static void
server (int fd, int wait)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
/* this must be called once in the program
*/
global_init ();
if (debug)
{
gnutls_global_set_log_function (server_log_func);
gnutls_global_set_log_level (4711);
}
gnutls_anon_allocate_server_credentials (&anoncred);
initialize_tls_session (&session);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
if (wait) sleep(25);
else do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
gnutls_deinit (session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
}
static void
server (int fd, const char* prio)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
/* this must be called once in the program
*/
gnutls_global_init ();
memset(buffer, 0, sizeof(buffer));
if (debug)
{
gnutls_global_set_log_function (server_log_func);
gnutls_global_set_log_level (4711);
}
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_anon_allocate_server_credentials (&anoncred);
session = initialize_tls_session (prio);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0)
{
close (fd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
terminate();
}
if (debug)
success ("server: Handshake was completed\n");
if (debug)
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
close(fd);
gnutls_deinit (session);
gnutls_anon_free_server_credentials (anoncred);
gnutls_certificate_free_credentials (x509_cred);
gnutls_global_deinit ();
if (debug)
success ("server: finished\n");
}
void
global_stop (void)
{
success ("global stop\n");
gnutls_anon_free_server_credentials (anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
static void
global_stop (void)
{
if (debug)
success ("global stop\n");
gnutls_anon_free_server_credentials (anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
shutdown (listen_sd, SHUT_RDWR);
}
static void cleanup()
{
if (!initialized) return;
if (use_srp_auth)
gnutls_srp_free_server_credentials(srp_server);
else
gnutls_anon_free_server_credentials(credentials);
gnutls_global_deinit();
initialized = false;
}
static Ecore_Con_Ssl_Error
_ecore_con_ssl_server_shutdown_gnutls(Ecore_Con_Server *svr)
{
if (svr->session)
{
gnutls_bye(svr->session, GNUTLS_SHUT_RDWR);
gnutls_deinit(svr->session);
}
if (svr->cert_file)
free(svr->cert_file);
svr->cert_file = NULL;
if (svr->cert)
gnutls_certificate_free_credentials(svr->cert);
svr->cert = NULL;
if ((svr->type & ECORE_CON_SSL) && svr->created)
{
if (svr->dh_params)
{
gnutls_dh_params_deinit(svr->dh_params);
svr->dh_params = NULL;
}
if (svr->anoncred_s)
gnutls_anon_free_server_credentials(svr->anoncred_s);
// if (svr->pskcred_s)
// gnutls_psk_free_server_credentials(svr->pskcred_s);
svr->anoncred_s = NULL;
svr->pskcred_s = NULL;
}
else if (svr->type & ECORE_CON_SSL)
{
if (svr->anoncred_c)
gnutls_anon_free_client_credentials(svr->anoncred_c);
// if (svr->pskcred_c)
// gnutls_psk_free_client_credentials(svr->pskcred_c);
svr->anoncred_c = NULL;
svr->pskcred_c = NULL;
}
svr->session = NULL;
return ECORE_CON_SSL_ERROR_NONE;
}
int server_create(prelude_client_profile_t *cp, const char *addr, unsigned int port,
prelude_bool_t keepalive, const char *pass, gnutls_x509_privkey_t key, gnutls_x509_crt_t cacrt, gnutls_x509_crt_t crt)
{
int sock;
size_t size;
struct pollfd pfd[128];
gnutls_dh_params_t dh_params;
#ifdef GNUTLS_SRP_ENABLED
int ret;
ret = gnutls_srp_allocate_server_credentials(&srpcred);
if ( ret < 0 ) {
fprintf(stderr, "error creating SRP credentials: %s.\n", gnutls_strerror(ret));
return -1;
}
gnutls_srp_set_server_credentials_function(srpcred, srp_callback);
#endif
one_shot_passwd = pass;
gnutls_anon_allocate_server_credentials(&anoncred);
fprintf(stderr, "Generating %d bits Diffie-Hellman key for anonymous authentication...", ANON_DH_BITS);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, ANON_DH_BITS);
gnutls_anon_set_server_dh_params(anoncred, dh_params);
fprintf(stderr, "\n");
size = sizeof(pfd) / sizeof(*pfd);
sock = setup_server(addr, port, pfd, &size);
if ( sock < 0 )
return -1;
wait_connection(cp, sock, pfd, size, keepalive, key, cacrt, crt);
#ifdef GNUTLS_SRP_ENABLED
gnutls_srp_free_server_credentials(srpcred);
#endif
gnutls_anon_free_server_credentials(anoncred);
return 0;
}
static void
qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds)
{
if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
if (creds->data.client) {
gnutls_anon_free_client_credentials(creds->data.client);
creds->data.client = NULL;
}
} else {
if (creds->data.server) {
gnutls_anon_free_server_credentials(creds->data.server);
creds->data.server = NULL;
}
}
if (creds->parent_obj.dh_params) {
gnutls_dh_params_deinit(creds->parent_obj.dh_params);
creds->parent_obj.dh_params = NULL;
}
}
void
tls_free(struct gnutella_socket *s)
{
tls_context_t ctx;
socket_check(s);
ctx = s->tls.ctx;
if (ctx) {
if (ctx->session) {
gnutls_deinit(ctx->session);
}
if (ctx->server_cred) {
gnutls_anon_free_server_credentials(ctx->server_cred);
ctx->server_cred = NULL;
}
if (ctx->client_cred) {
gnutls_anon_free_client_credentials(ctx->client_cred);
ctx->client_cred = NULL;
}
WFREE(ctx);
s->tls.ctx = NULL;
}
}
static void server(int fd, int server_init)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_anon_server_credentials_t anoncred;
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
if (server_init) {
if (debug)
success("server: Sending dummy packet\n");
ret = gnutls_rehandshake(session);
if (ret < 0) {
fail("gnutls_rehandshake: %s\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Initiating rehandshake\n");
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("server: 2nd gnutls_handshake: %s\n",
gnutls_strerror(ret));
terminate();
}
}
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
do {
ret = gnutls_record_recv(session, buffer, MAX_BUF);
} while (ret == GNUTLS_E_AGAIN
|| ret == GNUTLS_E_INTERRUPTED);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
if (!server_init && ret == GNUTLS_E_REHANDSHAKE) {
if (debug)
success
("Initiating rehandshake due to client request\n");
do {
ret = gnutls_handshake(session);
}
while (ret < 0
&& gnutls_error_is_fatal(ret) == 0);
if (ret == 0)
break;
}
fail("server: Received corrupted data(%s). Closing...\n", gnutls_strerror(ret));
terminate();
} else if (ret > 0) {
/* echo data back to the client
*/
do {
ret =
gnutls_record_send(session, buffer,
strlen(buffer));
} while (ret == GNUTLS_E_AGAIN
|| ret == GNUTLS_E_INTERRUPTED);
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void
server (int fd, int server_init)
{
int ret, ret2;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
/* this must be called once in the program
*/
gnutls_global_init ();
if (debug)
{
gnutls_global_set_log_function (server_log_func);
gnutls_global_set_log_level (4711);
}
gnutls_anon_allocate_server_credentials (&anoncred);
session = initialize_tls_session ();
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
{
close (fd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
terminate ();
}
if (debug)
success ("server: Handshake was completed\n");
if (debug)
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
/* see the Getting peer's information example */
/* print_info(session); */
if (server_init)
{
do
{
ret =
gnutls_record_recv (session, buffer, sizeof (buffer));
if (ret == GNUTLS_E_HEARTBEAT_PING_RECEIVED)
{
if (debug)
success ("Ping received. Replying with pong.\n");
ret2 = gnutls_heartbeat_pong (session, 0);
if (ret2 < 0)
{
fail ("pong: %s\n", gnutls_strerror (ret));
terminate ();
}
}
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED
|| ret == GNUTLS_E_HEARTBEAT_PING_RECEIVED);
}
else
{
do
{
ret =
gnutls_heartbeat_ping (session, 256, 5,
GNUTLS_HEARTBEAT_WAIT);
if (debug)
success ("Ping sent.\n");
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0)
{
fail ("ping: %s\n", gnutls_strerror (ret));
terminate ();
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (fd);
gnutls_deinit (session);
gnutls_anon_free_server_credentials (anoncred);
gnutls_global_deinit ();
if (debug)
success ("server: finished\n");
}
GnuTLSServerAnon::~GnuTLSServerAnon()
{
gnutls_anon_free_server_credentials( m_anoncred );
gnutls_dh_params_deinit( m_dhParams );
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
gnutls_dh_params_t dh_params;
char buf[128];
const gnutls_datum_t p3 =
{ (unsigned char *) pkcs3, strlen(pkcs3) };
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(anoncred, dh_params);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
ret = gnutls_priority_set_direct(session,
"NORMAL:+ANON-DH:+ANON-ECDH", NULL);
if (ret < 0) {
fail("server: priority set failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
ret = gnutls_record_recv(session, buf, sizeof(buf));
} while(ret > 0);
if (ret < 0) {
fail("error: %s\n", gnutls_strerror(ret));
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int fd)
{
int ret;
gnutls_anon_server_credentials_t anoncred;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_handshake_set_timeout(session, 20 * 1000);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
do {
ret = gnutls_record_recv(session, buffer, sizeof(buffer));
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret != TXT2_SIZE || memcmp(buffer, TXT2, TXT2_SIZE) != 0) {
fail("didn't receive the expected data!\n");
terminate();
}
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: data sending has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
void
doit (void)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char *) pkcs3, strlen (pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
int n, cret = GNUTLS_E_AGAIN;
/* Need to enable anonymous KX specifically. */
const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
char buffer[MAX_BUF + 1];
ssize_t ns;
int ret;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
/* Init server */
gnutls_anon_allocate_server_credentials (&s_anoncred);
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_set_default_priority (server);
gnutls_kx_set_priority (server, kx_prio);
gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits (server, 1024);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_session_set_finished_function (server, server_finished_callback);
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_set_default_priority (client);
gnutls_kx_set_priority (client, kx_prio);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_session_set_finished_function (client, client_finished_callback);
do
{
if (cret == GNUTLS_E_AGAIN)
{
if (debug)
success ("loop invoking client:\n");
cret = gnutls_handshake (client);
if (debug)
success ("client %d: %s\n", cret, gnutls_strerror (cret));
}
if (sret == GNUTLS_E_AGAIN)
{
if (debug)
success ("loop invoking server:\n");
sret = gnutls_handshake (server);
if (debug)
success ("server %d: %s\n", sret, gnutls_strerror (sret));
}
}
while (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN);
if (debug)
success ("Handshake established\n");
ns = gnutls_record_send (client, MSG, strlen (MSG));
if (debug)
success ("client: sent %d\n", (int) ns);
ret = gnutls_record_recv (server, buffer, MAX_BUF);
if (ret == 0)
fail ("server: didn't receive any data\n");
else if (ret < 0)
fail ("server: error: %s\n", gnutls_strerror (ret));
else if (debug)
{
printf ("server: received %d: ", ret);
for (n = 0; n < ret; n++)
fputc (buffer[n], stdout);
fputs ("\n", stdout);
}
ns = gnutls_record_send (server, MSG, strlen (MSG));
if (debug)
success ("server: sent %d\n", (int) ns);
ret = gnutls_record_recv (client, buffer, MAX_BUF);
if (ret == 0)
{
fail ("client: Peer has closed the TLS connection\n");
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
}
else if (debug)
{
printf ("client: received %d: ", ret);
for (n = 0; n < ret; n++)
fputc (buffer[n], stdout);
fputs ("\n", stdout);
}
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
free (to_server);
free (to_client);
gnutls_anon_free_client_credentials (c_anoncred);
gnutls_anon_free_server_credentials (s_anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
int vnc_tls_client_setup(struct VncState *vs,
int needX509Creds) {
VNC_DEBUG("Do TLS setup\n");
if (vnc_tls_initialize() < 0) {
VNC_DEBUG("Failed to init TLS\n");
vnc_client_error(vs);
return -1;
}
if (vs->tls.session == NULL) {
if (gnutls_init(&vs->tls.session, GNUTLS_SERVER) < 0) {
vnc_client_error(vs);
return -1;
}
if (gnutls_set_default_priority(vs->tls.session) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (needX509Creds) {
gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd);
if (!x509_cred) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
gnutls_certificate_free_credentials(x509_cred);
vnc_client_error(vs);
return -1;
}
if (vs->vd->tls.x509verify) {
VNC_DEBUG("Requesting a client certificate\n");
gnutls_certificate_server_set_request (vs->tls.session, GNUTLS_CERT_REQUEST);
}
} else {
gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred();
if (!anon_cred) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_ANON, anon_cred) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
gnutls_anon_free_server_credentials(anon_cred);
vnc_client_error(vs);
return -1;
}
}
gnutls_transport_set_ptr(vs->tls.session, (gnutls_transport_ptr_t)vs);
gnutls_transport_set_push_function(vs->tls.session, vnc_tls_push);
gnutls_transport_set_pull_function(vs->tls.session, vnc_tls_pull);
}
return 0;
}
static void server(int fd, int profile)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
uint8_t km[MAX_KEY_MATERIAL];
char buf[2 * MAX_KEY_MATERIAL];
gnutls_datum_t cli_key, cli_salt, server_key, server_salt;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
if (profile)
ret =
gnutls_srtp_set_profile_direct(session,
"SRTP_AES128_CM_HMAC_SHA1_80",
NULL);
else
ret =
gnutls_srtp_set_profile_direct(session,
"SRTP_NULL_HMAC_SHA1_80",
NULL);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
ret =
gnutls_srtp_get_keys(session, km, sizeof(km), &cli_key,
&cli_salt, &server_key, &server_salt);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
if (debug) {
size_t size = sizeof(buf);
gnutls_hex_encode(&cli_key, buf, &size);
success("Client key: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&cli_salt, buf, &size);
success("Client salt: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&server_key, buf, &size);
success("Server key: %s\n", buf);
size = sizeof(buf);
gnutls_hex_encode(&server_salt, buf, &size);
success("Server salt: %s\n", buf);
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
char c;
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(2);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_dtls_set_timeouts(session, 50 * 1000, 600 * 1000);
gnutls_transport_set_push_function(session, odd_push);
gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
gnutls_record_recv(session, &c, 1);
do {
do {
ret = gnutls_record_send(session, &c, 1);
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
fail("send: %s\n", gnutls_strerror(ret));
terminate();
}
}
while (test_finished == 0);
gnutls_transport_set_push_function(session, n_push);
do {
ret = gnutls_bye(session, GNUTLS_SHUT_WR);
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int fd)
{
int ret, csend = 0;
gnutls_anon_server_credentials_t anoncred;
char buffer[MAX_BUF + 1];
gnutls_datum_t cookie_key;
gnutls_dtls_prestate_st prestate;
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
ret = gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
if (ret < 0) {
fail("Cannot generate key: %s\n", gnutls_strerror(ret));
terminate();
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_handshake_set_timeout(session, 20 * 1000);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
gnutls_transport_set_push_function(session, push);
for (;;) {
ret = recv(fd, buffer, sizeof(buffer), MSG_PEEK);
if (ret < 0) {
fail("Cannot receive data\n");
terminate();
}
memset(&prestate, 0, sizeof(prestate));
ret =
gnutls_dtls_cookie_verify(&cookie_key, CLI_ADDR,
CLI_ADDR_LEN, buffer, ret,
&prestate);
if (ret < 0) { /* cookie not valid */
if (debug)
success("Sending hello verify request\n");
ret =
gnutls_dtls_cookie_send(&cookie_key, CLI_ADDR,
CLI_ADDR_LEN,
&prestate,
(gnutls_transport_ptr_t)
(long) fd, push);
if (ret < 0) {
fail("Cannot send data\n");
terminate();
}
/* discard peeked data */
recv(fd, buffer, sizeof(buffer), 0);
csend++;
if (csend > 2) {
fail("too many cookies sent\n");
terminate();
}
continue;
}
/* success */
break;
}
gnutls_dtls_prestate_set(session, &prestate);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
do {
ret = gnutls_record_send(session, buffer, sizeof(buffer));
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: data sending has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_free(cookie_key.data);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int fd, const char *prio, unsigned etm)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
gnutls_certificate_credentials_t x509_cred;
unsigned to_send = sizeof(buffer)/4;
/* this must be called once in the program
*/
global_init();
memset(buffer, 0, sizeof(buffer));
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, prio, NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (etm != 0 && gnutls_session_etm_status(session) == 0) {
fail("server: EtM was not negotiated with %s!\n", prio);
exit(1);
} else if (etm == 0 && gnutls_session_etm_status(session) != 0) {
fail("server: EtM was negotiated with %s!\n", prio);
exit(1);
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
do {
ret =
gnutls_record_send(session, buffer,
sizeof(buffer));
} while (ret == GNUTLS_E_AGAIN
|| ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
fail("Error sending %d byte packet: %s\n", to_send,
gnutls_strerror(ret));
terminate();
}
to_send++;
}
while (to_send < 64);
to_send = -1;
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
gnutls_session_t server;
int sret, cret;
const char *str;
char *suite = NULL;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_certificate_credentials_t c_certcred, s_certcred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
struct timespec tr_start, tr_stop;
double avg, sstddev;
gnutls_priority_t priority_cache;
total_diffs_size = 0;
/* Init server */
gnutls_certificate_allocate_credentials(&s_certcred);
gnutls_anon_allocate_server_credentials(&s_anoncred);
ret = 0;
if (pk == GNUTLS_PK_RSA_PSS)
ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_rsa_pss_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
else if (pk == GNUTLS_PK_RSA)
ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "Error in %d: %s\n", __LINE__,
gnutls_strerror(ret));
exit(1);
}
ret = 0;
if (pk == GNUTLS_PK_ECDSA)
ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_ecc_cert,
&server_ecc_key,
GNUTLS_X509_FMT_PEM);
else if (pk == GNUTLS_PK_EDDSA_ED25519)
ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_ed25519_cert,
&server_ed25519_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "Error in %d: %s\n", __LINE__,
gnutls_strerror(ret));
exit(1);
}
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_certificate_allocate_credentials(&c_certcred);
start_benchmark(&st);
ret = gnutls_priority_init(&priority_cache, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
do {
gnutls_init(&server, GNUTLS_SERVER);
ret =
gnutls_priority_set(server, priority_cache);
if (ret < 0) {
fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret));
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON,
s_anoncred);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
s_certcred);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server,
(gnutls_transport_ptr_t) server);
reset_buffers();
gnutls_init(&client, GNUTLS_CLIENT);
ret =
gnutls_priority_set(client, priority_cache);
if (ret < 0) {
fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret));
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON,
c_anoncred);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
c_certcred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client,
(gnutls_transport_ptr_t) client);
gettime(&tr_start);
HANDSHAKE(client, server);
gettime(&tr_stop);
if (suite == NULL)
suite =
gnutls_session_get_desc(server);
gnutls_deinit(client);
gnutls_deinit(server);
total_diffs[total_diffs_size++] = timespec_sub_ms(&tr_stop, &tr_start);
if (total_diffs_size > sizeof(total_diffs)/sizeof(total_diffs[0]))
abort();
st.size += 1;
}
while (benchmark_must_finish == 0);
fprintf(stdout, "%38s ", suite);
gnutls_free(suite);
stop_benchmark(&st, "transactions", 1);
gnutls_priority_deinit(priority_cache);
avg = calc_avg(total_diffs, total_diffs_size);
sstddev = calc_sstdev(total_diffs, total_diffs_size, avg);
printf("%32s %.2f ms, sample variance: %.2f)\n",
"(avg. handshake time:", avg, sstddev);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
}
static void test_ciphersuite(const char *cipher_prio, int size)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
gnutls_certificate_credentials_t c_certcred, s_certcred;
gnutls_session_t server;
int sret, cret;
const char *str;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
gnutls_packet_t packet;
const char *name;
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_certificate_allocate_credentials(&s_certcred);
gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(s_certcred, &server_ecc_cert,
&server_ecc_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
ret = gnutls_priority_set_direct(server, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_certcred);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
reset_buffers();
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_certificate_allocate_credentials(&c_certcred);
gnutls_init(&client, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct(client, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_certcred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
HANDSHAKE(client, server);
name = gnutls_cipher_get_name(gnutls_cipher_get(server));
fprintf(stdout, "%30s - %s ", name, gnutls_protocol_get_name(
gnutls_protocol_get_version(server)));
fflush(stdout);
ret = gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
start_benchmark(&st);
do {
do {
ret = gnutls_record_send(client, buffer, size);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed sending to server\n");
exit(1);
}
do {
ret =
gnutls_record_recv_packet(server, &packet);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed receiving from client: %s\n", gnutls_strerror(ret));
exit(1);
}
st.size += size;
gnutls_packet_deinit(packet);
}
while (benchmark_must_finish == 0);
stop_benchmark(&st, NULL, 1);
gnutls_bye(client, GNUTLS_SHUT_WR);
gnutls_bye(server, GNUTLS_SHUT_WR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
}
static void server(int fd, const char *protocol1, const char *protocol2, const char *expected)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
gnutls_datum_t t[2];
gnutls_datum_t selected;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
t[0].data = (void *) protocol1;
t[0].size = strlen(protocol1);
t[1].data = (void *) protocol2;
t[1].size = strlen(protocol2);
ret = gnutls_alpn_set_protocols(session, t, 2, GNUTLS_ALPN_SERVER_PRECEDENCE);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
ret = gnutls_alpn_get_selected_protocol(session, &selected);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
if (debug) {
success("Protocol: %.*s\n", (int) selected.size, selected.data);
}
if (selected.size != strlen(expected) || memcmp(selected.data, expected, selected.size) != 0) {
fail("did not select the expected protocol (selected %.*s, expected %s)\n", selected.size, selected.data, expected);
exit(1);
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
terminate();
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
/* avoid uninitialized warnings */
memset(buffer, 1, sizeof(buffer));
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 12);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 5048);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
gnutls_dtls_set_mtu(session, MAX_MTU);
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 12);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 5048);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret > 16384 || ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
/* test cork and uncork */
gnutls_record_cork(session);
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret = gnutls_record_uncork(session, 0);
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
gnutls_record_cork(session);
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) - 16);
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret = gnutls_record_uncork(session, GNUTLS_RECORD_WAIT);
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void test_ciphersuite(const char *cipher_prio, int size)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char *) pkcs3, strlen(pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret, cret;
const char *str;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
gnutls_init(&server, GNUTLS_SERVER);
ret = gnutls_priority_set_direct(server, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits(server, 1024);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
reset_buffers();
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_init(&client, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct(client, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
HANDSHAKE(client, server);
fprintf(stdout, "Testing %s with %d packet size: ",
gnutls_cipher_suite_get_name(gnutls_kx_get(server),
gnutls_cipher_get(server),
gnutls_mac_get(server)), size);
fflush(stdout);
gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
start_benchmark(&st);
do {
do {
ret = gnutls_record_send(client, buffer, size);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed sending to server\n");
exit(1);
}
do {
ret = gnutls_record_recv(server, buffer, sizeof(buffer));
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed receiving from client\n");
exit(1);
}
st.size += size;
}
while (benchmark_must_finish == 0);
stop_benchmark(&st, NULL);
gnutls_bye(client, GNUTLS_SHUT_WR);
gnutls_bye(server, GNUTLS_SHUT_WR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_dh_params_deinit(dh_params);
}
int
main (void)
{
int err, listen_sd;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
gnutls_session_t session;
char buffer[MAX_BUF + 1];
int optval = 1;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_anon_allocate_server_credentials (&anoncred);
generate_dh_params ();
gnutls_anon_set_server_dh_params (anoncred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
SOCKET_ERR (listen_sd, "socket");
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
SOCKET_ERR (err, "bind");
err = listen (listen_sd, 1024);
SOCKET_ERR (err, "listen");
printf ("Server ready. Listening to port '%d'.\n\n", PORT);
client_len = sizeof (sa_cli);
for (;;)
{
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
printf ("- connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
continue;
}
printf ("- Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("\n- Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fprintf (stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
printf ("\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_anon_free_server_credentials (anoncred);
gnutls_global_deinit ();
return 0;
}
static void server(int sds[], struct params_res *params)
{
gnutls_anon_server_credentials_t anoncred;
static gnutls_datum_t session_ticket_key = { NULL, 0 };
int ret;
size_t t;
gnutls_session_t session;
/* this must be called once in the program, it is mostly for the server.
*/
if (debug) {
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(3);
}
global_init();
gnutls_anon_allocate_server_credentials(&anoncred);
if (debug)
success("Launched, generating DH parameters...\n");
gnutls_anon_set_server_dh_params(anoncred, dh_params);
if (params->enable_db) {
wrap_db_init();
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_key_generate(&session_ticket_key);
for (t = 0; t < SESSIONS; t++) {
int sd = sds[t];
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_dh_set_prime_bits(session, DH_BITS);
if (params->enable_db) {
gnutls_db_set_retrieve_function(session, wrap_db_fetch);
gnutls_db_set_remove_function(session, wrap_db_delete);
gnutls_db_set_store_function(session, wrap_db_store);
gnutls_db_set_ptr(session, NULL);
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_enable_server(session,
&session_ticket_key);
gnutls_transport_set_int(session, sd);
gnutls_dtls_set_timeouts(session, 3*1000, 240 * 1000);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && (ret == GNUTLS_E_INTERRUPTED||ret == GNUTLS_E_AGAIN));
if (ret < 0) {
close(sd);
gnutls_deinit(session);
kill(child, SIGTERM);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
kill(child, SIGTERM);
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
}
if (params->enable_db) {
wrap_db_deinit();
}
gnutls_free(session_ticket_key.data);
session_ticket_key.data = NULL;
gnutls_anon_free_server_credentials(anoncred);
if (debug)
success("server: finished\n");
}
int vnc_tls_client_setup(struct VncState *vs,
int needX509Creds) {
static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
VNC_DEBUG("Do TLS setup\n");
if (vnc_tls_initialize() < 0) {
VNC_DEBUG("Failed to init TLS\n");
vnc_client_error(vs);
return -1;
}
if (vs->tls.session == NULL) {
if (gnutls_init(&vs->tls.session, GNUTLS_SERVER) < 0) {
vnc_client_error(vs);
return -1;
}
if (gnutls_set_default_priority(vs->tls.session) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (needX509Creds) {
gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd);
if (!x509_cred) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
gnutls_certificate_free_credentials(x509_cred);
vnc_client_error(vs);
return -1;
}
if (vs->vd->tls.x509verify) {
VNC_DEBUG("Requesting a client certificate\n");
gnutls_certificate_server_set_request (vs->tls.session, GNUTLS_CERT_REQUEST);
}
} else {
gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred();
if (!anon_cred) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
vnc_client_error(vs);
return -1;
}
if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_ANON, anon_cred) < 0) {
gnutls_deinit(vs->tls.session);
vs->tls.session = NULL;
gnutls_anon_free_server_credentials(anon_cred);
vnc_client_error(vs);
return -1;
}
}
gnutls_transport_set_ptr(vs->tls.session, (gnutls_transport_ptr_t)vs);
gnutls_transport_set_push_function(vs->tls.session, vnc_tls_push);
gnutls_transport_set_pull_function(vs->tls.session, vnc_tls_pull);
}
return 0;
}
void
doit (void)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (void *) pkcs3, strlen (pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret, cret;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
char buffer[MAX_BUF + 1];
ssize_t ns;
int ret, transferred = 0, msglen;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (99);
/* Init server */
gnutls_anon_allocate_server_credentials (&s_anoncred);
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
gnutls_init (&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK);
ret = gnutls_priority_set_direct (server, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
if (ret < 0)
exit(1);
gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits (server, 1024);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_transport_set_pull_timeout_function (server, server_pull_timeout_func);
gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);
/* Init client */
gnutls_anon_allocate_client_credentials (&c_anoncred);
gnutls_init (&client, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK);
cret = gnutls_priority_set_direct (client, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
if (cret < 0)
exit(1);
gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_transport_set_pull_timeout_function (client, client_pull_timeout_func);
gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);
handshake = 1;
HANDSHAKE(client, server);
handshake = 0;
if (debug)
success ("Handshake established\n");
do
{
ret = gnutls_record_send (client, MSG, strlen (MSG));
}
while(ret == GNUTLS_E_AGAIN);
//success ("client: sent %d\n", ns);
msglen = strlen(MSG);
TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF);
if (debug)
fputs ("\n", stdout);
gnutls_bye (client, GNUTLS_SHUT_WR);
gnutls_bye (server, GNUTLS_SHUT_WR);
gnutls_deinit (client);
gnutls_deinit (server);
gnutls_anon_free_client_credentials (c_anoncred);
gnutls_anon_free_server_credentials (s_anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
static void test_ciphersuite_kx(const char *cipher_prio)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char *) pkcs3, strlen(pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret, cret;
const char *str;
const char *suite = NULL;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
start_benchmark(&st);
do {
gnutls_init(&server, GNUTLS_SERVER);
ret = gnutls_priority_set_direct(server, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
reset_buffers();
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_init(&client, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct(client, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
HANDSHAKE(client, server);
if (suite == NULL)
suite = gnutls_cipher_suite_get_name(gnutls_kx_get(server),
gnutls_cipher_get(server),
gnutls_mac_get(server));
gnutls_deinit(client);
gnutls_deinit(server);
st.size += 1;
}
while (benchmark_must_finish == 0);
fprintf(stdout, "Tested %s: ", suite);
stop_benchmark(&st, "transactions");
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_dh_params_deinit(dh_params);
}
