Esempio n. 1
0
static mod_context *mod_gnutls_context_new(liServer *srv) {
	mod_context *ctx = g_slice_new0(mod_context);
	int r;

	if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&ctx->server_cert))) {
		ERROR(srv, "gnutls_certificate_allocate_credentials failed(%s): %s",
			gnutls_strerror_name(r), gnutls_strerror(r));
		goto error0;
	}

	if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority, "NORMAL", NULL))) {
		ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s",
			gnutls_strerror_name(r), gnutls_strerror(r));
		goto error1;
	}

	if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL))) {
		int r1;
		if (GNUTLS_E_SUCCESS > (r1 = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL", NULL))) {
			ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s",
				gnutls_strerror_name(r1), gnutls_strerror(r1));
			goto error2;
		} else {
			ERROR(srv, "gnutls_priority_init('NORMAL:-CIPHER-ALL:+ARCFOUR-128') failed(%s): %s. Using 'NORMAL' instead (BEAST mitigation not available)",
				gnutls_strerror_name(r), gnutls_strerror(r));
		}
	}

#ifdef HAVE_SESSION_TICKET
	if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_key_generate(&ctx->ticket_key))) {
		ERROR(srv, "gnutls_session_ticket_key_generate failed(%s): %s",
			gnutls_strerror_name(r), gnutls_strerror(r));
		goto error3;
	}
#endif

	ctx->srv = srv;

	ctx->ocsp = li_gnutls_ocsp_new();

	ctx->refcount = 1;
	ctx->protect_against_beast = 1;

	return ctx;

error3:
	gnutls_priority_deinit(ctx->server_priority_beast);

error2:
	gnutls_priority_deinit(ctx->server_priority);

error1:
	gnutls_certificate_free_credentials(ctx->server_cert);

error0:
	g_slice_free(mod_context, ctx);
	return NULL;
}
Esempio n. 2
0
    void TLSSocket::init(const std::string& caPath,
            const std::string& crlPath,
            const std::string& certPath,
            const std::string& keyPath) {
        gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
        gnutls_global_init();    	
        gnutls_certificate_allocate_credentials(&xcred);
        if (!caPath.empty()) {
            gnutls_certificate_set_x509_trust_file(xcred, 
                    caPath.c_str(), 
                    GNUTLS_X509_FMT_PEM);
            gnutls_certificate_set_verify_flags (xcred,
                    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
        }
        if (!crlPath.empty()) {
            gnutls_certificate_set_x509_crl_file(xcred,
                    crlPath.c_str(), 
                    GNUTLS_X509_FMT_PEM);
        }
        gnutls_certificate_set_x509_key_file(xcred,
                certPath.c_str(),
                keyPath.c_str(),
                GNUTLS_X509_FMT_PEM);
        gnutls_dh_params_init(&dh_params);
        gnutls_dh_params_generate2(dh_params, 1024);
        gnutls_priority_init(&priority_cache, "NORMAL", NULL);
        gnutls_certificate_set_dh_params(xcred, dh_params);

    }
Esempio n. 3
0
		static std::string RemoveUnknownTokens(const std::string& prio)
		{
			std::string ret;
			irc::sepstream ss(prio, ':');
			for (std::string token; ss.GetToken(token); )
			{
				// Save current position so we can revert later if needed
				const std::string::size_type prevpos = ret.length();
				// Append next token
				if (!ret.empty())
					ret.push_back(':');
				ret.append(token);

				gnutls_priority_t test;
				if (gnutls_priority_init(&test, ret.c_str(), NULL) < 0)
				{
					// The new token broke the priority string, revert to the previously working one
					ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Priority string token not recognized: \"%s\"", token.c_str());
					ret.erase(prevpos);
				}
				else
				{
					// Worked
					gnutls_priority_deinit(test);
				}
			}
			return ret;
		}
Esempio n. 4
0
void SslSocket::setupSession()
{
    qDebug() << "Initialise client session";

    // Setup the trust store
    gnutls_certificate_allocate_credentials(&d->x509cred);
    gnutls_certificate_set_x509_trust_file(d->x509cred, "/etc/ssl/ca-bundle.pem", GNUTLS_X509_FMT_PEM);

    // Configure the session
    gnutls_init(&d->session, GNUTLS_CLIENT);
    gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509cred);

    const char *err;
    gnutls_priority_init(&d->priority_cache, "NORMAL", &err);
    gnutls_priority_set(d->session, d->priority_cache);

    // Setup the transport functions to use QTcpSocket
    gnutls_transport_set_ptr(d->session, this);
    gnutls_transport_set_pull_function(d->session, read_callback);

#ifdef NO_VECTOR_WRITES
    gnutls_transport_set_push_function(d->session, write_callback);
#else
    gnutls_transport_set_vec_push_function(d->session, write_vector_callback);
#endif
}
Esempio n. 5
0
bool    Plugin::onLoad(LightBird::IApi *api)
{
    int         error;
    const char  *err_pos = NULL;

    this->api = api;
    try
    {
        ASSERT_INIT(gnutls_global_init(), "global");
        if (!gnutls_check_version(GNUTLS_CHECK_VERSION))
            throw Properties("error", "Bad GnuTLS version").add("version required", GNUTLS_CHECK_VERSION);
        gnutls_global_set_audit_log_function(Plugin::log);
        this->_loadConfiguration();
        this->_loadPrivateKey();
        this->_loadCertificate();
        this->_loadDHParams();
        ASSERT_INIT(gnutls_certificate_allocate_credentials(&this->x509_cred), "credentials");
        ASSERT(gnutls_certificate_set_x509_key(this->x509_cred, &this->crt, 1, this->key));
        ASSERT_INIT(gnutls_priority_init(&this->priority, this->priorityStrings.data(), &err_pos), "priority");
        gnutls_certificate_set_dh_params(this->x509_cred, this->dhParams);
    }
    catch (Properties p)
    {
        if (err_pos)
            p.add("error position", err_pos).add("priority string", this->priorityStrings);
        LOG_FATAL("Unable to initialize GnuTLS", p.toMap(), "Plugin", "onLoad");
        this->_deinit();
        return (false);
    }
    this->api->contexts().declareInstance("handshake", (this->handshake = new Handshake(this->api, this->handshakeTimeout)));
    this->api->contexts().declareInstance("record", (this->record = new Record(this->api)));
    return (true);
}
Esempio n. 6
0
/** Configuration parsing.
 * Sets up the default values, and parses the command-line options
 * using argp.
 *
 * @note Does not return if an error occurred.
 */
static crywrap_config_t *_crywrap_config_parse(int argc, char **argv)
{
	crywrap_config_t *config =
	    (crywrap_config_t *) malloc(sizeof(crywrap_config_t));

	if (config == NULL)
		return NULL;

	config->listen.port = 0;
	config->listen.addr = NULL;
	config->dest.port = 0;
	config->dest.addr = NULL;
	config->priority = NULL;
	config->uid = _CRYWRAP_UID;
	config->pidfile = _CRYWRAP_PIDFILE;
	config->inetd = 0;
	config->anon = 0;
	config->verify = 0;

	argp_parse(&_crywrap_argp, argc, argv, 0, 0, config);

	if (config->priority == NULL)
		gnutls_priority_init(&config->priority, "NORMAL", NULL);

	return config;
}
Esempio n. 7
0
/**
  * gnutls_priority_set_direct - Sets priorities for the cipher suites supported by gnutls.
  * @session: is a #gnutls_session_t structure.
  * @priorities: is a string describing priorities
  * @err_pos: In case of an error this will have the position in the string the error occured
  *
  * Sets the priorities to use on the ciphers, key exchange methods,
  * macs and compression methods. This function avoids keeping a
  * priority cache and is used to directly set string priorities to a
  * TLS session.  For documentation check the gnutls_priority_init().
  *
  * On syntax error GNUTLS_E_INVALID_REQUEST is returned and 0 on success.
  *
  **/
int
gnutls_priority_set_direct (gnutls_session_t session, const char *priorities,
			    const char **err_pos)
{
  gnutls_priority_t prio;
  int ret;

  ret = gnutls_priority_init (&prio, priorities, err_pos);
  if (ret < 0)
    {
      gnutls_assert ();
      return ret;
    }

  ret = gnutls_priority_set (session, prio);
  if (ret < 0)
    {
      gnutls_assert ();
      return ret;
    }

  gnutls_priority_deinit (prio);

  return 0;
}
Esempio n. 8
0
void
relay_network_init ()
{
#ifdef HAVE_GNUTLS

    /* credentials */
    gnutls_certificate_allocate_credentials (&relay_gnutls_x509_cred);
    relay_network_set_ssl_cert_key (0);

    /* priority */
    relay_gnutls_priority_cache = malloc (sizeof (*relay_gnutls_priority_cache));
    if (relay_gnutls_priority_cache)
    {
        if (gnutls_priority_init (relay_gnutls_priority_cache,
                                  "PERFORMANCE", NULL) != GNUTLS_E_SUCCESS)
        {
            weechat_printf (NULL,
                            _("%s%s: unable to initialize priority for SSL"),
                            weechat_prefix ("error"), RELAY_PLUGIN_NAME);
            free (relay_gnutls_priority_cache);
            relay_gnutls_priority_cache = NULL;
        }
    }
#endif
    relay_network_init_ok = 1;
}
Esempio n. 9
0
static void
try_prio (const char* prio, unsigned expected_cs, unsigned expected_ciphers)
{
int ret;
gnutls_priority_t p;
const char* err;
const unsigned int * t;
unsigned i, si, count = 0;

  /* this must be called once in the program
   */
  global_init ();
  
  ret = gnutls_priority_init(&p, prio, &err);
  if (ret < 0)
    {
      fprintf(stderr, "error: %s: %s\n", gnutls_strerror(ret), err);
      exit(1);
    }
  
  for (i=0;;i++)
    {
      ret = gnutls_priority_get_cipher_suite_index(p, i, &si);
      if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
      	continue;
      else if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
      	break;
      else if (ret == 0)
        {
          count++;
          /* fprintf(stderr, "%s\n", gnutls_cipher_suite_info(si, NULL, NULL, NULL, NULL, NULL)); */
        }

    }
  
  ret = gnutls_priority_cipher_list (p, &t);
  if ((unsigned)ret != expected_ciphers)
    {
#if 0
for (i=0;i<ret;i++)
  fprintf(stderr, "%s\n", gnutls_cipher_get_name(t[i]));
#endif
      fail("expected %d ciphers, found %d\n", expected_ciphers, ret);
      exit(1);
    }
  
  gnutls_priority_deinit(p);
  
  /* fprintf(stderr, "count: %d\n", count); */

  if (debug)
    success ("finished: %s\n", prio);
  
  if (count != expected_cs) 
    {
      fail("expected %d ciphersuites, found %d\n", expected_cs, count);
      exit(1);
    }
}
Esempio n. 10
0
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
{
	const char *err;
	int rc = gnutls_priority_init( &ctx->prios, suites, &err );
	if ( rc )
		ctx->prios = NULL;
	return rc;
}
void DTLS_Init(void)
{
    memset(sessions,0,sizeof(DTLS_Session) * MAX_DTLS_SESSIONS);
    gnutls_global_init();
    //    unsigned int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
    //    gnutls_dh_params_init(&_DHParameters);
    //    gnutls_dh_params_generate2(_DHParameters, bits);
    gnutls_priority_init(&_PriorityCache, "NONE:+VERS-ALL:+ECDHE-ECDSA:+ECDHE-PSK:+PSK:+CURVE-ALL:+AES-128-CCM-8:+AES-128-CBC:+MAC-ALL:-SHA1:+COMP-ALL:+SIGN-ALL:+CTYPE-X.509", NULL);
}
Esempio n. 12
0
void TLSServer::init (
  const std::string& ca,
  const std::string& crl,
  const std::string& cert,
  const std::string& key)
{
  _ca   = ca;
  _crl  = crl;
  _cert = cert;
  _key  = key;

  int ret = gnutls_global_init ();
  if (ret < 0)
    throw format ("TLS init error. {1}", gnutls_strerror (ret));

  ret = gnutls_certificate_allocate_credentials (&_credentials);
  if (ret < 0)
    throw format ("TLS allocation error. {1}", gnutls_strerror (ret));

  if (_ca != "" &&
      (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
    throw format ("Bad CA file. {1}", gnutls_strerror (ret));

  if ( _crl != "" &&
      (ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
    throw format ("Bad CRL file. {1}", gnutls_strerror (ret));

  if (_cert != "" &&
      _key != "" &&
      (ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
    throw format ("Bad CERT file. {1}", gnutls_strerror (ret));

#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
  unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
  unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
  unsigned int bits = DH_BITS;
#endif
  gnutls_dh_params_init (&_params);
  gnutls_dh_params_generate2 (_params, bits);

  if (_ciphers == "")
    _ciphers = "NORMAL";
  gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
  gnutls_certificate_set_dh_params (_credentials, _params);

#if GNUTLS_VERSION_NUMBER >= 0x02090a
  // The automatic verification for the client certificate with
  // gnutls_certificate_set_verify_function only works with gnutls
  // >=2.9.10. So with older versions we should call the verify function
  // manually after the gnutls handshake.
  gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
Esempio n. 13
0
void SSLi_init()
{
	if(gnutls_priority_init(&cipherCache, ciphers, NULL) != GNUTLS_E_SUCCESS)
	{
		Log_fatal("Failed to set priorities");
	}

	initializeCertificate();

	Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
}
Esempio n. 14
0
void SslDriver::setPriorities(const std::string& value)
{
	TRACE("setPriorities: \"%s\"", value.c_str());

	const char *errp = nullptr;
	int rv = gnutls_priority_init(&priorities_, value.c_str(), &errp);

	if (rv != GNUTLS_E_SUCCESS) {
		TRACE("gnutls_priority_init: error: %s \"%s\"", gnutls_strerror(rv), errp ? errp : "");
	}
}
Esempio n. 15
0
struct cert* loadCert(const char* ca, const char* cert, const char* key) {
	struct cert* oc = xmalloc(sizeof(struct cert));
	gnutls_certificate_allocate_credentials(&oc->cert);
	if (ca != NULL) gnutls_certificate_set_x509_trust_file(oc->cert, ca, GNUTLS_X509_FMT_PEM);
	int e1 = gnutls_certificate_set_x509_key_file(oc->cert, cert, key, GNUTLS_X509_FMT_PEM);
	if (e1 < 0) {
		return NULL;
	}
	gnutls_priority_init(&oc->priority, "PERFORMANCE:%SERVER_PRECEDENCE", NULL);
	gnutls_certificate_set_dh_params(oc->cert, dh_params);
	return oc;
}
		Priority(const std::string& priorities)
		{
			// Try to set the priorities for ciphers, kex methods etc. to the user supplied string
			// If the user did not supply anything then the string is already set to "NORMAL"
			const char* priocstr = priorities.c_str();
			const char* prioerror;

			int ret = gnutls_priority_init(&priority, priocstr, &prioerror);
			if (ret < 0)
			{
				// gnutls did not understand the user supplied string
				throw Exception("Unable to initialize priorities to \"" + priorities + "\": " + gnutls_strerror(ret) + " Syntax error at position " + ConvToStr((unsigned int) (prioerror - priocstr)));
			}
		}
Esempio n. 17
0
bool secure::init(void)
{
    static bool initialized = false;

    if(!initialized) {
        Thread::init();
        Socket::init();

        gnutls_global_init();
        gnutls_priority_init (&context::priority_cache, "NORMAL", NULL);
        atexit(secure_shutdown);
        initialized = true;
    }
    return true;
}
Esempio n. 18
0
wxString CTlsSocket::ListTlsCiphers(wxString priority)
{
	if (priority.IsEmpty())
		priority = wxString::FromUTF8(ciphers);

	wxString list = wxString::Format(_T("Ciphers for %s:\n"), priority.c_str());

#if GNUTLS_VERSION_NUMBER >= 0x030009
	gnutls_priority_t pcache;
	const char *err = 0;
	int ret = gnutls_priority_init(&pcache, priority.mb_str(), &err);
	if (ret < 0)
	{
		list += wxString::Format(_T("gnutls_priority_init failed with code %d: %s"), ret, wxString::FromUTF8(err ? err : "").c_str());
		return list;
	}
	else
	{
		for (size_t i = 0; ; i++)
		{
			unsigned int idx;
			ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx);
			if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
				break;
			if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
				continue;

			gnutls_protocol_t version;
			unsigned char id[2];
			const char* name = gnutls_cipher_suite_info(idx, id, NULL, NULL, NULL, &version);

			if (name != 0)
			{
				list += wxString::Format(
					_T("%-50s    0x%02x, 0x%02x    %s\n"),
					wxString::FromUTF8(name).c_str(),
					(unsigned char)id[0],
					(unsigned char)id[1],
					wxString::FromUTF8(gnutls_protocol_get_name(version)).c_str());
			}
		}
	}
#else
	list += _T("Unknown\n");
#endif

	return list;
}
Esempio n. 19
0
void TLSServer::init (
  const std::string& ca,
  const std::string& crl,
  const std::string& cert,
  const std::string& key)
{
  _ca   = ca;
  _crl  = crl;
  _cert = cert;
  _key  = key;

  gnutls_global_init ();
  gnutls_certificate_allocate_credentials (&_credentials);
  if (_ca != "" &&
      gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
    throw std::string ("Missing CA file.");

  if ( _crl != "" &&
      gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0)
    throw std::string ("Missing CRL file.");

  if (_cert != "" &&
      _key != "" &&
      gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
    throw std::string ("Missing CERT file.");

#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
  unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
  unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
  unsigned int bits = DH_BITS;
#endif
  gnutls_dh_params_init (&_params);
  gnutls_dh_params_generate2 (_params, bits);

  if (_ciphers == "")
    _ciphers = "NORMAL";
  gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
  gnutls_certificate_set_dh_params (_credentials, _params);

#if GNUTLS_VERSION_NUMBER >= 0x02090a
  gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
Esempio n. 20
0
/// Enables TLS on the given server.
static void onion_enable_tls(onion *o){
#ifdef HAVE_PTHREADS
	gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
#endif
	if (!(o->flags&O_USE_DEV_RANDOM)){
		gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
	}
	gnutls_global_init ();
  gnutls_certificate_allocate_credentials (&o->x509_cred);

	gnutls_dh_params_init (&o->dh_params);
  gnutls_dh_params_generate2 (o->dh_params, 1024);
  gnutls_certificate_set_dh_params (o->x509_cred, o->dh_params);
  gnutls_priority_init (&o->priority_cache, "NORMAL", NULL);
	
	o->flags|=O_SSL_ENABLED;
}
Esempio n. 21
0
void
relay_network_set_priority ()
{
#ifdef HAVE_GNUTLS
    if (gnutls_priority_init (relay_gnutls_priority_cache,
                              weechat_config_string (
                                  relay_config_network_ssl_priorities),
                              NULL) != GNUTLS_E_SUCCESS)
    {
        weechat_printf (NULL,
                        _("%s%s: unable to initialize priority for SSL"),
                        weechat_prefix ("error"), RELAY_PLUGIN_NAME);
        free (relay_gnutls_priority_cache);
        relay_gnutls_priority_cache = NULL;
    }
#endif
}
Esempio n. 22
0
static void print_cipher_suite_list(const char *priorities)
{
        size_t i;
        int ret;
        unsigned int idx;
        const char *name;
        const char *err;
        unsigned char id[2];
        gnutls_protocol_t version;
        gnutls_priority_t pcache;

        if (priorities != NULL) {
                printf("Cipher suites for %s\n", priorities);

                ret = gnutls_priority_init(&pcache, priorities, &err);
                if (ret < 0) {
                        fprintf(stderr, "Syntax error at: %s\n", err);
                        exit(1);
                }

                for (i = 0;; i++) {
                        ret =
                            gnutls_priority_get_cipher_suite_index(pcache,
                                                                   i,
                                                                   &idx);
                        if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
                                break;
                        if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
                                continue;

                        name =
                            gnutls_cipher_suite_info(idx, id, NULL, NULL,
                                                     NULL, &version);

                        if (name != NULL)
                                printf("%-50s\t0x%02x, 0x%02x\t%s\n",
                                       name, (unsigned char) id[0],
                                       (unsigned char) id[1],
                                       gnutls_protocol_get_name(version));
                }

                return;
        }
}
Esempio n. 23
0
int
relay_config_check_network_ssl_priorities (void *data,
                                           struct t_config_option *option,
                                           const char *value)
{
#ifdef HAVE_GNUTLS
    gnutls_priority_t priority_cache;
    const char *pos_error;
    int rc;

    /* make C compiler happy */
    (void) data;
    (void) option;

    pos_error = value;

    if (value && value[0])
    {
        rc = gnutls_priority_init (&priority_cache, value, &pos_error);
        if (rc == GNUTLS_E_SUCCESS)
        {
            gnutls_priority_deinit (priority_cache);
            return 1;
        }
    }

    weechat_printf (NULL,
                    _("%s%s: invalid priorities string, error "
                      "at this position in string: \"%s\""),
                    weechat_prefix ("error"), RELAY_PLUGIN_NAME,
                    (pos_error) ? pos_error : value);

    return 0;
#else
    /* make C compiler happy */
    (void) data;
    (void) option;
    (void) value;

    return 1;
#endif
}
Esempio n. 24
0
int
manos_tls_global_init (const char *priorities)
{
	int err;

	priority_cache = NULL;
	dh_params = NULL;
   
	err = gnutls_global_init ();
	if (err != 0) {
		return -1;
	}

	err = gnutls_priority_init (&priority_cache, priorities, NULL);
	if (err != 0) {
		return -2;
	}

	return 0;
}
Esempio n. 25
0
static tls_ctx *
tlsg_ctx_new ( struct ldapoptions *lo )
{
	tlsg_ctx *ctx;

	ctx = ber_memcalloc ( 1, sizeof (*ctx) );
	if ( ctx ) {
		ctx->lo = lo;
		if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
			ber_memfree( ctx );
			return NULL;
		}
		ctx->refcount = 1;
		gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
#ifdef LDAP_R_COMPILE
		ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
#endif
	}
	return (tls_ctx *)ctx;
}
Esempio n. 26
0
int tls_init(void)
{
    int ret = 0;

    if (!_tls_init)
    {
        ret = gnutls_global_init();
        if (ret != GNUTLS_E_SUCCESS)
        {
            return SOCK_TLS_INIT_ERROR;
        }
        ret = gnutls_priority_init(&_tls_priority_cache, "NORMAL", NULL);
        if (ret != GNUTLS_E_SUCCESS)
        {
            return SOCK_TLS_INIT_ERROR;
        }
        _tls_init = 1;
    }
    return SOCK_OK;
}
Esempio n. 27
0
void SSLi_init()
{
	unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);

	gnutls_priority_init(&cipherCache, ciphers, NULL);
	initializeCertificate();

	gnutls_dh_params_init(&dhParameters);

	Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount);
	int error = gnutls_dh_params_generate2(dhParameters, bitCount);

	if(!error) {
		Log_info("Successfully generated Diffie-Hellman parameters");
	} else {
		Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error));
	}

	gnutls_certificate_set_dh_params(certificate, dhParameters);

	Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));

}
Esempio n. 28
0
	tls->ny = ny;
	tls->tls_error = NULL;
	tls->sess_error = NULL;
	tls->sess_destroy = NULL;
	tls->sess_readable = NULL;
	tls->sess_writable = NULL;

	tls->trans_recv = NULL;
	tls->trans_send_vec = NULL;
	tls->trans_close = NULL;

	/* Initialise GnuTLS */
	gnutls_global_init();

	char const *err_pos;
	_ = gnutls_priority_init(&tls->prio_cache,
		prio ? prio : NY_TLS_DEFAULT_PRIO, &err_pos);
	if (unlikely(_)) {
		ny_error_set(&tls->ny->error, NY_ERROR_DOMAIN_GTLS, _);
		goto exit;
	}

	/* Generate Diffie‐Hellman parameters */
	unsigned int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
		GNUTLS_SEC_PARAM_HIGH);

	_ = gnutls_dh_params_init(&tls->dh_params);
	if (unlikely(_)) {
		ny_error_set(&tls->ny->error, NY_ERROR_DOMAIN_GTLS, _);
		goto deinit_gtls;
	}
Esempio n. 29
0
void
print_list (const char *priorities, int verbose)
{
    size_t i;
    int ret;
    unsigned int idx;
    const char *name;
    const char *err;
    unsigned char id[2];
    gnutls_kx_algorithm_t kx;
    gnutls_cipher_algorithm_t cipher;
    gnutls_mac_algorithm_t mac;
    gnutls_protocol_t version;
    gnutls_priority_t pcache;
    const unsigned int *list;

    if (priorities != NULL)
      {
          printf ("Cipher suites for %s\n", priorities);

          ret = gnutls_priority_init (&pcache, priorities, &err);
          if (ret < 0)
            {
                fprintf (stderr, "Syntax error at: %s\n", err);
                exit (1);
            }

          for (i = 0;; i++)
            {
                ret =
                    gnutls_priority_get_cipher_suite_index (pcache, i,
                                                            &idx);
                if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
                    break;
                if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
                    continue;

                name =
                    gnutls_cipher_suite_info (idx, id, NULL, NULL, NULL,
                                              &version);

                if (name != NULL)
                    printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
                            name, (unsigned char) id[0],
                            (unsigned char) id[1],
                            gnutls_protocol_get_name (version));
            }

          printf("\n");
          {
              ret = gnutls_priority_certificate_type_list (pcache, &list);

              printf ("Certificate types: ");
              if (ret == 0) printf("none\n");
              for (i = 0; i < (unsigned)ret; i++)
                {
                    printf ("CTYPE-%s",
                            gnutls_certificate_type_get_name (list[i]));
                    if (i+1!=(unsigned)ret)
                        printf (", ");
                    else
                        printf ("\n");
                }
          }

          {
              ret = gnutls_priority_protocol_list (pcache, &list);

              printf ("Protocols: ");
              if (ret == 0) printf("none\n");
              for (i = 0; i < (unsigned)ret; i++)
                {
                    printf ("VERS-%s", gnutls_protocol_get_name (list[i]));
                    if (i+1!=(unsigned)ret)
                        printf (", ");
                    else
                        printf ("\n");
                }
          }

          {
              ret = gnutls_priority_compression_list (pcache, &list);

              printf ("Compression: ");
              if (ret == 0) printf("none\n");
              for (i = 0; i < (unsigned)ret; i++)
                {
                    printf ("COMP-%s",
                            gnutls_compression_get_name (list[i]));
                    if (i+1!=(unsigned)ret)
                        printf (", ");
                    else
                        printf ("\n");
                }
          }

          {
              ret = gnutls_priority_ecc_curve_list (pcache, &list);

              printf ("Elliptic curves: ");
              if (ret == 0) printf("none\n");
              for (i = 0; i < (unsigned)ret; i++)
                {
                    printf ("CURVE-%s",
                            gnutls_ecc_curve_get_name (list[i]));
                    if (i+1!=(unsigned)ret)
                        printf (", ");
                    else
                        printf ("\n");
                }
          }

          {
              ret = gnutls_priority_sign_list (pcache, &list);

              printf ("PK-signatures: ");
              if (ret == 0) printf("none\n");
              for (i = 0; i < (unsigned)ret; i++)
                {
                    printf ("SIGN-%s",
                            gnutls_sign_algorithm_get_name (list[i]));
                    if (i+1!=(unsigned)ret)
                        printf (", ");
                    else
                        printf ("\n");
                }
          }

          return;
      }

    printf ("Cipher suites:\n");
    for (i = 0; (name = gnutls_cipher_suite_info
                 (i, id, &kx, &cipher, &mac, &version)); i++)
      {
          printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
                  name,
                  (unsigned char) id[0], (unsigned char) id[1],
                  gnutls_protocol_get_name (version));
          if (verbose)
              printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
                      gnutls_kx_get_name (kx),
                      gnutls_cipher_get_name (cipher),
                      gnutls_mac_get_name (mac));
      }

    printf("\n");
    {
        const gnutls_certificate_type_t *p =
            gnutls_certificate_type_list ();

        printf ("Certificate types: ");
        for (; *p; p++)
          {
              printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_protocol_t *p = gnutls_protocol_list ();

        printf ("Protocols: ");
        for (; *p; p++)
          {
              printf ("VERS-%s", gnutls_protocol_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();

        printf ("Ciphers: ");
        for (; *p; p++)
          {
              printf ("%s", gnutls_cipher_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_mac_algorithm_t *p = gnutls_mac_list ();

        printf ("MACs: ");
        for (; *p; p++)
          {
              printf ("%s", gnutls_mac_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_kx_algorithm_t *p = gnutls_kx_list ();

        printf ("Key exchange algorithms: ");
        for (; *p; p++)
          {
              printf ("%s", gnutls_kx_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_compression_method_t *p = gnutls_compression_list ();

        printf ("Compression: ");
        for (; *p; p++)
          {
              printf ("COMP-%s", gnutls_compression_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list ();

        printf ("Elliptic curves: ");
        for (; *p; p++)
          {
              printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_pk_algorithm_t *p = gnutls_pk_list ();

        printf ("Public Key Systems: ");
        for (; *p; p++)
          {
              printf ("%s", gnutls_pk_algorithm_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }

    {
        const gnutls_sign_algorithm_t *p = gnutls_sign_list ();

        printf ("PK-signatures: ");
        for (; *p; p++)
          {
              printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p));
              if (*(p + 1))
                  printf (", ");
              else
                  printf ("\n");
          }
    }
}
Esempio n. 30
0
/** Argument parsing routine.
 * Used by the argp suite.
 */
static error_t
_crywrap_config_parse_opt(int key, char *arg, struct argp_state *state)
{
	crywrap_config_t *cfg = (crywrap_config_t *) state->input;
	int ret;

	switch (key) {
	case 'D':
		cfg->debug = 1;
		cry_log = debug_log;
		cry_error = debug_log;
		break;
	case 'd':
		if (_crywrap_parse_ip
		    (arg, &cfg->dest.port, &cfg->dest.addr,
		     &cfg->dest.host) < 0)
			argp_error(state,
				   "Could not resolve address: `%s'", arg);
		break;
	case 'l':
		if (_crywrap_parse_ip(arg, &cfg->listen.port,
				      &cfg->listen.addr, NULL) < 0)
			argp_error(state,
				   "Could not resolve address: `%s'", arg);
		break;
	case 'u':
		cfg->uid = atoi(arg);
		break;
	case 'P':
		if (arg && *arg)
			cfg->pidfile = strdup(arg);
		else
			cfg->pidfile = NULL;
		break;
	case 'r':
		if (arg && *arg) {
			dh_file = load_file(arg);
			if (dh_file.data == NULL)
				argp_error(state,
					   "error loading Diffie Hellman parameters file: %s.",
					   arg);
		}
		break;
	case 'p':
		if (arg && *arg) {
			const char *pos;
			ret =
			    gnutls_priority_init(&cfg->priority, arg,
						 &pos);
			if (ret < 0)
				argp_error(state,
					   "error in priority string at: %s.",
					   pos);
		}
		break;
	case 'c':
		if (arg && *arg)
			pem_cert = strdup(arg);
		break;
	case 'k':
		if (arg && *arg)
			pem_key = strdup(arg);
		break;

		break;
	case 'i':
		cfg->inetd = 1;
		break;
	case 'a':
		{
			const char *pos;
			ret =
			    gnutls_priority_init(&cfg->priority,
						 "NORMAL:+ANON-ECDH:+ANON-DH",
						 &pos);
			if (ret < 0)
				argp_error(state,
					   "error in priority string at: %s.",
					   pos);
		}
		cfg->verify = 0;
		cfg->anon = 1;
		break;
	case 'v':
		cfg->verify = (arg) ? atoi(arg) : 1;
		break;
	case 'z':
		ret = gnutls_certificate_set_x509_trust_file(cred, arg,
							     GNUTLS_X509_FMT_PEM);
		if (ret < 0)
			argp_error(state,
				   "error reading X.509 CA file: %s.",
				   gnutls_strerror(ret));
		break;

	case ARGP_KEY_END:
		if (!cfg->inetd) {
			if (!cfg->listen.addr || !cfg->dest.addr)
				argp_error
				    (state,
				     "a listening and a destination address must be set!");
		} else if (!cfg->dest.addr)
			argp_error(state,
				   "a destination address must be set!");
		if (cfg->anon)
			break;
		if (pem_cert == NULL || pem_key == NULL)
			ret =
			    gnutls_certificate_set_x509_key_file(cred,
								 _CRYWRAP_PEMFILE,
								 _CRYWRAP_PEMFILE,
								 GNUTLS_X509_FMT_PEM);
		else
			ret =
			    gnutls_certificate_set_x509_key_file(cred,
								 pem_cert,
								 pem_key,
								 GNUTLS_X509_FMT_PEM);

		if (ret < 0)
			argp_error(state,
				   "Error reading X.509 key or certificate file: %s",
				   gnutls_strerror(ret));
		break;
	default:
		return ARGP_ERR_UNKNOWN;
	}

	return 0;
}