struct rfbssl_ctx *rfbssl_init_global(char *key, char *cert)
{
int ret = GNUTLS_E_SUCCESS;
struct rfbssl_ctx *ctx = NULL;
if (NULL == (ctx = malloc(sizeof(struct rfbssl_ctx)))) {
ret = GNUTLS_E_MEMORY_ERROR;
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_global_init())) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_allocate_credentials(&ctx->x509_cred))) {
/* */
} else if ((ret = gnutls_certificate_set_x509_trust_file(ctx->x509_cred, cert, GNUTLS_X509_FMT_PEM)) < 0) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_set_x509_key_file(ctx->x509_cred, cert, key, GNUTLS_X509_FMT_PEM))) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = generate_dh_params(ctx))) {
/* */
#ifdef I_LIKE_RSA_PARAMS_THAT_MUCH
} else if (!GNUTLS_E_SUCCESS == (ret = generate_rsa_params(ctx))) {
/* */
#endif
} else {
gnutls_global_set_log_function(rfbssl_log_func);
gnutls_global_set_log_level(1);
gnutls_certificate_set_dh_params(ctx->x509_cred, ctx->dh_params);
/* newly allocated memory should be initialized, at least where it is important */
ctx->peekstart = ctx->peeklen = 0;
return ctx;
}
free(ctx);
return NULL;
}
void
server_start (void)
{
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_certificate_set_dh_params (x509_cred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
if (err == -1)
{
perror ("socket");
fail ("server: socket failed\n");
return;
}
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
if (err == -1)
{
perror ("bind");
fail ("server: bind failed\n");
return;
}
err = listen (listen_sd, 1024);
if (err == -1)
{
perror ("listen");
fail ("server: listen failed\n");
return;
}
success ("server: ready. Listening to port '%d'.\n", PORT);
}
void doit(void)
{
generate_dh_params();
run_test("NORMAL:-KX-ALL:+PSK");
run_test("NORMAL:-KX-ALL:+ECDHE-PSK");
run_test("NORMAL:-KX-ALL:+DHE-PSK");
gnutls_dh_params_deinit(dh_params);
}
void
global_start (void)
{
/* this must be called once in the program, it is mostly for the server.
*/
gnutls_global_init ();
gnutls_anon_allocate_server_credentials (&anoncred);
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_anon_set_server_dh_params (anoncred, dh_params);
if (TLS_SESSION_CACHE != 0)
{
wrap_db_init ();
}
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
if (err == -1)
{
perror ("socket");
fail ("server: socket failed\n");
return;
}
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
if (err == -1)
{
perror ("bind");
fail ("server: bind failed\n");
return;
}
err = listen (listen_sd, 1024);
if (err == -1)
{
perror ("listen");
fail ("server: listen failed\n");
return;
}
success ("server: ready. Listening to port '%d'.\n", PORT);
}
void doit(void)
{
int i, err;
signal(SIGCHLD, SIG_IGN);
signal(SIGPIPE, SIG_IGN);
generate_dh_params();
for (i = 0; resume_tests[i].desc; i++) {
int client_sds[SESSIONS], server_sds[SESSIONS];
int j;
printf("%s\n", resume_tests[i].desc);
for (j = 0; j < SESSIONS; j++) {
int sockets[2];
err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
if (err == -1) {
perror("socketpair");
fail("socketpair failed\n");
return;
}
server_sds[j] = sockets[0];
client_sds[j] = sockets[1];
}
child = fork();
if (child < 0) {
perror("fork");
fail("fork");
return;
}
if (child) {
int status = 0;
/* parent */
for (j = 0; j < SESSIONS; j++)
close(client_sds[j]);
server(server_sds, &resume_tests[i]);
wait(&status);
check_wait_status(status);
} else {
for (j = 0; j < SESSIONS; j++)
close(server_sds[j]);
client(client_sds, &resume_tests[i]);
gnutls_global_deinit();
exit(0);
}
}
global_stop();
}
gtlsGlobalServerData::gtlsGlobalServerData(std::string const& _CAfile,
/*std::string const& _CRLFile,*/
std::string const& _CertFile,
std::string const& _keyFile)
: cert_cred(0),
initialized_(true)
{
int ret = 0;
// Logging.
gnutls_global_set_log_level(loglevel);
gnutls_global_set_log_function(gtlsGeneric::logCallback);
// Allocate the structures used to keep certificates in.
ret = gnutls_certificate_allocate_credentials(&cert_cred);
// printerror("gnutls_certificate_allocate_credentials", ret);
if (ret < 0) { initialized_ = false; }
// Set the CA certificate.
// GNUTLS_NOTICE("Setting CA, file='" << _CAfile << "'");
ret = gnutls_certificate_set_x509_trust_file(cert_cred,
_CAfile.c_str(),
GNUTLS_X509_FMT_PEM);
// printerror("gnutls_certificate_set_x509_trust_file", ret);
if (ret < 0) { initialized_ = false; }
// GNUTLS_NOTICE("Processed " << ret << " certificates.");
// Set the certificate and priate key pair.
//GNUTLS_NOTICE("Setting certificate, file='" << _CertFile << "'");
//GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'");
ret = gnutls_certificate_set_x509_key_file(cert_cred,
_CertFile.c_str(),
_keyFile.c_str(),
GNUTLS_X509_FMT_PEM);
// printerror("gnutls_certificate_set_x509_key_file", ret);
if (ret < 0) { initialized_ = false; }
// GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s).");
// Generate and set DH params.
generate_dh_params();
gnutls_certificate_set_dh_params(cert_cred, dh_params);
}
void
server (void)
{
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_certificate_set_dh_params (x509_cred, dh_params);
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
return;
}
success ("server: Handshake was completed\n");
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version (session)));
/* see the Getting peer's information example */
print_info (session);
i = 0;
for (;;)
{
bzero (buffer, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
success ("server: Peer has closed the GNUTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
success ("server: finished\n");
}
static void server(int sd)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
gnutls_certificate_allocate_credentials(&x509_cred);
ret = gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
if (ret == 0) {
fail("server: no CAs loaded\n");
}
gnutls_certificate_set_x509_key_mem(x509_cred,
&server_ca3_localhost_cert,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success("Launched, generating DH parameters...\n");
generate_dh_params();
gnutls_certificate_set_dh_params(x509_cred, dh_params);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits(session, DH_BITS);
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session, 20 * 1000);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
if (debug)
print_info(session);
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int sd)
{
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_trust_mem(x509_cred, &ca,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success("Launched, generating DH parameters...\n");
generate_dh_params();
gnutls_certificate_set_dh_params(x509_cred, dh_params);
session = initialize_tls_session();
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug) {
success("server: Handshake was completed\n");
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
}
/* see the Getting peer's information example */
if (debug)
print_info(session);
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
if (debug)
success
("server: got data, forcing rehandshake.\n");
ret = gnutls_rehandshake(session);
if (ret < 0) {
fail("server: rehandshake failed\n");
gnutls_perror(ret);
break;
}
ret = gnutls_handshake(session);
if (ret < 0) {
fail("server: (re)handshake failed\n");
gnutls_perror(ret);
break;
}
if (debug)
success("server: rehandshake complete.\n");
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
int
main (void)
{
int listen_sd;
int sock, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in cli_addr;
socklen_t cli_addr_size;
gnutls_session_t session;
char buffer[MAX_BUFFER];
priv_data_st priv;
gnutls_datum_t cookie_key;
gnutls_dtls_prestate_st prestate;
int mtu = 1400;
unsigned char sequence[8];
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM);
ret = gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
printf("No certificate or key were found\n");
exit(1);
}
generate_dh_params ();
gnutls_certificate_set_dh_params (x509_cred, dh_params);
gnutls_priority_init (&priority_cache,
"PERFORMANCE:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE",
NULL);
gnutls_key_generate (&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_DGRAM, 0);
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT);
{ /* DTLS requires the IP don't fragment (DF) bit to be set */
#if defined(IP_DONTFRAG)
int optval = 1;
setsockopt (listen_sd, IPPROTO_IP, IP_DONTFRAG,
(const void *) &optval, sizeof (optval));
#elif defined(IP_MTU_DISCOVER)
int optval = IP_PMTUDISC_DO;
setsockopt(listen_sd, IPPROTO_IP, IP_MTU_DISCOVER,
(const void*) &optval, sizeof (optval));
#endif
}
bind (listen_sd, (struct sockaddr *) &sa_serv, sizeof (sa_serv));
printf ("UDP server ready. Listening to port '%d'.\n\n", PORT);
for (;;)
{
printf ("Waiting for connection...\n");
sock = wait_for_connection (listen_sd);
if (sock < 0)
continue;
cli_addr_size = sizeof (cli_addr);
ret = recvfrom (sock, buffer, sizeof (buffer), MSG_PEEK,
(struct sockaddr *) &cli_addr, &cli_addr_size);
if (ret > 0)
{
memset (&prestate, 0, sizeof (prestate));
ret = gnutls_dtls_cookie_verify (&cookie_key, &cli_addr,
sizeof (cli_addr), buffer, ret,
&prestate);
if (ret < 0) /* cookie not valid */
{
priv_data_st s;
memset (&s, 0, sizeof (s));
s.fd = sock;
s.cli_addr = (void *) &cli_addr;
s.cli_addr_size = sizeof (cli_addr);
printf ("Sending hello verify request to %s\n",
human_addr ((struct sockaddr *) &cli_addr,
sizeof (cli_addr), buffer,
sizeof (buffer)));
gnutls_dtls_cookie_send (&cookie_key, &cli_addr,
sizeof (cli_addr), &prestate,
(gnutls_transport_ptr_t) & s,
push_func);
/* discard peeked data */
recvfrom (sock, buffer, sizeof (buffer), 0,
(struct sockaddr *) &cli_addr, &cli_addr_size);
usleep (100);
continue;
}
printf ("Accepted connection from %s\n",
human_addr ((struct sockaddr *)
&cli_addr, sizeof (cli_addr), buffer,
sizeof (buffer)));
}
else
continue;
session = initialize_tls_session ();
gnutls_dtls_prestate_set (session, &prestate);
gnutls_dtls_set_mtu (session, mtu);
priv.session = session;
priv.fd = sock;
priv.cli_addr = (struct sockaddr *) &cli_addr;
priv.cli_addr_size = sizeof (cli_addr);
gnutls_transport_set_ptr (session, &priv);
gnutls_transport_set_push_function (session, push_func);
gnutls_transport_set_pull_function (session, pull_func);
gnutls_transport_set_pull_timeout_function (session, pull_timeout_func);
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
fprintf (stderr, "Error in handshake(): %s\n",
gnutls_strerror (ret));
gnutls_deinit (session);
continue;
}
printf ("- Handshake was completed\n");
for (;;)
{
do
{
ret = gnutls_record_recv_seq (session, buffer, MAX_BUFFER,
sequence);
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0)
{
fprintf (stderr, "Error in recv(): %s\n",
gnutls_strerror (ret));
break;
}
if (ret == 0)
{
printf ("EOF\n\n");
break;
}
buffer[ret] = 0;
printf ("received[%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x]: %s\n",
sequence[0], sequence[1], sequence[2], sequence[3],
sequence[4], sequence[5], sequence[6], sequence[7], buffer);
/* reply back */
ret = gnutls_record_send (session, buffer, ret);
if (ret < 0)
{
fprintf (stderr, "Error in send(): %s\n",
gnutls_strerror (ret));
break;
}
}
gnutls_bye (session, GNUTLS_SHUT_WR);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_priority_deinit (priority_cache);
gnutls_global_deinit ();
return 0;
}
int main (void)
{
/*
* Variable init
*/
int err, listen_sd;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
gnutls_session_t session;
int optval = 1;
/*
* SSL TLS utility init
* This will add the certificate files properly
* to the TLS session we are about to create.
*/
gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM);
gnutls_psk_allocate_server_credentials (&psk_cred);
gnutls_psk_set_server_credentials_function (psk_cred, pskfunc);
generate_dh_params ();
gnutls_priority_init (&priority_cache, "NORMAL:PSK", NULL);
gnutls_certificate_set_dh_params (x509_cred, dh_params);
/*
* Web server socket stuff
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
SOCKET_ERR (listen_sd, "socket");
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
SOCKET_ERR (err, "bind");
err = listen (listen_sd, 1024);
SOCKET_ERR (err, "listen");
/*
* Listening for clients this will SSLize
* the incoming connection by properly doing the "handshake"
*/
client_len = sizeof (sa_cli);
for (;;)
{
session = initialize_tls_session ();
sd = accept(listen_sd, (SA *) & sa_cli, &client_len);
pid_t pid = fork();
if (pid == 0)
break;
else
continue;
}
printf ("Connection received from %s:%d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)),
ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "\tSSL handshake failed!\n\tError: %s\n\n", gnutls_strerror(ret));
}
printf ("\tSSL handshake successful!\n");
/*
* Send it for processing
*/
process_request(session);
printf ("\n");
/*
* Closing connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
// close (sd);
gnutls_deinit (session);
/*
* Properly closing the TLS connection
* we created to the web server.
*/
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_psk_free_server_credentials (psk_cred);
gnutls_priority_deinit (priority_cache);
gnutls_global_deinit ();
return 0;
}
int
main (void)
{
int err, listen_sd, i;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
gnutls_session_t session;
char buffer[MAX_BUF + 1];
int optval = 1;
/* to disallow usage of the blocking /dev/random
*/
gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE,
GNUTLS_X509_FMT_PEM);
gnutls_psk_allocate_server_credentials (&psk_cred);
gnutls_psk_set_server_credentials_function (psk_cred, pskfunc);
generate_dh_params ();
gnutls_priority_init (&priority_cache, "NORMAL:PSK", NULL);
gnutls_certificate_set_dh_params (x509_cred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
SOCKET_ERR (listen_sd, "socket");
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
SOCKET_ERR (err, "bind");
err = listen (listen_sd, 1024);
SOCKET_ERR (err, "listen");
printf ("Server ready. Listening to port '%d'.\n\n", PORT);
client_len = sizeof (sa_cli);
for (;;)
{
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
printf ("- connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
continue;
}
printf ("- Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
i = 0;
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("\n- Peer has closed the GNUTLS connection\n");
break;
}
else if (ret < 0)
{
fprintf (stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
printf ("\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_psk_free_server_credentials (psk_cred);
gnutls_priority_deinit (priority_cache);
gnutls_global_deinit ();
return 0;
}
static void
server (struct params_res *params)
{
size_t t;
/* this must be called once in the program, it is mostly for the server.
*/
if (debug)
{
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (2);
}
gnutls_global_init ();
gnutls_anon_allocate_server_credentials (&anoncred);
if (debug)
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_anon_set_server_dh_params (anoncred, dh_params);
if (params->enable_db)
{
wrap_db_init ();
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_key_generate (&session_ticket_key);
for (t = 0; t < 2; t++)
{
client_len = sizeof (sa_cli);
session = initialize_tls_session (params);
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
if (debug)
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
return;
}
if (debug)
success ("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
i = 0;
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("server: Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
if (params->enable_db)
{
wrap_db_deinit ();
}
gnutls_free (session_ticket_key.data);
session_ticket_key.data = NULL;
if (debug)
success ("server: finished\n");
}
int main(int argc, char *argv[])
{
char errbuf[ERRBUFLEN + 1];
apr_pool_t *pool;
apr_proc_t proc;
dynalogin_session_t *h;
apr_status_t res;
apr_sockaddr_t *sa;
apr_socket_t *socket, *socket_new;
char *cfg_filename;
char *bind_address;
int bind_port;
int qlen = 32;
int cfg_detach = 1;
int ret;
int done = 0;
apr_hash_t *config;
if(apr_initialize() != APR_SUCCESS)
{
fprintf(stderr, "apr_initialize failed\n");
return 1;
}
/* Just return an error if a client closes a socket */
apr_signal_block(SIGPIPE);
openlog(argv[0], LOG_PID, LOG_AUTHPRIV);
if((res = apr_pool_create(&pool, NULL)) != APR_SUCCESS)
{
syslog(LOG_ERR, "failed to create root pool: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
return 1;
}
if(argc == 2)
cfg_filename = argv[1];
else
cfg_filename = apr_psprintf(pool, "%s%c%s",
SYSCONFDIR, DIR_SEP, DEFAULT_CONFIG_FILENAME);
if(cfg_filename == NULL)
{
syslog(LOG_ERR, "apr_psprintf failed to create filename: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
return 1;
}
/* Read config */
if(dynalogin_read_config_from_file(&config, cfg_filename, pool)
!= DYNALOGIN_SUCCESS)
{
syslog(LOG_ERR, "failed to read config file %s",
cfg_filename);
return 1;
}
/* Set up DYNALOGIN session (threadsafe?) */
if(dynalogin_init(&h, pool, config) != DYNALOGIN_SUCCESS)
{
syslog(LOG_ERR, "failed to init dynalogin stack");
return 1;
}
/* Daemonize? */
GET_INT_PARAM(cfg_detach, config, DYNALOGIND_PARAM_DETACH)
if((res=apr_proc_detach(cfg_detach)) != APR_SUCCESS)
{
syslog(LOG_ERR, "failed to detach: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
return 1;
}
/* Create socket for clients */
if((res=apr_socket_create(&socket,
APR_INET, SOCK_STREAM, APR_PROTO_TCP, pool))!=APR_SUCCESS)
{
syslog(LOG_ERR, "failed to create listening socket: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
return 1;
}
GET_STRING_PARAM_DEF(bind_address, config, DYNALOGIND_PARAM_BIND_ADDR, DEFAULT_BIND_ADDR)
GET_INT_PARAM_DEF(bind_port, config, DYNALOGIND_PARAM_BIND_PORT, DEFAULT_BIND_PORT)
if((res=apr_sockaddr_info_get(&sa, bind_address, APR_UNSPEC,
bind_port, APR_IPV4_ADDR_OK || APR_IPV6_ADDR_OK, pool))!=APR_SUCCESS)
{
syslog(LOG_ERR, "failed to resolve bind address: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
apr_socket_close(socket);
return 1;
}
if((res=apr_socket_opt_set(socket, APR_SO_REUSEADDR, 1))!=APR_SUCCESS)
{
syslog(LOG_ERR, "failed to set APR_SO_REUSEADDR: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
apr_socket_close(socket);
return 1;
}
if((res=apr_socket_bind(socket, sa))!=APR_SUCCESS)
{
syslog(LOG_ERR, "failed to bind: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
apr_socket_close(socket);
return 1;
}
GET_STRING_PARAM_DEF(tls_cert, config, DYNALOGIND_PARAM_TLS_CERT, NULL)
GET_STRING_PARAM_DEF(tls_key, config, DYNALOGIND_PARAM_TLS_KEY, NULL)
if(tls_cert != NULL)
{
if(tls_key == NULL)
{
syslog(LOG_ERR, "%s specified, but %s not specified", DYNALOGIND_PARAM_TLS_CERT,
DYNALOGIND_PARAM_TLS_KEY);
return 1;
}
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
ret = gnutls_certificate_set_x509_key_file (x509_cred, tls_cert, tls_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
syslog(LOG_ERR, "No certificate or key were found");
return 1;
}
generate_dh_params ();
gnutls_priority_init (&priority_cache, "PERFORMANCE:%SERVER_PRECEDENCE", NULL);
gnutls_certificate_set_dh_params (x509_cred, dh_params);
}
else if(tls_key == NULL)
{
syslog(LOG_ERR, "%s specified, but %s not specified", DYNALOGIND_PARAM_TLS_KEY,
DYNALOGIND_PARAM_TLS_CERT);
return 1;
}
/* Main loop */
while(done != 1)
{
if((res=apr_socket_listen(socket, qlen))!=APR_SUCCESS)
{
syslog(LOG_ERR, "failed apr_socket_listen: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
apr_socket_close(socket);
return 1;
}
if((res=apr_socket_accept(&socket_new, socket, pool))!=APR_SUCCESS)
{
syslog(LOG_ERR, "failed to accept incoming connection: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
apr_socket_close(socket);
return 1;
}
syslog(LOG_INFO, "new incoming connection");
if((res=handle_new_client(socket_new, pool, h))!=APR_SUCCESS)
{
syslog(LOG_ERR, "failed to handle incoming connection: %s",
apr_strerror(res, errbuf, ERRBUFLEN));
apr_socket_close(socket);
return 1;
}
}
apr_socket_close(socket);
return 0;
}
static void server(int sds[])
{
int j;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(5);
if (debug)
success("Launched, setting DH parameters...\n");
generate_dh_params();
for (j = 0; j < SESSIONS; j++) {
int sd = sds[j];
if (j == 0) {
gnutls_certificate_allocate_credentials(&pgp_cred);
ret =
gnutls_certificate_set_openpgp_key_mem2
(pgp_cred, &server_crt, &server_key, "auto",
GNUTLS_OPENPGP_FMT_BASE64);
} else {
gnutls_certificate_free_credentials(pgp_cred);
gnutls_certificate_allocate_credentials(&pgp_cred);
ret =
gnutls_certificate_set_openpgp_key_mem2
(pgp_cred, &cert2048, &key2048, "auto",
GNUTLS_OPENPGP_FMT_BASE64);
}
if (ret < 0) {
fail("Could not set server key files...\n");
goto end;
}
gnutls_certificate_set_dh_params(pgp_cred, dh_params);
session = initialize_tls_session();
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake %d has failed (%s)\n\n",
j, gnutls_strerror(ret));
goto end;
}
if (debug)
success("server: Handshake %d was completed\n", j);
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
if (debug)
print_info(session);
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%d). Closing...\n", ret);
goto end;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
}
end:
gnutls_certificate_free_credentials(pgp_cred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
int
main (void)
{
int err, listen_sd;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
gnutls_session_t session;
char buffer[MAX_BUF + 1];
int optval = 1;
char name[256];
strcpy (name, "Echo Server");
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&cred);
gnutls_certificate_set_openpgp_keyring_file (cred, RINGFILE,
GNUTLS_OPENPGP_FMT_BASE64);
gnutls_certificate_set_openpgp_key_file (cred, CERTFILE, KEYFILE,
GNUTLS_OPENPGP_FMT_BASE64);
generate_dh_params ();
gnutls_certificate_set_dh_params (cred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
SOCKET_ERR (listen_sd, "socket");
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
SOCKET_ERR (err, "bind");
err = listen (listen_sd, 1024);
SOCKET_ERR (err, "listen");
printf ("%s ready. Listening to port '%d'.\n\n", name, PORT);
client_len = sizeof (sa_cli);
for (;;)
{
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
printf ("- connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
continue;
}
printf ("- Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("\n- Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fprintf (stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
printf ("\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_certificate_free_credentials (cred);
gnutls_global_deinit ();
return 0;
}
int main(void)
{
int err, listen_sd;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
socklen_t client_len;
char topbuf[512];
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
gnutls_psk_server_credentials_t psk_cred;
gnutls_priority_t priority_cache;
char buffer[MAX_BUF + 1];
int optval = 1;
int kx;
if (gnutls_check_version("3.1.4") == NULL) {
fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n");
exit(1);
}
gnutls_global_init();
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_trust_file(x509_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file(x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE, KEYFILE,
GNUTLS_X509_FMT_PEM);
gnutls_psk_allocate_server_credentials(&psk_cred);
gnutls_psk_set_server_credentials_function(psk_cred, pskfunc);
generate_dh_params();
gnutls_priority_init(&priority_cache,
"NORMAL:+PSK:+ECDHE-PSK:+DHE-PSK",
NULL);
gnutls_certificate_set_dh_params(x509_cred, dh_params);
/* Socket operations
*/
listen_sd = socket(AF_INET, SOCK_STREAM, 0);
SOCKET_ERR(listen_sd, "socket");
memset(&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons(PORT); /* Server Port number */
setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
sizeof(int));
err =
bind(listen_sd, (struct sockaddr *) &sa_serv, sizeof(sa_serv));
SOCKET_ERR(err, "bind");
err = listen(listen_sd, 1024);
SOCKET_ERR(err, "listen");
printf("Server ready. Listening to port '%d'.\n\n", PORT);
client_len = sizeof(sa_cli);
for (;;) {
gnutls_init(&session, GNUTLS_SERVER);
gnutls_priority_set(session, priority_cache);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
x509_cred);
gnutls_credentials_set(session, GNUTLS_CRD_PSK, psk_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
sd = accept(listen_sd, (struct sockaddr *) &sa_cli,
&client_len);
printf("- connection from %s, port %d\n",
inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf,
sizeof(topbuf)), ntohs(sa_cli.sin_port));
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fprintf(stderr,
"*** Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
continue;
}
printf("- Handshake was completed\n");
kx = gnutls_kx_get(session);
if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK ||
kx == GNUTLS_KX_ECDHE_PSK) {
printf("- User %s was connected\n",
gnutls_psk_server_get_username(session));
}
/* see the Getting peer's information example */
/* print_info(session); */
for (;;) {
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf
("\n- Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0
&& gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n",
gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n",
ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer, ret);
}
}
printf("\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
}
close(listen_sd);
gnutls_certificate_free_credentials(x509_cred);
gnutls_psk_free_server_credentials(psk_cred);
gnutls_priority_deinit(priority_cache);
gnutls_global_deinit();
return 0;
}
