test_code_t
test_export_info (gnutls_session session)
{
int ret2, ret;
gnutls_datum exp2, mod2;
const char *print;
if (verbose == 0 || export_true == 0)
return TEST_IGNORE;
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX (session, GNUTLS_KX_RSA_EXPORT);
ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_SUCCEED)
{
ret2 = gnutls_rsa_export_get_pubkey (session, &exp2, &mod2);
if (ret2 >= 0)
{
printf ("\n");
print = raw_to_string (exp2.data, exp2.size);
if (print)
printf (" Exponent [%d bits]: %s\n", exp2.size * 8, print);
print = raw_to_string (mod2.data, mod2.size);
if (print)
printf (" Modulus [%d bits]: %s\n", mod2.size * 8, print);
if (mod2.size != mod.size || exp2.size != exp.size ||
memcmp (mod2.data, mod.data, mod.size) != 0 ||
memcmp (exp2.data, exp.data, exp.size) != 0)
{
printf
(" (server uses different public keys per connection)\n");
}
}
}
return ret;
}
test_code_t
test_dhe_group (gnutls_session session)
{
int ret, ret2;
gnutls_datum gen, prime, pubkey2;
const char *print;
if (verbose == 0 || pubkey.data == NULL)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
ret2 = gnutls_dh_get_group (session, &gen, &prime);
if (ret2 >= 0)
{
printf ("\n");
print = raw_to_string (gen.data, gen.size);
if (print)
printf (" Generator [%d bits]: %s\n", gen.size * 8, print);
print = raw_to_string (prime.data, prime.size);
if (print)
printf (" Prime [%d bits]: %s\n", prime.size * 8, print);
gnutls_dh_get_pubkey (session, &pubkey2);
print = raw_to_string (pubkey2.data, pubkey2.size);
if (print)
printf (" Pubkey [%d bits]: %s\n", pubkey2.size * 8, print);
if (pubkey2.data && pubkey2.size == pubkey.size &&
memcmp (pubkey.data, pubkey2.data, pubkey.size) == 0)
{
printf (" (public key seems to be static among sessions)\n");
}
}
return ret;
}
test_code_t
test_export_info (gnutls_session_t session)
{
int ret2, ret;
gnutls_datum_t exp2, mod2;
const char *print;
if (verbose == 0 || export_true == 0)
return TEST_IGNORE;
sprintf (prio_str, INIT_STR
"+ARCFOUR-40:+RSA-EXPORT:" ALL_COMP ":" ALL_CERTTYPES ":%s:"
ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct (session, prio_str);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_SUCCEED)
{
ret2 = gnutls_rsa_export_get_pubkey (session, &exp2, &mod2);
if (ret2 >= 0)
{
printf ("\n");
print = raw_to_string (exp2.data, exp2.size);
if (print)
printf (" Exponent [%d bits]: %s\n", exp2.size * 8, print);
print = raw_to_string (mod2.data, mod2.size);
if (print)
printf (" Modulus [%d bits]: %s\n", mod2.size * 8, print);
if (mod2.size != mod.size || exp2.size != exp.size ||
memcmp (mod2.data, mod.data, mod.size) != 0 ||
memcmp (exp2.data, exp.data, exp.size) != 0)
{
printf
(" (server uses different public keys per connection)\n");
}
}
}
return ret;
}
SEXP raw_list_to_character(SEXP _source) {
Rcpp::List source(_source);
Rcpp::CharacterVector dest(source.size());
for(int i = 0; i < source.size(); i++) {
dest[i] = raw_to_string(source[i]);
}
return Rcpp::wrap(dest);
}
test_code_t
test_dhe_group (gnutls_session_t session)
{
int ret, ret2;
gnutls_datum_t gen, prime, pubkey2;
const char *print;
if (verbose == 0 || pubkey.data == NULL)
return TEST_IGNORE;
sprintf (prio_str, INIT_STR
ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS
":+DHE-RSA:+DHE-DSS:%s", protocol_str, rest);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
ret2 = gnutls_dh_get_group (session, &gen, &prime);
if (ret2 >= 0)
{
printf ("\n");
print = raw_to_string (gen.data, gen.size);
if (print)
printf (" Generator [%d bits]: %s\n", gen.size * 8, print);
print = raw_to_string (prime.data, prime.size);
if (print)
printf (" Prime [%d bits]: %s\n", prime.size * 8, print);
gnutls_dh_get_pubkey (session, &pubkey2);
print = raw_to_string (pubkey2.data, pubkey2.size);
if (print)
printf (" Pubkey [%d bits]: %s\n", pubkey2.size * 8, print);
if (pubkey2.data && pubkey2.size == pubkey.size &&
memcmp (pubkey.data, pubkey2.data, pubkey.size) == 0)
{
printf (" (public key seems to be static among sessions)\n");
}
}
return ret;
}
int handle_rep(zmq_msg_t * msg)
{
msgpack_object obj;
msgpack_unpacked pack;
char *errmsg;
msgpack_unpacked_init(&pack);
if (!msgpack_unpack_next
(&pack, zmq_msg_data(msg), zmq_msg_size(msg), NULL)) {
LOG_ERROR("handle_rep: msgpack_unpack_next failed\n");
return (-1);
}
obj = pack.data;
if (obj.type != MSGPACK_OBJECT_ARRAY) {
LOG_ERROR("handle_rep: not an array\n");
return (-2);
}
if (obj.via.array.size < 1) {
LOG_ERROR("handle_rep: empty array\n");
return (-3);
}
if (obj.via.array.ptr[0].type != MSGPACK_OBJECT_BOOLEAN) {
LOG_ERROR("handle_rep: first entry is nota boolean\n");
return (-4);
}
if (obj.via.array.ptr[0].via.boolean == false) {
if (obj.via.array.size > 1
&& obj.via.array.ptr[1].type == MSGPACK_OBJECT_RAW) {
errmsg = raw_to_string(&(obj.via.array.ptr[1].via.raw));
if (errmsg) {
LOG_SERV("%s\n", errmsg);
free(errmsg);
}
}
msgpack_unpacked_destroy(&pack);
return (1);
}
if (obj.via.array.size > 1) {
/* Technically speaking unspecified, but I feel lazy */
msgpack_object_print(stdout, obj.via.array.ptr[1]);
printf("\n");
}
return (0);
}
int
print_info (gnutls_session_t session, int print_cert)
{
const char *tmp;
gnutls_credentials_type_t cred;
gnutls_kx_algorithm_t kx;
unsigned char session_id[33];
size_t session_id_size = sizeof (session_id);
/* print session ID */
gnutls_session_get_id (session, session_id, &session_id_size);
printf ("- Session ID: %s\n",
raw_to_string (session_id, session_id_size));
/* print the key exchange's algorithm name
*/
kx = gnutls_kx_get (session);
cred = gnutls_auth_get_type (session);
switch (cred)
{
#ifdef ENABLE_ANON
case GNUTLS_CRD_ANON:
if (kx == GNUTLS_KX_ANON_ECDH)
print_ecdh_info (session, "Anonymous ");
else
print_dh_info (session, "Anonymous ", verbose);
break;
#endif
#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
/* This should be only called in server
* side.
*/
if (gnutls_srp_server_get_username (session) != NULL)
printf ("- SRP authentication. Connected as '%s'\n",
gnutls_srp_server_get_username (session));
break;
#endif
#ifdef ENABLE_PSK
case GNUTLS_CRD_PSK:
/* This returns NULL in server side.
*/
if (gnutls_psk_client_get_hint (session) != NULL)
printf ("- PSK authentication. PSK hint '%s'\n",
gnutls_psk_client_get_hint (session));
/* This returns NULL in client side.
*/
if (gnutls_psk_server_get_username (session) != NULL)
printf ("- PSK authentication. Connected as '%s'\n",
gnutls_psk_server_get_username (session));
if (kx == GNUTLS_KX_DHE_PSK)
print_dh_info (session, "Ephemeral ", verbose);
if (kx == GNUTLS_KX_ECDHE_PSK)
print_ecdh_info (session, "Ephemeral ");
break;
#endif
case GNUTLS_CRD_IA:
printf ("- TLS/IA authentication\n");
break;
case GNUTLS_CRD_CERTIFICATE:
{
char dns[256];
size_t dns_size = sizeof (dns);
unsigned int type;
/* This fails in client side */
if (gnutls_server_name_get
(session, dns, &dns_size, &type, 0) == 0)
{
printf ("- Given server name[%d]: %s\n", type, dns);
}
}
print_cert_info (session,
verbose?GNUTLS_CRT_PRINT_FULL:GNUTLS_CRT_PRINT_COMPACT,
print_cert);
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
print_dh_info (session, "Ephemeral ", verbose);
else if (kx == GNUTLS_KX_ECDHE_RSA
|| kx == GNUTLS_KX_ECDHE_ECDSA)
print_ecdh_info (session, "Ephemeral ");
}
tmp =
SU (gnutls_protocol_get_name
(gnutls_protocol_get_version (session)));
printf ("- Version: %s\n", tmp);
tmp = SU (gnutls_kx_get_name (kx));
printf ("- Key Exchange: %s\n", tmp);
tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session)));
printf ("- Cipher: %s\n", tmp);
tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session)));
printf ("- MAC: %s\n", tmp);
tmp =
SU (gnutls_compression_get_name
(gnutls_compression_get (session)));
printf ("- Compression: %s\n", tmp);
if (verbose)
{
gnutls_datum_t cb;
int rc;
rc = gnutls_session_channel_binding (session,
GNUTLS_CB_TLS_UNIQUE, &cb);
if (rc)
fprintf (stderr, "Channel binding error: %s\n",
gnutls_strerror (rc));
else
{
size_t i;
printf ("- Channel binding 'tls-unique': ");
for (i = 0; i < cb.size; i++)
printf ("%02x", cb.data[i]);
printf ("\n");
}
}
/* Warning: Do not print anything more here. The 'Compression:'
output MUST be the last non-verbose output. This is used by
Emacs starttls.el code. */
fflush (stdout);
return 0;
}
int handle_req(void *socket, zmq_msg_t * msg)
{
int command_id;
char *query;
char *path = NULL;
msgpack_object obj;
msgpack_unpacked pack;
msgpack_unpacked_init(&pack);
if (!msgpack_unpack_next
(&pack, zmq_msg_data(msg), zmq_msg_size(msg), NULL)) {
LOG_ERROR("handle_req: msgpack_unpack_next failed\n");
return (-1);
}
obj = pack.data;
if (obj.type != MSGPACK_OBJECT_ARRAY) {
LOG_ERROR("handle_req: not an array\n");
pcma_send(socket, failed_packfn, "not an array");
return (-2);
}
const char *command = (const char *) obj.via.array.ptr[0].via.raw.ptr;
int command_size = obj.via.array.ptr[0].via.raw.size;
if (!command) {
LOG_ERROR("handle_req: no command\n");
pcma_send(socket, failed_packfn, "no command");
return (-3);
}
if (command_size == PING_COMMAND_SIZE &&
!bcmp(PING_COMMAND, command, PING_COMMAND_SIZE)) {
command_id = PING_COMMAND_ID;
} else if (command_size == LIST_COMMAND_SIZE &&
!bcmp(LIST_COMMAND, command, LIST_COMMAND_SIZE)) {
command_id = LIST_COMMAND_ID;
} else if (command_size == LOCK_COMMAND_SIZE &&
!bcmp(LOCK_COMMAND, command, LOCK_COMMAND_SIZE)) {
command_id = LOCK_COMMAND_ID;
} else if (command_size == UNLOCK_COMMAND_SIZE &&
!bcmp(UNLOCK_COMMAND, command, UNLOCK_COMMAND_SIZE)) {
command_id = UNLOCK_COMMAND_ID;
} else {
LOG_ERROR("handle_req: unknown command\n");
pcma_send(socket, failed_packfn, "unknown command");
return (-4);
}
switch (command_id) {
case PING_COMMAND_ID:
case LIST_COMMAND_ID:
if (obj.via.array.size != 1) {
LOG_ERROR("handle_req: no parameter expected\n");
pcma_send(socket, failed_packfn, "no parameter expected");
return (-5);
}
break;
case LOCK_COMMAND_ID:
case UNLOCK_COMMAND_ID:
if (obj.via.array.size != 2) {
LOG_ERROR("handle_req: 1 parameter expected\n");
pcma_send(socket, failed_packfn, "1 parameter expected");
return (-6);
}
if (obj.via.array.ptr[1].type != MSGPACK_OBJECT_RAW) {
LOG_ERROR("handle_req: RAW parameter expected\n");
pcma_send(socket, failed_packfn, "RAW parameter expected");
return (-7);
}
path = raw_to_string(&obj.via.array.ptr[1].via.raw);
if (!path) {
perror("raw_to_string");
pcma_send(socket, failed_packfn, "raw_to_string failure");
}
}
switch (command_id) {
case PING_COMMAND_ID:
handle_ping_request(socket);
break;
case LIST_COMMAND_ID:
handle_list_request(socket);
break;
case LOCK_COMMAND_ID:
handle_lock_request(socket, path);
break;
case UNLOCK_COMMAND_ID:
handle_unlock_request(socket, path);
break;
}
msgpack_unpacked_destroy(&pack);
if (path)
free(path);
return 0;
}
static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
gnutls_x509_privkey_t key)
{
int ret, key_type;
unsigned int bits = 0;
size_t size;
const char *cprint;
/* Public key algorithm
*/
fprintf(outfile, "Public Key Info:\n");
ret = gnutls_x509_privkey_get_pk_algorithm2(key, &bits);
fprintf(outfile, "\tPublic Key Algorithm: ");
key_type = ret;
cprint = gnutls_pk_algorithm_get_name(key_type);
fprintf(outfile, "%s\n", cprint ? cprint : "Unknown");
fprintf(outfile, "\tKey Security Level: %s (%u bits)\n\n",
gnutls_sec_param_get_name(gnutls_x509_privkey_sec_param
(key)), bits);
/* Print the raw public and private keys
*/
if (key_type == GNUTLS_PK_RSA) {
gnutls_datum_t m, e, d, p, q, u, exp1, exp2;
ret =
gnutls_x509_privkey_export_rsa_raw2(key, &m, &e, &d,
&p, &q, &u, &exp1,
&exp2);
if (ret < 0)
fprintf(stderr,
"Error in key RSA data export: %s\n",
gnutls_strerror(ret));
else {
print_rsa_pkey(outfile, &m, &e, &d, &p, &q, &u,
&exp1, &exp2, cinfo->cprint);
gnutls_free(m.data);
gnutls_free(e.data);
gnutls_free(d.data);
gnutls_free(p.data);
gnutls_free(q.data);
gnutls_free(u.data);
gnutls_free(exp1.data);
gnutls_free(exp2.data);
}
} else if (key_type == GNUTLS_PK_DSA) {
gnutls_datum_t p, q, g, y, x;
ret =
gnutls_x509_privkey_export_dsa_raw(key, &p, &q, &g, &y,
&x);
if (ret < 0)
fprintf(stderr,
"Error in key DSA data export: %s\n",
gnutls_strerror(ret));
else {
print_dsa_pkey(outfile, &x, &y, &p, &q, &g,
cinfo->cprint);
gnutls_free(x.data);
gnutls_free(y.data);
gnutls_free(p.data);
gnutls_free(q.data);
gnutls_free(g.data);
}
} else if (key_type == GNUTLS_PK_EC) {
gnutls_datum_t y, x, k;
gnutls_ecc_curve_t curve;
ret =
gnutls_x509_privkey_export_ecc_raw(key, &curve, &x, &y,
&k);
if (ret < 0)
fprintf(stderr,
"Error in key ECC data export: %s\n",
gnutls_strerror(ret));
else {
cprint = gnutls_ecc_curve_get_name(curve);
bits = 0;
print_ecc_pkey(outfile, curve, &k, &x, &y,
cinfo->cprint);
gnutls_free(x.data);
gnutls_free(y.data);
gnutls_free(k.data);
}
}
fprintf(outfile, "\n");
size = lbuffer_size;
ret = gnutls_x509_privkey_get_seed(key, NULL, lbuffer, &size);
if (ret >= 0) {
fprintf(outfile, "Seed: %s\n",
raw_to_string(lbuffer, size));
}
size = lbuffer_size;
ret =
gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA256, lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "Error in key id calculation: %s\n",
gnutls_strerror(ret));
} else {
gnutls_datum_t art;
fprintf(outfile, "Public Key ID:\n\tsha256:%s\n",
raw_to_string(lbuffer, size));
size = lbuffer_size;
ret =
gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA1, lbuffer, &size);
if (ret >= 0) {
fprintf(outfile, "\tsha1:%s\n",
raw_to_string(lbuffer, size));
}
ret =
gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint,
bits, lbuffer, size, &art);
if (ret >= 0) {
fprintf(outfile, "Public key's random art:\n%s\n",
art.data);
gnutls_free(art.data);
}
}
fprintf(outfile, "\n");
}
int
print_info (gnutls_session_t session, const char *hostname, int insecure)
{
const char *tmp;
gnutls_credentials_type_t cred;
gnutls_kx_algorithm_t kx;
/* print the key exchange's algorithm name
*/
kx = gnutls_kx_get (session);
cred = gnutls_auth_get_type (session);
switch (cred)
{
#ifdef ENABLE_ANON
case GNUTLS_CRD_ANON:
print_dh_info (session, "Anonymous ");
break;
#endif
#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
/* This should be only called in server
* side.
*/
if (gnutls_srp_server_get_username (session) != NULL)
printf ("- SRP authentication. Connected as '%s'\n",
gnutls_srp_server_get_username (session));
break;
#endif
#ifdef ENABLE_PSK
case GNUTLS_CRD_PSK:
/* This returns NULL in server side.
*/
if (gnutls_psk_client_get_hint (session) != NULL)
printf ("- PSK authentication. PSK hint '%s'\n",
gnutls_psk_client_get_hint (session));
/* This returns NULL in client side.
*/
if (gnutls_psk_server_get_username (session) != NULL)
printf ("- PSK authentication. Connected as '%s'\n",
gnutls_psk_server_get_username (session));
if (kx == GNUTLS_KX_DHE_PSK)
print_dh_info (session, "Ephemeral ");
break;
#endif
case GNUTLS_CRD_IA:
printf ("- TLS/IA authentication\n");
break;
case GNUTLS_CRD_CERTIFICATE:
{
char dns[256];
size_t dns_size = sizeof (dns);
unsigned int type;
/* This fails in client side */
if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0)
{
printf ("- Given server name[%d]: %s\n", type, dns);
}
}
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
print_dh_info (session, "Ephemeral ");
print_cert_info (session, hostname, insecure);
print_cert_vrfy (session);
}
tmp = SU (gnutls_protocol_get_name (gnutls_protocol_get_version (session)));
printf ("- Version: %s\n", tmp);
tmp = SU (gnutls_kx_get_name (kx));
printf ("- Key Exchange: %s\n", tmp);
tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session)));
printf ("- Cipher: %s\n", tmp);
tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session)));
printf ("- MAC: %s\n", tmp);
tmp = SU (gnutls_compression_get_name (gnutls_compression_get (session)));
printf ("- Compression: %s\n", tmp);
if (verbose)
{
char id[32];
size_t id_size = sizeof (id);
gnutls_session_get_id (session, id, &id_size);
printf ("- Session ID: %s\n", raw_to_string (id, id_size));
}
fflush (stdout);
return 0;
}
