static CURLcode
gtls_connect_step1(struct connectdata *conn,
int sockindex)
{
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
#endif
struct SessionHandle *data = conn->data;
gnutls_session session;
int rc;
void *ssl_sessionid;
size_t ssl_idsize;
bool sni = TRUE; /* default is SNI enabled */
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
if(conn->ssl[sockindex].state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the
same connection */
return CURLE_OK;
if(!gtls_inited)
Curl_gtls_init();
/* GnuTLS only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
/* allocate a cred struct */
rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_cert_all_cred() failed: %s", gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
rc = gnutls_srp_allocate_client_credentials(
&conn->ssl[sockindex].srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
gnutls_strerror(rc));
return CURLE_OUT_OF_MEMORY;
}
rc = gnutls_srp_set_client_credentials(conn->ssl[sockindex].
srp_client_cred,
data->set.ssl.username,
data->set.ssl.password);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_set_client_cred() failed: %s",
gnutls_strerror(rc));
return CURLE_BAD_FUNCTION_ARGUMENT;
}
}
#endif
if(data->set.ssl.CAfile) {
/* set the trusted CA cert bundle file */
gnutls_certificate_set_verify_flags(conn->ssl[sockindex].cred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
data->set.ssl.CAfile,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CAfile);
}
if(data->set.ssl.CRLfile) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
data->set.ssl.CRLfile,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
failf(data, "error reading crl file %s (%s)",
data->set.ssl.CRLfile, gnutls_strerror(rc));
return CURLE_SSL_CRL_BADFILE;
}
else
infof(data, "found %d CRL in %s\n",
rc, data->set.ssl.CRLfile);
}
/* Initialize TLS session as a client */
rc = gnutls_init(&conn->ssl[sockindex].session, GNUTLS_CLIENT);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_init() failed: %d", rc);
return CURLE_SSL_CONNECT_ERROR;
}
/* convenient assign */
session = conn->ssl[sockindex].session;
if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
sni &&
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
strlen(conn->host.name)) < 0))
infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n");
/* Use default priorities */
rc = gnutls_set_default_priority(session);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
if(data->set.ssl.version == CURL_SSLVERSION_SSLv3) {
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
static const int protocol_priority[] = { GNUTLS_SSL3, 0 };
rc = gnutls_protocol_set_priority(session, protocol_priority);
#else
const char *err;
/* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
vulnerable to attacks such as the BEAST, why this code now explicitly
asks for that
*/
rc = gnutls_priority_set_direct(session,
"NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
"-CIPHER-ALL:+ARCFOUR-128",
&err);
#endif
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
}
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
/* Sets the priority on the certificate types supported by gnutls. Priority
is higher for types specified before others. After specifying the types
you want, you must append a 0. */
rc = gnutls_certificate_type_set_priority(session, cert_type_priority);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
#endif
if(data->set.str[STRING_CERT]) {
if(gnutls_certificate_set_x509_key_file(
conn->ssl[sockindex].cred,
data->set.str[STRING_CERT],
data->set.str[STRING_KEY] ?
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
GNUTLS_E_SUCCESS) {
failf(data, "error reading X.509 key or certificate file");
return CURLE_SSL_CONNECT_ERROR;
}
}
#ifdef USE_TLS_SRP
/* put the credentials to the current session */
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
conn->ssl[sockindex].srp_client_cred);
if(rc != GNUTLS_E_SUCCESS)
failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
}
else
#endif
rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
conn->ssl[sockindex].cred);
/* set the connection handle (file descriptor for the socket) */
gnutls_transport_set_ptr(session,
GNUTLS_INT_TO_POINTER_CAST(conn->sock[sockindex]));
/* register callback functions to send and receive data. */
gnutls_transport_set_push_function(session, Curl_gtls_push);
gnutls_transport_set_pull_function(session, Curl_gtls_pull);
/* lowat must be set to zero when using custom push and pull functions. */
gnutls_transport_set_lowat(session, 0);
/* This might be a reconnect, so we check for a session ID in the cache
to speed up things */
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize)) {
/* we got a session id, use it! */
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
/* Informational message */
infof (data, "SSL re-using session ID\n");
}
return CURLE_OK;
}
int
main (void)
{
int ret;
int sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_srp_client_credentials_t srp_cred;
gnutls_certificate_credentials_t cert_cred;
gnutls_global_init ();
/* now enable the gnutls-extra library which contains the
* SRP stuff.
*/
gnutls_global_init_extra ();
gnutls_srp_allocate_client_credentials (&srp_cred);
gnutls_certificate_allocate_credentials (&cert_cred);
gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_srp_set_client_credentials (srp_cred, USERNAME, PASSWORD);
/* connects to server
*/
sd = tcp_connect ();
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Set the priorities.
*/
gnutls_priority_set_direct (session, "NORMAL:+SRP:+SRP-RSA:+SRP-DSS", NULL);
/* put the SRP credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (gnutls_error_is_fatal (ret) == 1 || ret == 0)
{
if (ret == 0)
{
printf ("- Peer has closed the GNUTLS connection\n");
goto end;
}
else
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
}
else
check_alert (session, ret);
if (ret > 0)
{
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
}
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_srp_free_client_credentials (srp_cred);
gnutls_certificate_free_credentials (cert_cred);
gnutls_global_deinit ();
return 0;
}
static CURLcode
gtls_connect_step1(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
gnutls_session_t session;
int rc;
void *ssl_sessionid;
size_t ssl_idsize;
bool sni = TRUE; /* default is SNI enabled */
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
static const int cipher_priority[] = {
/* These two ciphers were added to GnuTLS as late as ver. 3.0.1,
but this code path is only ever used for ver. < 2.12.0.
GNUTLS_CIPHER_AES_128_GCM,
GNUTLS_CIPHER_AES_256_GCM,
*/
GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_CAMELLIA_128_CBC,
GNUTLS_CIPHER_CAMELLIA_256_CBC,
GNUTLS_CIPHER_3DES_CBC,
};
static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
static int protocol_priority[] = { 0, 0, 0, 0 };
#else
#define GNUTLS_CIPHERS "NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509"
/* If GnuTLS was compiled without support for SRP it will error out if SRP is
requested in the priority string, so treat it specially
*/
#define GNUTLS_SRP "+SRP"
const char* prioritylist;
const char *err = NULL;
#endif
if(conn->ssl[sockindex].state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the
same connection */
return CURLE_OK;
if(!gtls_inited)
Curl_gtls_init();
/* GnuTLS only supports SSLv3 and TLSv1 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3)
sni = FALSE; /* SSLv3 has no SNI */
/* allocate a cred struct */
rc = gnutls_certificate_allocate_credentials(&conn->ssl[sockindex].cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_cert_all_cred() failed: %s", gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
rc = gnutls_srp_allocate_client_credentials(
&conn->ssl[sockindex].srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
gnutls_strerror(rc));
return CURLE_OUT_OF_MEMORY;
}
rc = gnutls_srp_set_client_credentials(conn->ssl[sockindex].
srp_client_cred,
data->set.ssl.username,
data->set.ssl.password);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_set_client_cred() failed: %s",
gnutls_strerror(rc));
return CURLE_BAD_FUNCTION_ARGUMENT;
}
}
#endif
if(data->set.ssl.CAfile) {
/* set the trusted CA cert bundle file */
gnutls_certificate_set_verify_flags(conn->ssl[sockindex].cred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
data->set.ssl.CAfile,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CAfile);
}
#ifdef HAS_CAPATH
if(data->set.ssl.CApath) {
/* set the trusted CA cert directory */
rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
data->set.ssl.CApath,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CApath);
}
#endif
#ifdef CURL_CA_FALLBACK
/* use system ca certificate store as fallback */
if(data->set.ssl.verifypeer &&
!(data->set.ssl.CAfile || data->set.ssl.CApath)) {
gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
}
#endif
if(data->set.ssl.CRLfile) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
data->set.ssl.CRLfile,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
failf(data, "error reading crl file %s (%s)",
data->set.ssl.CRLfile, gnutls_strerror(rc));
return CURLE_SSL_CRL_BADFILE;
}
else
infof(data, "found %d CRL in %s\n",
rc, data->set.ssl.CRLfile);
}
/* Initialize TLS session as a client */
rc = gnutls_init(&conn->ssl[sockindex].session, GNUTLS_CLIENT);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_init() failed: %d", rc);
return CURLE_SSL_CONNECT_ERROR;
}
/* convenient assign */
session = conn->ssl[sockindex].session;
if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
sni &&
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, conn->host.name,
strlen(conn->host.name)) < 0))
infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n");
/* Use default priorities */
rc = gnutls_set_default_priority(session);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
rc = gnutls_cipher_set_priority(session, cipher_priority);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
/* Sets the priority on the certificate types supported by gnutls. Priority
is higher for types specified before others. After specifying the types
you want, you must append a 0. */
rc = gnutls_certificate_type_set_priority(session, cert_type_priority);
if(rc != GNUTLS_E_SUCCESS)
return CURLE_SSL_CONNECT_ERROR;
if(data->set.ssl.cipher_list != NULL) {
failf(data, "can't pass a custom cipher list to older GnuTLS"
" versions");
return CURLE_SSL_CONNECT_ERROR;
}
switch (data->set.ssl.version) {
case CURL_SSLVERSION_SSLv3:
protocol_priority[0] = GNUTLS_SSL3;
break;
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
protocol_priority[0] = GNUTLS_TLS1_0;
protocol_priority[1] = GNUTLS_TLS1_1;
protocol_priority[2] = GNUTLS_TLS1_2;
break;
case CURL_SSLVERSION_TLSv1_0:
protocol_priority[0] = GNUTLS_TLS1_0;
break;
case CURL_SSLVERSION_TLSv1_1:
protocol_priority[0] = GNUTLS_TLS1_1;
break;
case CURL_SSLVERSION_TLSv1_2:
protocol_priority[0] = GNUTLS_TLS1_2;
break;
case CURL_SSLVERSION_SSLv2:
default:
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
break;
}
rc = gnutls_protocol_set_priority(session, protocol_priority);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "Did you pass a valid GnuTLS cipher list?");
return CURLE_SSL_CONNECT_ERROR;
}
#else
/* Ensure +SRP comes at the *end* of all relevant strings so that it can be
* removed if a run-time error indicates that SRP is not supported by this
* GnuTLS version */
switch (data->set.ssl.version) {
case CURL_SSLVERSION_SSLv3:
prioritylist = GNUTLS_CIPHERS ":-VERS-TLS-ALL:+VERS-SSL3.0";
sni = false;
break;
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_TLSv1_0:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.0:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_TLSv1_1:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.1:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_TLSv1_2:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.2:" GNUTLS_SRP;
break;
case CURL_SSLVERSION_SSLv2:
default:
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
break;
}
rc = gnutls_priority_set_direct(session, prioritylist, &err);
if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
if(!strcmp(err, GNUTLS_SRP)) {
/* This GnuTLS was probably compiled without support for SRP.
* Note that fact and try again without it. */
int validprioritylen = curlx_uztosi(err - prioritylist);
char *prioritycopy = strdup(prioritylist);
if(!prioritycopy)
return CURLE_OUT_OF_MEMORY;
infof(data, "This GnuTLS does not support SRP\n");
if(validprioritylen)
/* Remove the :+SRP */
prioritycopy[validprioritylen - 1] = 0;
rc = gnutls_priority_set_direct(session, prioritycopy, &err);
free(prioritycopy);
}
}
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "Error %d setting GnuTLS cipher list starting with %s",
rc, err);
return CURLE_SSL_CONNECT_ERROR;
}
#endif
#ifdef HAS_ALPN
if(data->set.ssl_enable_alpn) {
int cur = 0;
gnutls_datum_t protocols[2];
#ifdef USE_NGHTTP2
if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
protocols[cur].data = (unsigned char *)NGHTTP2_PROTO_VERSION_ID;
protocols[cur].size = NGHTTP2_PROTO_VERSION_ID_LEN;
cur++;
infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
}
#endif
protocols[cur].data = (unsigned char *)ALPN_HTTP_1_1;
protocols[cur].size = ALPN_HTTP_1_1_LENGTH;
cur++;
infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
gnutls_alpn_set_protocols(session, protocols, cur, 0);
}
#endif
if(data->set.str[STRING_CERT]) {
if(data->set.str[STRING_KEY_PASSWD]) {
#if HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
const unsigned int supported_key_encryption_algorithms =
GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
GNUTLS_PKCS_USE_PBES2_AES_256;
rc = gnutls_certificate_set_x509_key_file2(
conn->ssl[sockindex].cred,
data->set.str[STRING_CERT],
data->set.str[STRING_KEY] ?
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
do_file_type(data->set.str[STRING_CERT_TYPE]),
data->set.str[STRING_KEY_PASSWD],
supported_key_encryption_algorithms);
if(rc != GNUTLS_E_SUCCESS) {
failf(data,
"error reading X.509 potentially-encrypted key file: %s",
gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
#else
failf(data, "gnutls lacks support for encrypted key files");
return CURLE_SSL_CONNECT_ERROR;
#endif
}
else {
rc = gnutls_certificate_set_x509_key_file(
conn->ssl[sockindex].cred,
data->set.str[STRING_CERT],
data->set.str[STRING_KEY] ?
data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
do_file_type(data->set.str[STRING_CERT_TYPE]) );
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "error reading X.509 key or certificate file: %s",
gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
}
}
#ifdef USE_TLS_SRP
/* put the credentials to the current session */
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
conn->ssl[sockindex].srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
}
else
#endif
{
rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
conn->ssl[sockindex].cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
return CURLE_SSL_CONNECT_ERROR;
}
}
/* set the connection handle (file descriptor for the socket) */
gnutls_transport_set_ptr(session,
GNUTLS_INT_TO_POINTER_CAST(conn->sock[sockindex]));
/* register callback functions to send and receive data. */
gnutls_transport_set_push_function(session, Curl_gtls_push);
gnutls_transport_set_pull_function(session, Curl_gtls_pull);
/* lowat must be set to zero when using custom push and pull functions. */
gnutls_transport_set_lowat(session, 0);
#ifdef HAS_OCSP
if(data->set.ssl.verifystatus) {
rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc);
return CURLE_SSL_CONNECT_ERROR;
}
}
#endif
/* This might be a reconnect, so we check for a session ID in the cache
to speed up things */
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize)) {
/* we got a session id, use it! */
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
/* Informational message */
infof (data, "SSL re-using session ID\n");
}
return CURLE_OK;
}
static void
init_global_tls_stuff (void)
{
int ret;
/* X509 stuff */
if (gnutls_certificate_allocate_credentials (&xcred) < 0)
{
fprintf (stderr, "Certificate allocation memory error\n");
exit (1);
}
if (x509_cafile != NULL)
{
ret = gnutls_certificate_set_x509_trust_file (xcred,
x509_cafile, x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 trust file\n");
}
else
{
printf ("Processed %d CA certificate(s).\n", ret);
}
}
#ifdef ENABLE_PKI
if (x509_crlfile != NULL)
{
ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,
x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 CRL file\n");
}
else
{
printf ("Processed %d CRL(s).\n", ret);
}
}
#endif
load_keys ();
#ifdef ENABLE_OPENPGP
if (pgp_keyring != NULL)
{
ret =
gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring,
GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP keyring file\n");
}
}
#endif
#ifdef ENABLE_SRP
if (srp_username && srp_passwd)
{
/* SRP stuff */
if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0)
{
fprintf (stderr, "SRP authentication error\n");
}
gnutls_srp_set_client_credentials_function (srp_cred,
srp_username_callback);
}
#endif
#ifdef ENABLE_PSK
/* PSK stuff */
if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0)
{
fprintf (stderr, "PSK authentication error\n");
}
if (psk_username && psk_key.data)
{
ret = gnutls_psk_set_client_credentials (psk_cred,
psk_username, &psk_key,
GNUTLS_PSK_KEY_HEX);
if (ret < 0)
{
fprintf (stderr, "Error setting the PSK credentials: %s\n",
gnutls_strerror (ret));
}
}
gnutls_psk_set_client_credentials_function (psk_cred, psk_callback);
#endif
#ifdef ENABLE_ANON
/* ANON stuff */
if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0)
{
fprintf (stderr, "Anonymous authentication error\n");
}
#endif
}
static void
init_global_tls_stuff (void)
{
int ret;
if ((ret = gnutls_global_init ()) < 0)
{
fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
exit (1);
}
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug);
if ((ret = gnutls_global_init_extra ()) < 0)
{
fprintf (stderr, "global_init_extra: %s\n", gnutls_strerror (ret));
// exit (1);
}
/* X509 stuff */
if (gnutls_certificate_allocate_credentials (&xcred) < 0)
{
fprintf (stderr, "Certificate allocation memory error\n");
exit (1);
}
/* there are some CAs that have a v1 certificate *%&@#*%&
*/
gnutls_certificate_set_verify_flags (xcred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
if (x509_cafile != NULL)
{
ret =
gnutls_certificate_set_x509_trust_file (xcred,
x509_cafile, x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 trust file\n");
}
else
{
printf ("Processed %d CA certificate(s).\n", ret);
}
}
#ifdef ENABLE_PKI
if (x509_crlfile != NULL)
{
ret =
gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile, x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 CRL file\n");
}
else
{
printf ("Processed %d CRL(s).\n", ret);
}
}
#endif
load_keys ();
#ifdef ENABLE_OPENPGP
if (pgp_keyring != NULL)
{
ret = gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP keyring file\n");
}
}
if (pgp_trustdb != NULL)
{
ret = gnutls_certificate_set_openpgp_trustdb (xcred, pgp_trustdb);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP trustdb file\n");
}
}
#endif
#ifdef ENABLE_SRP
/* SRP stuff */
if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0)
{
fprintf (stderr, "SRP authentication error\n");
}
gnutls_srp_set_client_credentials_function (srp_cred,
srp_username_callback);
#endif
#ifdef ENABLE_PSK
/* SRP stuff */
if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0)
{
fprintf (stderr, "PSK authentication error\n");
}
gnutls_psk_set_client_credentials (psk_cred,
psk_username, &psk_key,
GNUTLS_PSK_KEY_HEX);
#endif
#ifdef ENABLE_ANON
/* ANON stuff */
if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0)
{
fprintf (stderr, "Anonymous authentication error\n");
}
#endif
}
int main(int argc, char **argv)
{
int ret;
int i;
gnutls_session_t state;
char portname[6];
socket_st hd;
char app_proto[32] = "";
cmd_parser(argc, argv);
#ifndef _WIN32
signal(SIGPIPE, SIG_IGN);
#endif
sockets_init();
if (gnutls_global_init() < 0) {
fprintf(stderr, "global state initialization error\n");
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(debug);
/* get server name */
snprintf(portname, sizeof(portname), "%d", port);
/* X509 stuff */
if (gnutls_certificate_allocate_credentials(&xcred) < 0) { /* space for 2 certificates */
fprintf(stderr, "memory error\n");
exit(1);
}
/* SRP stuff */
#ifdef ENABLE_SRP
if (gnutls_srp_allocate_client_credentials(&srp_cred) < 0) {
fprintf(stderr, "memory error\n");
exit(1);
}
#endif
#ifdef ENABLE_ANON
/* ANON stuff */
if (gnutls_anon_allocate_client_credentials(&anon_cred) < 0) {
fprintf(stderr, "memory error\n");
exit(1);
}
#endif
if (HAVE_OPT(STARTTLS_PROTO)) {
snprintf(app_proto, sizeof(app_proto), "%s", OPT_ARG(STARTTLS_PROTO));
}
if (app_proto[0] == 0) {
snprintf(app_proto, sizeof(app_proto), "%s", port_to_service(portname, "tcp"));
}
sockets_init();
i = 0;
printf("GnuTLS debug client %s\n", gnutls_check_version(NULL));
printf("Checking %s:%s\n", hostname, portname);
do {
if (tls_tests[i].test_name == NULL)
break; /* finished */
/* if neither of SSL3 and TLSv1 are supported, exit
*/
if (i > 6 && tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0
&& ssl3_ok == 0) {
fprintf(stderr,
"\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2\n");
break;
}
socket_open(&hd, hostname, portname, 0, NULL);
hd.verbose = verbose;
socket_starttls(&hd, app_proto);
gnutls_init(&state, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
gnutls_transport_set_ptr(state, (gnutls_transport_ptr_t)
gl_fd_to_handle(hd.fd));
set_read_funcs(state);
if (hostname && is_ip(hostname) == 0)
gnutls_server_name_set(state, GNUTLS_NAME_DNS,
hostname, strlen(hostname));
do {
if (strcmp(app_proto, "https") != 0 && tls_tests[i].https_only != 0) {
i++;
break;
}
ret = tls_tests[i].func(state);
if (ret != TEST_IGNORE) {
printf("%58s...", tls_tests[i].test_name);
fflush(stdout);
}
if (ret == TEST_SUCCEED) {
if (tls_tests[i].suc_str == NULL)
printf(" %s\n", ext_text);
else
printf(" %s\n", tls_tests[i].suc_str);
} else if (ret == TEST_FAILED)
printf(" %s\n", tls_tests[i].fail_str);
else if (ret == TEST_UNSURE)
printf(" %s\n", tls_tests[i].unsure_str);
else if (ret == TEST_IGNORE) {
if (tls_tests[i+1].test_name)
i++;
else
break;
}
}
while (ret == TEST_IGNORE
&& tls_tests[i].test_name != NULL);
gnutls_deinit(state);
socket_bye(&hd);
i++;
}
while (1);
#ifdef ENABLE_SRP
gnutls_srp_free_client_credentials(srp_cred);
#endif
gnutls_certificate_free_credentials(xcred);
#ifdef ENABLE_ANON
gnutls_anon_free_client_credentials(anon_cred);
#endif
gnutls_global_deinit();
return 0;
}
int
main (int argc, char **argv)
{
int err, ret;
int sd, i;
gnutls_session_t state;
char buffer[MAX_BUF + 1];
char portname[6];
struct addrinfo hints, *res, *ptr;
cmd_parser(argc, argv);
#ifndef _WIN32
signal (SIGPIPE, SIG_IGN);
#endif
sockets_init ();
if (gnutls_global_init () < 0)
{
fprintf (stderr, "global state initialization error\n");
exit (1);
}
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug);
printf ("Resolving '%s'...\n", hostname);
/* get server name */
memset (&hints, 0, sizeof (hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = 0;
snprintf (portname, sizeof (portname), "%d", port);
if ((err = getaddrinfo (hostname, portname, &hints, &res)) != 0)
{
fprintf (stderr, "Cannot resolve %s: %s\n", hostname,
gai_strerror (err));
exit (1);
}
/* X509 stuff */
if (gnutls_certificate_allocate_credentials (&xcred) < 0)
{ /* space for 2 certificates */
fprintf (stderr, "memory error\n");
exit (1);
}
/* SRP stuff */
#ifdef ENABLE_SRP
if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0)
{
fprintf (stderr, "memory error\n");
exit (1);
}
#endif
#ifdef ENABLE_ANON
/* ANON stuff */
if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0)
{
fprintf (stderr, "memory error\n");
exit (1);
}
#endif
i = 0;
do
{
if (tls_tests[i].test_name == NULL)
break; /* finished */
/* if neither of SSL3 and TLSv1 are supported, exit
*/
if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0)
{
fprintf (stderr,
"\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n");
break;
}
sd = -1;
for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
{
sd = socket (ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);
if (sd == -1)
{
continue;
}
getnameinfo (ptr->ai_addr, ptr->ai_addrlen, buffer, MAX_BUF,
NULL, 0, NI_NUMERICHOST);
if (tt == 0)
{
printf ("Connecting to '%s:%d'...\n", buffer, port);
tt = 1;
}
if ((err = connect (sd, ptr->ai_addr, ptr->ai_addrlen)) != 0)
{
close (sd);
sd = -1;
continue;
}
else
break;
}
ERR (err, "connect");
gnutls_init (&state, GNUTLS_CLIENT|GNUTLS_NO_EXTENSIONS);
gnutls_transport_set_ptr (state, (gnutls_transport_ptr_t)
gl_fd_to_handle (sd));
if (hostname && !isdigit(hostname[0]) && strchr(hostname, ':') == 0)
gnutls_server_name_set (state, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
do
{
printf ("Checking %s...", tls_tests[i].test_name);
fflush(stdout);
ret = tls_tests[i].func (state);
if (ret == TEST_SUCCEED)
printf (" %s\n", tls_tests[i].suc_str);
else if (ret == TEST_FAILED)
printf (" %s\n", tls_tests[i].fail_str);
else if (ret == TEST_UNSURE)
printf (" %s\n", tls_tests[i].unsure_str);
else if (ret == TEST_IGNORE)
{
printf (" N/A\n");
i++;
}
}
while (ret == TEST_IGNORE && tls_tests[i].test_name != NULL);
gnutls_deinit (state);
shutdown (sd, SHUT_RDWR); /* no more receptions */
close (sd);
i++;
}
while (1);
freeaddrinfo (res);
#ifdef ENABLE_SRP
gnutls_srp_free_client_credentials (srp_cred);
#endif
gnutls_certificate_free_credentials (xcred);
#ifdef ENABLE_ANON
gnutls_anon_free_client_credentials (anon_cred);
#endif
gnutls_global_deinit ();
return 0;
}
srp_client_credentials::srp_client_credentials ():credentials
(GNUTLS_CRD_SRP)
{
RETWRAP (gnutls_srp_allocate_client_credentials (&cred));
set_ptr (cred);
}
static void set_client_passwd(gnutls_srp_client_credentials_t &cCredentials,
const struct sockaddr *aAddress, socklen_t lLength, const char *aActual)
{
//check for updates, but use previous if the file is inaccessible
parse_passwd();
gnutls_srp_allocate_client_credentials(&cCredentials);
std::string address;
int position = data::not_found;
if (forwarder_type == RSERVR_REMOTE_NET)
{
if (!aAddress || lLength != sizeof(struct sockaddr_in)) return;
char address_buffer[PARAM_DEFAULT_FORMAT_BUFFER];
int port = ntohs(((const struct sockaddr_in*) aAddress)->sin_port);
//try the verbatim request first...
if (aActual)
{
snprintf(address_buffer, sizeof address_buffer, "%s:%i", aActual, port);
position = srp_clients.f_find(address_buffer, &check_srp_key_regex);
}
//then try IP lookup...
if (position == data::not_found)
{
address = inet_ntoa(((const struct sockaddr_in*) aAddress)->sin_addr);
snprintf(address_buffer, sizeof address_buffer, "%s:%i", address.c_str(), port);
position = srp_clients.f_find(address_buffer, &check_srp_key_regex);
}
if (position == data::not_found)
//then try DNS lookup
{
char name_buffer[PARAM_DEFAULT_FORMAT_BUFFER];
if (getnameinfo(aAddress, lLength, name_buffer, sizeof name_buffer, NULL, 0, 0x00))
snprintf(address_buffer, sizeof address_buffer, "%s:%i", name_buffer, port);
position = srp_clients.f_find(address_buffer, &check_srp_key_regex);
}
}
else if (forwarder_type == RSERVR_REMOTE_LOCAL)
{
if (!aAddress) return;
//try the verbatim request first...
if (aActual)
position = srp_clients.f_find(aActual, &check_srp_key_regex);
if (position == data::not_found)
//then try the socket specs (probably the same file name)
{
address.resize(lLength);
strncpy(&address[0], ((const struct sockaddr_un*) aAddress)->sun_path,
lLength);
position = srp_clients.f_find(address.c_str(), &check_srp_key_regex);
}
}
else return;
if (position != data::not_found)
gnutls_srp_set_client_credentials(cCredentials,
srp_clients[position].value().user.c_str(),
srp_clients[position].value().passwd.c_str());
}