static mod_context *mod_gnutls_context_new(liServer *srv) {
mod_context *ctx = g_slice_new0(mod_context);
int r;
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&ctx->server_cert))) {
ERROR(srv, "gnutls_certificate_allocate_credentials failed(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error0;
}
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority, "NORMAL", NULL))) {
ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error1;
}
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL))) {
int r1;
if (GNUTLS_E_SUCCESS > (r1 = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL", NULL))) {
ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s",
gnutls_strerror_name(r1), gnutls_strerror(r1));
goto error2;
} else {
ERROR(srv, "gnutls_priority_init('NORMAL:-CIPHER-ALL:+ARCFOUR-128') failed(%s): %s. Using 'NORMAL' instead (BEAST mitigation not available)",
gnutls_strerror_name(r), gnutls_strerror(r));
}
}
#ifdef HAVE_SESSION_TICKET
if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_key_generate(&ctx->ticket_key))) {
ERROR(srv, "gnutls_session_ticket_key_generate failed(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error3;
}
#endif
ctx->srv = srv;
ctx->ocsp = li_gnutls_ocsp_new();
ctx->refcount = 1;
ctx->protect_against_beast = 1;
return ctx;
error3:
gnutls_priority_deinit(ctx->server_priority_beast);
error2:
gnutls_priority_deinit(ctx->server_priority);
error1:
gnutls_certificate_free_credentials(ctx->server_cert);
error0:
g_slice_free(mod_context, ctx);
return NULL;
}
void TLSSocket::init(const std::string& caPath,
const std::string& crlPath,
const std::string& certPath,
const std::string& keyPath) {
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
gnutls_global_init();
gnutls_certificate_allocate_credentials(&xcred);
if (!caPath.empty()) {
gnutls_certificate_set_x509_trust_file(xcred,
caPath.c_str(),
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_flags (xcred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
}
if (!crlPath.empty()) {
gnutls_certificate_set_x509_crl_file(xcred,
crlPath.c_str(),
GNUTLS_X509_FMT_PEM);
}
gnutls_certificate_set_x509_key_file(xcred,
certPath.c_str(),
keyPath.c_str(),
GNUTLS_X509_FMT_PEM);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, 1024);
gnutls_priority_init(&priority_cache, "NORMAL", NULL);
gnutls_certificate_set_dh_params(xcred, dh_params);
}
static std::string RemoveUnknownTokens(const std::string& prio)
{
std::string ret;
irc::sepstream ss(prio, ':');
for (std::string token; ss.GetToken(token); )
{
// Save current position so we can revert later if needed
const std::string::size_type prevpos = ret.length();
// Append next token
if (!ret.empty())
ret.push_back(':');
ret.append(token);
gnutls_priority_t test;
if (gnutls_priority_init(&test, ret.c_str(), NULL) < 0)
{
// The new token broke the priority string, revert to the previously working one
ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Priority string token not recognized: \"%s\"", token.c_str());
ret.erase(prevpos);
}
else
{
// Worked
gnutls_priority_deinit(test);
}
}
return ret;
}
void SslSocket::setupSession()
{
qDebug() << "Initialise client session";
// Setup the trust store
gnutls_certificate_allocate_credentials(&d->x509cred);
gnutls_certificate_set_x509_trust_file(d->x509cred, "/etc/ssl/ca-bundle.pem", GNUTLS_X509_FMT_PEM);
// Configure the session
gnutls_init(&d->session, GNUTLS_CLIENT);
gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509cred);
const char *err;
gnutls_priority_init(&d->priority_cache, "NORMAL", &err);
gnutls_priority_set(d->session, d->priority_cache);
// Setup the transport functions to use QTcpSocket
gnutls_transport_set_ptr(d->session, this);
gnutls_transport_set_pull_function(d->session, read_callback);
#ifdef NO_VECTOR_WRITES
gnutls_transport_set_push_function(d->session, write_callback);
#else
gnutls_transport_set_vec_push_function(d->session, write_vector_callback);
#endif
}
bool Plugin::onLoad(LightBird::IApi *api)
{
int error;
const char *err_pos = NULL;
this->api = api;
try
{
ASSERT_INIT(gnutls_global_init(), "global");
if (!gnutls_check_version(GNUTLS_CHECK_VERSION))
throw Properties("error", "Bad GnuTLS version").add("version required", GNUTLS_CHECK_VERSION);
gnutls_global_set_audit_log_function(Plugin::log);
this->_loadConfiguration();
this->_loadPrivateKey();
this->_loadCertificate();
this->_loadDHParams();
ASSERT_INIT(gnutls_certificate_allocate_credentials(&this->x509_cred), "credentials");
ASSERT(gnutls_certificate_set_x509_key(this->x509_cred, &this->crt, 1, this->key));
ASSERT_INIT(gnutls_priority_init(&this->priority, this->priorityStrings.data(), &err_pos), "priority");
gnutls_certificate_set_dh_params(this->x509_cred, this->dhParams);
}
catch (Properties p)
{
if (err_pos)
p.add("error position", err_pos).add("priority string", this->priorityStrings);
LOG_FATAL("Unable to initialize GnuTLS", p.toMap(), "Plugin", "onLoad");
this->_deinit();
return (false);
}
this->api->contexts().declareInstance("handshake", (this->handshake = new Handshake(this->api, this->handshakeTimeout)));
this->api->contexts().declareInstance("record", (this->record = new Record(this->api)));
return (true);
}
/** Configuration parsing.
* Sets up the default values, and parses the command-line options
* using argp.
*
* @note Does not return if an error occurred.
*/
static crywrap_config_t *_crywrap_config_parse(int argc, char **argv)
{
crywrap_config_t *config =
(crywrap_config_t *) malloc(sizeof(crywrap_config_t));
if (config == NULL)
return NULL;
config->listen.port = 0;
config->listen.addr = NULL;
config->dest.port = 0;
config->dest.addr = NULL;
config->priority = NULL;
config->uid = _CRYWRAP_UID;
config->pidfile = _CRYWRAP_PIDFILE;
config->inetd = 0;
config->anon = 0;
config->verify = 0;
argp_parse(&_crywrap_argp, argc, argv, 0, 0, config);
if (config->priority == NULL)
gnutls_priority_init(&config->priority, "NORMAL", NULL);
return config;
}
/**
* gnutls_priority_set_direct - Sets priorities for the cipher suites supported by gnutls.
* @session: is a #gnutls_session_t structure.
* @priorities: is a string describing priorities
* @err_pos: In case of an error this will have the position in the string the error occured
*
* Sets the priorities to use on the ciphers, key exchange methods,
* macs and compression methods. This function avoids keeping a
* priority cache and is used to directly set string priorities to a
* TLS session. For documentation check the gnutls_priority_init().
*
* On syntax error GNUTLS_E_INVALID_REQUEST is returned and 0 on success.
*
**/
int
gnutls_priority_set_direct (gnutls_session_t session, const char *priorities,
const char **err_pos)
{
gnutls_priority_t prio;
int ret;
ret = gnutls_priority_init (&prio, priorities, err_pos);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_priority_set (session, prio);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
gnutls_priority_deinit (prio);
return 0;
}
void
relay_network_init ()
{
#ifdef HAVE_GNUTLS
/* credentials */
gnutls_certificate_allocate_credentials (&relay_gnutls_x509_cred);
relay_network_set_ssl_cert_key (0);
/* priority */
relay_gnutls_priority_cache = malloc (sizeof (*relay_gnutls_priority_cache));
if (relay_gnutls_priority_cache)
{
if (gnutls_priority_init (relay_gnutls_priority_cache,
"PERFORMANCE", NULL) != GNUTLS_E_SUCCESS)
{
weechat_printf (NULL,
_("%s%s: unable to initialize priority for SSL"),
weechat_prefix ("error"), RELAY_PLUGIN_NAME);
free (relay_gnutls_priority_cache);
relay_gnutls_priority_cache = NULL;
}
}
#endif
relay_network_init_ok = 1;
}
static void
try_prio (const char* prio, unsigned expected_cs, unsigned expected_ciphers)
{
int ret;
gnutls_priority_t p;
const char* err;
const unsigned int * t;
unsigned i, si, count = 0;
/* this must be called once in the program
*/
global_init ();
ret = gnutls_priority_init(&p, prio, &err);
if (ret < 0)
{
fprintf(stderr, "error: %s: %s\n", gnutls_strerror(ret), err);
exit(1);
}
for (i=0;;i++)
{
ret = gnutls_priority_get_cipher_suite_index(p, i, &si);
if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
continue;
else if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
else if (ret == 0)
{
count++;
/* fprintf(stderr, "%s\n", gnutls_cipher_suite_info(si, NULL, NULL, NULL, NULL, NULL)); */
}
}
ret = gnutls_priority_cipher_list (p, &t);
if ((unsigned)ret != expected_ciphers)
{
#if 0
for (i=0;i<ret;i++)
fprintf(stderr, "%s\n", gnutls_cipher_get_name(t[i]));
#endif
fail("expected %d ciphers, found %d\n", expected_ciphers, ret);
exit(1);
}
gnutls_priority_deinit(p);
/* fprintf(stderr, "count: %d\n", count); */
if (debug)
success ("finished: %s\n", prio);
if (count != expected_cs)
{
fail("expected %d ciphersuites, found %d\n", expected_cs, count);
exit(1);
}
}
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
{
const char *err;
int rc = gnutls_priority_init( &ctx->prios, suites, &err );
if ( rc )
ctx->prios = NULL;
return rc;
}
void DTLS_Init(void)
{
memset(sessions,0,sizeof(DTLS_Session) * MAX_DTLS_SESSIONS);
gnutls_global_init();
// unsigned int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
// gnutls_dh_params_init(&_DHParameters);
// gnutls_dh_params_generate2(_DHParameters, bits);
gnutls_priority_init(&_PriorityCache, "NONE:+VERS-ALL:+ECDHE-ECDSA:+ECDHE-PSK:+PSK:+CURVE-ALL:+AES-128-CCM-8:+AES-128-CBC:+MAC-ALL:-SHA1:+COMP-ALL:+SIGN-ALL:+CTYPE-X.509", NULL);
}
void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
int ret = gnutls_global_init ();
if (ret < 0)
throw format ("TLS init error. {1}", gnutls_strerror (ret));
ret = gnutls_certificate_allocate_credentials (&_credentials);
if (ret < 0)
throw format ("TLS allocation error. {1}", gnutls_strerror (ret));
if (_ca != "" &&
(ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CA file. {1}", gnutls_strerror (ret));
if ( _crl != "" &&
(ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CRL file. {1}", gnutls_strerror (ret));
if (_cert != "" &&
_key != "" &&
(ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CERT file. {1}", gnutls_strerror (ret));
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
// The automatic verification for the client certificate with
// gnutls_certificate_set_verify_function only works with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
void SSLi_init()
{
if(gnutls_priority_init(&cipherCache, ciphers, NULL) != GNUTLS_E_SUCCESS)
{
Log_fatal("Failed to set priorities");
}
initializeCertificate();
Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
}
void SslDriver::setPriorities(const std::string& value)
{
TRACE("setPriorities: \"%s\"", value.c_str());
const char *errp = nullptr;
int rv = gnutls_priority_init(&priorities_, value.c_str(), &errp);
if (rv != GNUTLS_E_SUCCESS) {
TRACE("gnutls_priority_init: error: %s \"%s\"", gnutls_strerror(rv), errp ? errp : "");
}
}
struct cert* loadCert(const char* ca, const char* cert, const char* key) {
struct cert* oc = xmalloc(sizeof(struct cert));
gnutls_certificate_allocate_credentials(&oc->cert);
if (ca != NULL) gnutls_certificate_set_x509_trust_file(oc->cert, ca, GNUTLS_X509_FMT_PEM);
int e1 = gnutls_certificate_set_x509_key_file(oc->cert, cert, key, GNUTLS_X509_FMT_PEM);
if (e1 < 0) {
return NULL;
}
gnutls_priority_init(&oc->priority, "PERFORMANCE:%SERVER_PRECEDENCE", NULL);
gnutls_certificate_set_dh_params(oc->cert, dh_params);
return oc;
}
Priority(const std::string& priorities)
{
// Try to set the priorities for ciphers, kex methods etc. to the user supplied string
// If the user did not supply anything then the string is already set to "NORMAL"
const char* priocstr = priorities.c_str();
const char* prioerror;
int ret = gnutls_priority_init(&priority, priocstr, &prioerror);
if (ret < 0)
{
// gnutls did not understand the user supplied string
throw Exception("Unable to initialize priorities to \"" + priorities + "\": " + gnutls_strerror(ret) + " Syntax error at position " + ConvToStr((unsigned int) (prioerror - priocstr)));
}
}
bool secure::init(void)
{
static bool initialized = false;
if(!initialized) {
Thread::init();
Socket::init();
gnutls_global_init();
gnutls_priority_init (&context::priority_cache, "NORMAL", NULL);
atexit(secure_shutdown);
initialized = true;
}
return true;
}
wxString CTlsSocket::ListTlsCiphers(wxString priority)
{
if (priority.IsEmpty())
priority = wxString::FromUTF8(ciphers);
wxString list = wxString::Format(_T("Ciphers for %s:\n"), priority.c_str());
#if GNUTLS_VERSION_NUMBER >= 0x030009
gnutls_priority_t pcache;
const char *err = 0;
int ret = gnutls_priority_init(&pcache, priority.mb_str(), &err);
if (ret < 0)
{
list += wxString::Format(_T("gnutls_priority_init failed with code %d: %s"), ret, wxString::FromUTF8(err ? err : "").c_str());
return list;
}
else
{
for (size_t i = 0; ; i++)
{
unsigned int idx;
ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
continue;
gnutls_protocol_t version;
unsigned char id[2];
const char* name = gnutls_cipher_suite_info(idx, id, NULL, NULL, NULL, &version);
if (name != 0)
{
list += wxString::Format(
_T("%-50s 0x%02x, 0x%02x %s\n"),
wxString::FromUTF8(name).c_str(),
(unsigned char)id[0],
(unsigned char)id[1],
wxString::FromUTF8(gnutls_protocol_get_name(version)).c_str());
}
}
}
#else
list += _T("Unknown\n");
#endif
return list;
}
void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&_credentials);
if (_ca != "" &&
gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CA file.");
if ( _crl != "" &&
gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CRL file.");
if (_cert != "" &&
_key != "" &&
gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CERT file.");
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
/// Enables TLS on the given server.
static void onion_enable_tls(onion *o){
#ifdef HAVE_PTHREADS
gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
#endif
if (!(o->flags&O_USE_DEV_RANDOM)){
gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
}
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&o->x509_cred);
gnutls_dh_params_init (&o->dh_params);
gnutls_dh_params_generate2 (o->dh_params, 1024);
gnutls_certificate_set_dh_params (o->x509_cred, o->dh_params);
gnutls_priority_init (&o->priority_cache, "NORMAL", NULL);
o->flags|=O_SSL_ENABLED;
}
void
relay_network_set_priority ()
{
#ifdef HAVE_GNUTLS
if (gnutls_priority_init (relay_gnutls_priority_cache,
weechat_config_string (
relay_config_network_ssl_priorities),
NULL) != GNUTLS_E_SUCCESS)
{
weechat_printf (NULL,
_("%s%s: unable to initialize priority for SSL"),
weechat_prefix ("error"), RELAY_PLUGIN_NAME);
free (relay_gnutls_priority_cache);
relay_gnutls_priority_cache = NULL;
}
#endif
}
static void print_cipher_suite_list(const char *priorities)
{
size_t i;
int ret;
unsigned int idx;
const char *name;
const char *err;
unsigned char id[2];
gnutls_protocol_t version;
gnutls_priority_t pcache;
if (priorities != NULL) {
printf("Cipher suites for %s\n", priorities);
ret = gnutls_priority_init(&pcache, priorities, &err);
if (ret < 0) {
fprintf(stderr, "Syntax error at: %s\n", err);
exit(1);
}
for (i = 0;; i++) {
ret =
gnutls_priority_get_cipher_suite_index(pcache,
i,
&idx);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
continue;
name =
gnutls_cipher_suite_info(idx, id, NULL, NULL,
NULL, &version);
if (name != NULL)
printf("%-50s\t0x%02x, 0x%02x\t%s\n",
name, (unsigned char) id[0],
(unsigned char) id[1],
gnutls_protocol_get_name(version));
}
return;
}
}
int
relay_config_check_network_ssl_priorities (void *data,
struct t_config_option *option,
const char *value)
{
#ifdef HAVE_GNUTLS
gnutls_priority_t priority_cache;
const char *pos_error;
int rc;
/* make C compiler happy */
(void) data;
(void) option;
pos_error = value;
if (value && value[0])
{
rc = gnutls_priority_init (&priority_cache, value, &pos_error);
if (rc == GNUTLS_E_SUCCESS)
{
gnutls_priority_deinit (priority_cache);
return 1;
}
}
weechat_printf (NULL,
_("%s%s: invalid priorities string, error "
"at this position in string: \"%s\""),
weechat_prefix ("error"), RELAY_PLUGIN_NAME,
(pos_error) ? pos_error : value);
return 0;
#else
/* make C compiler happy */
(void) data;
(void) option;
(void) value;
return 1;
#endif
}
int
manos_tls_global_init (const char *priorities)
{
int err;
priority_cache = NULL;
dh_params = NULL;
err = gnutls_global_init ();
if (err != 0) {
return -1;
}
err = gnutls_priority_init (&priority_cache, priorities, NULL);
if (err != 0) {
return -2;
}
return 0;
}
static tls_ctx *
tlsg_ctx_new ( struct ldapoptions *lo )
{
tlsg_ctx *ctx;
ctx = ber_memcalloc ( 1, sizeof (*ctx) );
if ( ctx ) {
ctx->lo = lo;
if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
ber_memfree( ctx );
return NULL;
}
ctx->refcount = 1;
gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
#endif
}
return (tls_ctx *)ctx;
}
int tls_init(void)
{
int ret = 0;
if (!_tls_init)
{
ret = gnutls_global_init();
if (ret != GNUTLS_E_SUCCESS)
{
return SOCK_TLS_INIT_ERROR;
}
ret = gnutls_priority_init(&_tls_priority_cache, "NORMAL", NULL);
if (ret != GNUTLS_E_SUCCESS)
{
return SOCK_TLS_INIT_ERROR;
}
_tls_init = 1;
}
return SOCK_OK;
}
void SSLi_init()
{
unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
gnutls_priority_init(&cipherCache, ciphers, NULL);
initializeCertificate();
gnutls_dh_params_init(&dhParameters);
Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount);
int error = gnutls_dh_params_generate2(dhParameters, bitCount);
if(!error) {
Log_info("Successfully generated Diffie-Hellman parameters");
} else {
Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error));
}
gnutls_certificate_set_dh_params(certificate, dhParameters);
Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
}
tls->ny = ny;
tls->tls_error = NULL;
tls->sess_error = NULL;
tls->sess_destroy = NULL;
tls->sess_readable = NULL;
tls->sess_writable = NULL;
tls->trans_recv = NULL;
tls->trans_send_vec = NULL;
tls->trans_close = NULL;
/* Initialise GnuTLS */
gnutls_global_init();
char const *err_pos;
_ = gnutls_priority_init(&tls->prio_cache,
prio ? prio : NY_TLS_DEFAULT_PRIO, &err_pos);
if (unlikely(_)) {
ny_error_set(&tls->ny->error, NY_ERROR_DOMAIN_GTLS, _);
goto exit;
}
/* Generate Diffie‐Hellman parameters */
unsigned int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
GNUTLS_SEC_PARAM_HIGH);
_ = gnutls_dh_params_init(&tls->dh_params);
if (unlikely(_)) {
ny_error_set(&tls->ny->error, NY_ERROR_DOMAIN_GTLS, _);
goto deinit_gtls;
}
void
print_list (const char *priorities, int verbose)
{
size_t i;
int ret;
unsigned int idx;
const char *name;
const char *err;
unsigned char id[2];
gnutls_kx_algorithm_t kx;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
gnutls_priority_t pcache;
const unsigned int *list;
if (priorities != NULL)
{
printf ("Cipher suites for %s\n", priorities);
ret = gnutls_priority_init (&pcache, priorities, &err);
if (ret < 0)
{
fprintf (stderr, "Syntax error at: %s\n", err);
exit (1);
}
for (i = 0;; i++)
{
ret =
gnutls_priority_get_cipher_suite_index (pcache, i,
&idx);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
break;
if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
continue;
name =
gnutls_cipher_suite_info (idx, id, NULL, NULL, NULL,
&version);
if (name != NULL)
printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
name, (unsigned char) id[0],
(unsigned char) id[1],
gnutls_protocol_get_name (version));
}
printf("\n");
{
ret = gnutls_priority_certificate_type_list (pcache, &list);
printf ("Certificate types: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("CTYPE-%s",
gnutls_certificate_type_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_protocol_list (pcache, &list);
printf ("Protocols: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("VERS-%s", gnutls_protocol_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_compression_list (pcache, &list);
printf ("Compression: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("COMP-%s",
gnutls_compression_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_ecc_curve_list (pcache, &list);
printf ("Elliptic curves: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("CURVE-%s",
gnutls_ecc_curve_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
{
ret = gnutls_priority_sign_list (pcache, &list);
printf ("PK-signatures: ");
if (ret == 0) printf("none\n");
for (i = 0; i < (unsigned)ret; i++)
{
printf ("SIGN-%s",
gnutls_sign_algorithm_get_name (list[i]));
if (i+1!=(unsigned)ret)
printf (", ");
else
printf ("\n");
}
}
return;
}
printf ("Cipher suites:\n");
for (i = 0; (name = gnutls_cipher_suite_info
(i, id, &kx, &cipher, &mac, &version)); i++)
{
printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
name,
(unsigned char) id[0], (unsigned char) id[1],
gnutls_protocol_get_name (version));
if (verbose)
printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
gnutls_kx_get_name (kx),
gnutls_cipher_get_name (cipher),
gnutls_mac_get_name (mac));
}
printf("\n");
{
const gnutls_certificate_type_t *p =
gnutls_certificate_type_list ();
printf ("Certificate types: ");
for (; *p; p++)
{
printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_protocol_t *p = gnutls_protocol_list ();
printf ("Protocols: ");
for (; *p; p++)
{
printf ("VERS-%s", gnutls_protocol_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
printf ("Ciphers: ");
for (; *p; p++)
{
printf ("%s", gnutls_cipher_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
printf ("MACs: ");
for (; *p; p++)
{
printf ("%s", gnutls_mac_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
printf ("Key exchange algorithms: ");
for (; *p; p++)
{
printf ("%s", gnutls_kx_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_compression_method_t *p = gnutls_compression_list ();
printf ("Compression: ");
for (; *p; p++)
{
printf ("COMP-%s", gnutls_compression_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list ();
printf ("Elliptic curves: ");
for (; *p; p++)
{
printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
printf ("Public Key Systems: ");
for (; *p; p++)
{
printf ("%s", gnutls_pk_algorithm_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
{
const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
printf ("PK-signatures: ");
for (; *p; p++)
{
printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p));
if (*(p + 1))
printf (", ");
else
printf ("\n");
}
}
}
/** Argument parsing routine.
* Used by the argp suite.
*/
static error_t
_crywrap_config_parse_opt(int key, char *arg, struct argp_state *state)
{
crywrap_config_t *cfg = (crywrap_config_t *) state->input;
int ret;
switch (key) {
case 'D':
cfg->debug = 1;
cry_log = debug_log;
cry_error = debug_log;
break;
case 'd':
if (_crywrap_parse_ip
(arg, &cfg->dest.port, &cfg->dest.addr,
&cfg->dest.host) < 0)
argp_error(state,
"Could not resolve address: `%s'", arg);
break;
case 'l':
if (_crywrap_parse_ip(arg, &cfg->listen.port,
&cfg->listen.addr, NULL) < 0)
argp_error(state,
"Could not resolve address: `%s'", arg);
break;
case 'u':
cfg->uid = atoi(arg);
break;
case 'P':
if (arg && *arg)
cfg->pidfile = strdup(arg);
else
cfg->pidfile = NULL;
break;
case 'r':
if (arg && *arg) {
dh_file = load_file(arg);
if (dh_file.data == NULL)
argp_error(state,
"error loading Diffie Hellman parameters file: %s.",
arg);
}
break;
case 'p':
if (arg && *arg) {
const char *pos;
ret =
gnutls_priority_init(&cfg->priority, arg,
&pos);
if (ret < 0)
argp_error(state,
"error in priority string at: %s.",
pos);
}
break;
case 'c':
if (arg && *arg)
pem_cert = strdup(arg);
break;
case 'k':
if (arg && *arg)
pem_key = strdup(arg);
break;
break;
case 'i':
cfg->inetd = 1;
break;
case 'a':
{
const char *pos;
ret =
gnutls_priority_init(&cfg->priority,
"NORMAL:+ANON-ECDH:+ANON-DH",
&pos);
if (ret < 0)
argp_error(state,
"error in priority string at: %s.",
pos);
}
cfg->verify = 0;
cfg->anon = 1;
break;
case 'v':
cfg->verify = (arg) ? atoi(arg) : 1;
break;
case 'z':
ret = gnutls_certificate_set_x509_trust_file(cred, arg,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
argp_error(state,
"error reading X.509 CA file: %s.",
gnutls_strerror(ret));
break;
case ARGP_KEY_END:
if (!cfg->inetd) {
if (!cfg->listen.addr || !cfg->dest.addr)
argp_error
(state,
"a listening and a destination address must be set!");
} else if (!cfg->dest.addr)
argp_error(state,
"a destination address must be set!");
if (cfg->anon)
break;
if (pem_cert == NULL || pem_key == NULL)
ret =
gnutls_certificate_set_x509_key_file(cred,
_CRYWRAP_PEMFILE,
_CRYWRAP_PEMFILE,
GNUTLS_X509_FMT_PEM);
else
ret =
gnutls_certificate_set_x509_key_file(cred,
pem_cert,
pem_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
argp_error(state,
"Error reading X.509 key or certificate file: %s",
gnutls_strerror(ret));
break;
default:
return ARGP_ERR_UNKNOWN;
}
return 0;
}