)client_socket_descriptor); } close (listen_socket_descriptor); gnutls_certificate_free_credentials (xcred); gnutls_priority_deinit (priority_cache); gnutls_global_deinit (); free (list_relays); return 0; }
int main(void) { int listen_sd; int sd, ret; gnutls_certificate_credentials_t x509_cred; gnutls_priority_t priority_cache; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; socklen_t client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; /* for backwards compatibility with gnutls < 3.3.0 */ CHECK(gnutls_global_init()); CHECK(gnutls_certificate_allocate_credentials(&x509_cred)); CHECK(gnutls_certificate_set_x509_trust_file(x509_cred, CAFILE, GNUTLS_X509_FMT_PEM)); CHECK(gnutls_certificate_set_x509_crl_file(x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM)); /* The following code sets the certificate key pair as well as, * an OCSP response which corresponds to it. It is possible * to set multiple key-pairs and multiple OCSP status responses * (the latter since 3.5.6). See the manual pages of the individual * functions for more information. */ CHECK(gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM)); CHECK(gnutls_certificate_set_ocsp_status_request_file(x509_cred, OCSP_STATUS_FILE, 0)); CHECK(gnutls_priority_init(&priority_cache, NULL, NULL)); /* Instead of the default options as shown above one could specify * additional options such as server precedence in ciphersuite selection * as follows: * gnutls_priority_init2(&priority_cache, * "%SERVER_PRECEDENCE", * NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND); */ #if GNUTLS_VERSION_NUMBER >= 0x030506 /* only available since GnuTLS 3.5.6, on previous versions see * gnutls_certificate_set_dh_params(). */ gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM); #endif /* Socket operations */ listen_sd = socket(AF_INET, SOCK_STREAM, 0); memset(&sa_serv, '\0', sizeof(sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons(PORT); /* Server Port number */ setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, sizeof(int)); bind(listen_sd, (struct sockaddr *) &sa_serv, sizeof(sa_serv)); listen(listen_sd, 1024); printf("Server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof(sa_cli); for (;;) { CHECK(gnutls_init(&session, GNUTLS_SERVER)); CHECK(gnutls_priority_set(session, priority_cache)); CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred)); /* We don't request any certificate from the client. * If we did we would need to verify it. One way of * doing that is shown in the "Verifying a certificate" * example. */ gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); sd = accept(listen_sd, (struct sockaddr *) &sa_cli, &client_len); printf("- connection from %s, port %d\n", inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf, sizeof(topbuf)), ntohs(sa_cli.sin_port)); gnutls_transport_set_int(session, sd); LOOP_CHECK(ret, gnutls_handshake(session)); if (ret < 0) { close(sd); gnutls_deinit(session); fprintf(stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror(ret)); continue; } printf("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF)); if (ret == 0) { printf ("\n- Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ CHECK(gnutls_record_send(session, buffer, ret)); } } printf("\n"); /* do not wait for the peer to close the connection. */ LOOP_CHECK(ret, gnutls_bye(session, GNUTLS_SHUT_WR)); close(sd); gnutls_deinit(session); } close(listen_sd); gnutls_certificate_free_credentials(x509_cred); gnutls_priority_deinit(priority_cache); gnutls_global_deinit(); return 0; }