static bool ConnSSL_LoadServerKey_gnutls(void) { int err; const char *cert_file; err = gnutls_certificate_allocate_credentials(&x509_cred); if (err < 0) { Log(LOG_ERR, "gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err)); return false; } cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile; if (!cert_file) { Log(LOG_NOTICE, "No SSL server key configured, SSL disabled."); return false; } if (array_bytes(&Conf_SSLOptions.KeyFilePassword)) Log(LOG_WARNING, "Ignoring KeyFilePassword: Not supported by GNUTLS."); if (!Load_DH_params()) return false; gnutls_certificate_set_dh_params(x509_cred, dh_params); err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, Conf_SSLOptions.KeyFile, GNUTLS_X509_FMT_PEM); if (err < 0) { Log(LOG_ERR, "gnutls_certificate_set_x509_key_file (cert %s, key %s): %s", cert_file, Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)", gnutls_strerror(err)); return false; } return true; }
struct rfbssl_ctx *rfbssl_init_global(char *key, char *cert) { int ret = GNUTLS_E_SUCCESS; struct rfbssl_ctx *ctx = NULL; if (NULL == (ctx = malloc(sizeof(struct rfbssl_ctx)))) { ret = GNUTLS_E_MEMORY_ERROR; } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_global_init())) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_allocate_credentials(&ctx->x509_cred))) { /* */ } else if ((ret = gnutls_certificate_set_x509_trust_file(ctx->x509_cred, cert, GNUTLS_X509_FMT_PEM)) < 0) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_set_x509_key_file(ctx->x509_cred, cert, key, GNUTLS_X509_FMT_PEM))) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = generate_dh_params(ctx))) { /* */ #ifdef I_LIKE_RSA_PARAMS_THAT_MUCH } else if (!GNUTLS_E_SUCCESS == (ret = generate_rsa_params(ctx))) { /* */ #endif } else { gnutls_global_set_log_function(rfbssl_log_func); gnutls_global_set_log_level(1); gnutls_certificate_set_dh_params(ctx->x509_cred, ctx->dh_params); /* newly allocated memory should be initialized, at least where it is important */ ctx->peekstart = ctx->peeklen = 0; return ctx; } free(ctx); return NULL; }
void TLSSocket::init(const std::string& caPath, const std::string& crlPath, const std::string& certPath, const std::string& keyPath) { gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); gnutls_global_init(); gnutls_certificate_allocate_credentials(&xcred); if (!caPath.empty()) { gnutls_certificate_set_x509_trust_file(xcred, caPath.c_str(), GNUTLS_X509_FMT_PEM); gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); } if (!crlPath.empty()) { gnutls_certificate_set_x509_crl_file(xcred, crlPath.c_str(), GNUTLS_X509_FMT_PEM); } gnutls_certificate_set_x509_key_file(xcred, certPath.c_str(), keyPath.c_str(), GNUTLS_X509_FMT_PEM); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, 1024); gnutls_priority_init(&priority_cache, "NORMAL", NULL); gnutls_certificate_set_dh_params(xcred, dh_params); }
bool Plugin::onLoad(LightBird::IApi *api) { int error; const char *err_pos = NULL; this->api = api; try { ASSERT_INIT(gnutls_global_init(), "global"); if (!gnutls_check_version(GNUTLS_CHECK_VERSION)) throw Properties("error", "Bad GnuTLS version").add("version required", GNUTLS_CHECK_VERSION); gnutls_global_set_audit_log_function(Plugin::log); this->_loadConfiguration(); this->_loadPrivateKey(); this->_loadCertificate(); this->_loadDHParams(); ASSERT_INIT(gnutls_certificate_allocate_credentials(&this->x509_cred), "credentials"); ASSERT(gnutls_certificate_set_x509_key(this->x509_cred, &this->crt, 1, this->key)); ASSERT_INIT(gnutls_priority_init(&this->priority, this->priorityStrings.data(), &err_pos), "priority"); gnutls_certificate_set_dh_params(this->x509_cred, this->dhParams); } catch (Properties p) { if (err_pos) p.add("error position", err_pos).add("priority string", this->priorityStrings); LOG_FATAL("Unable to initialize GnuTLS", p.toMap(), "Plugin", "onLoad"); this->_deinit(); return (false); } this->api->contexts().declareInstance("handshake", (this->handshake = new Handshake(this->api, this->handshakeTimeout))); this->api->contexts().declareInstance("record", (this->record = new Record(this->api))); return (true); }
////////////////////////////////////////////////////////////////////// // GnuTlsX509Cred // GnuTlsX509Cred::GnuTlsX509Cred(const char* certificateFile, const char* privateKeyFile) { int ret; log_debug("gnutls_certificate_allocate_credentials"); ret = gnutls_certificate_allocate_credentials(&_x509_cred); if (ret != 0) throw GnuTlsException("gnutls_certificate_allocate_credentials", ret); log_debug("gnutls_certificate_allocate_credentials => " << _x509_cred); // gnutls_certificate_set_x509_trust_file(x509_cred, caFile, GNUTLS_X509_FMT_PEM); // gnutls_certificate_set_x509_crl_file(x509_cred, crlFile, GNUTLS_X509_FMT_PEM); try { log_debug("gnutls_certificate_set_x509_key_file(x509_cred, \"" << certificateFile << "\", \"" << privateKeyFile << "\", GNUTLS_X509_FMT_PEM)"); ret = gnutls_certificate_set_x509_key_file(_x509_cred, certificateFile, privateKeyFile, GNUTLS_X509_FMT_PEM); if (ret < 0) throw GnuTlsException("gnutls_certificate_set_x509_key_file", ret); log_debug("gnutls_certificate_set_dh_params"); gnutls_certificate_set_dh_params(_x509_cred, _init.getDhParams()); } catch (...) { log_debug("gnutls_certificate_free_credentials"); gnutls_certificate_free_credentials(_x509_cred); throw; } }
int rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile) { int ret; gnutls_datum_t *d_cert, *d_key; if(cert == NULL) { rb_lib_log("rb_setup_ssl_server: No certificate file"); return 0; } if((d_cert = rb_load_file_into_datum_t(cert)) == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno)); return 0; } if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno)); return 0; } if((ret = gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) { rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s", gnutls_strerror(ret)); return 0; } rb_free_datum_t(d_cert); rb_free_datum_t(d_key); if(dhfile != NULL) { if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS) { gnutls_datum_t *data; int xret; data = rb_load_file_into_datum_t(dhfile); if(data != NULL) { xret = gnutls_dh_params_import_pkcs3(dh_params, data, GNUTLS_X509_FMT_PEM); if(xret < 0) rb_lib_log ("rb_setup_ssl_server: Error parsing DH file: %s\n", gnutls_strerror(xret)); rb_free_datum_t(data); } gnutls_certificate_set_dh_params(x509, dh_params); } else rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters"); } return 1; }
/** Generate initial DH and RSA params. * Loads the pre-generated DH primes. */ static void _crywrap_tls_init(void) { gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &dh_file, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_dh_params(cred, dh_params); }
void TLSServer::init ( const std::string& ca, const std::string& crl, const std::string& cert, const std::string& key) { _ca = ca; _crl = crl; _cert = cert; _key = key; int ret = gnutls_global_init (); if (ret < 0) throw format ("TLS init error. {1}", gnutls_strerror (ret)); ret = gnutls_certificate_allocate_credentials (&_credentials); if (ret < 0) throw format ("TLS allocation error. {1}", gnutls_strerror (ret)); if (_ca != "" && (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CA file. {1}", gnutls_strerror (ret)); if ( _crl != "" && (ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CRL file. {1}", gnutls_strerror (ret)); if (_cert != "" && _key != "" && (ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CERT file. {1}", gnutls_strerror (ret)); #if GNUTLS_VERSION_NUMBER >= 0x020b00 #if GNUTLS_VERSION_NUMBER >= 0x03000d unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); #else unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); #endif #else unsigned int bits = DH_BITS; #endif gnutls_dh_params_init (&_params); gnutls_dh_params_generate2 (_params, bits); if (_ciphers == "") _ciphers = "NORMAL"; gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL); gnutls_certificate_set_dh_params (_credentials, _params); #if GNUTLS_VERSION_NUMBER >= 0x02090a // The automatic verification for the client certificate with // gnutls_certificate_set_verify_function only works with gnutls // >=2.9.10. So with older versions we should call the verify function // manually after the gnutls handshake. gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif }
void server_start (void) { /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); success ("Launched, generating DH parameters...\n"); generate_dh_params (); gnutls_certificate_set_dh_params (x509_cred, dh_params); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); if (err == -1) { perror ("socket"); fail ("server: socket failed\n"); return; } memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); if (err == -1) { perror ("bind"); fail ("server: bind failed\n"); return; } err = listen (listen_sd, 1024); if (err == -1) { perror ("listen"); fail ("server: listen failed\n"); return; } success ("server: ready. Listening to port '%d'.\n", PORT); }
static gnutls_certificate_credentials_t CreateX509CertCredential(rfbCredential *cred) { gnutls_certificate_credentials_t x509_cred; int ret; if (!cred->x509Credential.x509CACertFile) { rfbClientLog("No CA certificate provided.\n"); return NULL; } if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { rfbClientLog("Cannot allocate credentials: %s.\n", gnutls_strerror(ret)); return NULL; } if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, cred->x509Credential.x509CACertFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load CA credentials: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } if (cred->x509Credential.x509ClientCertFile && cred->x509Credential.x509ClientKeyFile) { if ((ret = gnutls_certificate_set_x509_key_file(x509_cred, cred->x509Credential.x509ClientCertFile, cred->x509Credential.x509ClientKeyFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load client certificate or key: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } } else { rfbClientLog("No client certificate or key provided.\n"); } if (cred->x509Credential.x509CACrlFile) { if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, cred->x509Credential.x509CACrlFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load CRL: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } } else { rfbClientLog("No CRL provided.\n"); } gnutls_certificate_set_dh_params (x509_cred, rfbDHParams); return x509_cred; }
static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd) { gnutls_certificate_credentials_t x509_cred; int ret; if (!vd->tls.x509cacert) { VNC_DEBUG("No CA x509 certificate specified\n"); return NULL; } if (!vd->tls.x509cert) { VNC_DEBUG("No server x509 certificate specified\n"); return NULL; } if (!vd->tls.x509key) { VNC_DEBUG("No server private key specified\n"); return NULL; } if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret)); return NULL; } if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, vd->tls.x509cacert, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } if ((ret = gnutls_certificate_set_x509_key_file (x509_cred, vd->tls.x509cert, vd->tls.x509key, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } if (vd->tls.x509cacrl) { if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, vd->tls.x509cacrl, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } } gnutls_certificate_set_dh_params (x509_cred, dh_params); return x509_cred; }
struct cert* loadCert(const char* ca, const char* cert, const char* key) { struct cert* oc = xmalloc(sizeof(struct cert)); gnutls_certificate_allocate_credentials(&oc->cert); if (ca != NULL) gnutls_certificate_set_x509_trust_file(oc->cert, ca, GNUTLS_X509_FMT_PEM); int e1 = gnutls_certificate_set_x509_key_file(oc->cert, cert, key, GNUTLS_X509_FMT_PEM); if (e1 < 0) { return NULL; } gnutls_priority_init(&oc->priority, "PERFORMANCE:%SERVER_PRECEDENCE", NULL); gnutls_certificate_set_dh_params(oc->cert, dh_params); return oc; }
int ufwissl_ssl_context_keypair_from_data(ufwissl_ssl_context * ctx, ufwissl_ssl_client_cert * cert) { int ret; ret = gnutls_certificate_set_x509_key(ctx->cred, &cert->cert.subject, 1, cert->pkey); if (ret != 0) return UFWISSL_ERROR; gnutls_certificate_set_dh_params(ctx->cred, ctx->dh); return (ret == 0) ? UFWISSL_OK : UFWISSL_ERROR; }
static Ecore_Con_Ssl_Error _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr, int ssl_type) { int ret; if (ssl_type & ECORE_CON_USE_SSL2) return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED; switch (ssl_type) { case ECORE_CON_USE_SSL3: case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_TLS: case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_MIXED: case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT: break; default: return ECORE_CON_SSL_ERROR_NONE; } SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert)); if ((!svr->use_cert) && svr->created) { SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params)); INF("Generating DH params"); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s)); /* TODO: implement PSK */ // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s)); gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params); gnutls_certificate_set_dh_params(svr->cert, svr->dh_params); //gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params); INF("DH params successfully generated and applied!"); } else if (!svr->use_cert) { //SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c)); } return ECORE_CON_SSL_ERROR_NONE; error: _gnutls_print_errors(ret); _ecore_con_ssl_server_shutdown_gnutls(svr); return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED; }
static gpointer server_thread (gpointer user_data) { int listener = GPOINTER_TO_INT (user_data), client; gnutls_certificate_credentials creds; gnutls_session_t session; struct sockaddr_in sin; int len; char buf[BUFSIZE]; int status; gnutls_certificate_allocate_credentials (&creds); if (gnutls_certificate_set_x509_key_file (creds, ssl_cert_file, ssl_key_file, GNUTLS_X509_FMT_PEM) != 0) { g_error ("Failed to set SSL certificate and key files " "(%s, %s).", ssl_cert_file, ssl_key_file); } gnutls_certificate_set_dh_params (creds, dh_params); /* Create a new session */ gnutls_init (&session, GNUTLS_SERVER); gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, creds); gnutls_dh_set_prime_bits (session, DH_BITS); /* Wait for client thread to connect */ len = sizeof (sin); client = accept (listener, (struct sockaddr *) &sin, (void *)&len); gnutls_transport_set_ptr (session, GINT_TO_POINTER (client)); /* Initial handshake */ status = gnutls_handshake (session); if (status < 0) g_error ("initial handshake failed: %d", status); /* Synchronous client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* Async client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* That's all, folks. */ gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit (session); close (client); gnutls_certificate_free_credentials (creds); return NULL; }
G_GNUC_COLD void tls_global_init(void) { static const struct { const char * const name; const int major; const int minor; } f = { "tls", 1, 0 }; char *cert_file, *key_file; #if !defined(REMAP_ZALLOC) && !defined(TRACK_MALLOC) && !defined(TRACK_ZALLOC) gnutls_global_set_mem_functions(halloc, halloc, NULL, hrealloc, hfree); #endif if (gnutls_global_init()) { g_error("gnutls_global_init() failed"); } #ifdef USE_TLS_CUSTOM_IO gnutls_global_set_log_level(9); gnutls_global_set_log_function(tls_log_function); #endif /* USE_TLS_CUSTOM_IO */ get_dh_params(); gnutls_certificate_allocate_credentials(&cert_cred); key_file = make_pathname(settings_config_dir(), "key.pem"); cert_file = make_pathname(settings_config_dir(), "cert.pem"); if (file_exists(key_file) && file_exists(cert_file)) { int ret; ret = gnutls_certificate_set_x509_key_file(cert_cred, cert_file, key_file, GNUTLS_X509_FMT_PEM); if (ret < 0) { g_warning("gnutls_certificate_set_x509_key_file() failed: %s", gnutls_strerror(ret)); } else { gnutls_certificate_set_dh_params(cert_cred, get_dh_params()); } } HFREE_NULL(key_file); HFREE_NULL(cert_file); header_features_add(FEATURES_CONNECTIONS, f.name, f.major, f.minor); header_features_add(FEATURES_G2_CONNECTIONS, f.name, f.major, f.minor); header_features_add(FEATURES_DOWNLOADS, f.name, f.major, f.minor); header_features_add(FEATURES_UPLOADS, f.name, f.major, f.minor); }
void Gobby::CertificateManager::make_credentials() { InfCertificateCredentials* creds = inf_certificate_credentials_new(); gnutls_certificate_credentials_t gnutls_creds = inf_certificate_credentials_get(creds); if(m_preferences.security.authentication_enabled && m_key != NULL && m_certificates != NULL) { gnutls_certificate_set_x509_key( gnutls_creds, inf_certificate_chain_get_raw(m_certificates), inf_certificate_chain_get_n_certificates(m_certificates), m_key ); } if(m_preferences.security.use_system_trust) { const int n_cas = gnutls_certificate_set_x509_system_trust( gnutls_creds); if(n_cas < 0) { g_warning("Failed to add system CAs: %s\n", gnutls_strerror(n_cas)); } } if(!m_trust.empty()) { gnutls_certificate_set_x509_trust( gnutls_creds, &m_trust[0], m_trust.size() ); } if(m_dh_params != NULL) gnutls_certificate_set_dh_params(gnutls_creds, m_dh_params); gnutls_certificate_set_verify_flags( gnutls_creds, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); InfCertificateCredentials* old_creds = m_credentials; m_credentials = creds; m_signal_credentials_changed.emit(); if(old_creds != NULL) inf_certificate_credentials_unref(old_creds); }
void initialize_tls_global(void) { gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CACERT, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CACRL, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file (x509_cred, SERVERCERT, SERVERKEY, GNUTLS_X509_FMT_PEM); gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); gnutls_certificate_set_dh_params (x509_cred, dh_params); }
void TLSServer::init ( const std::string& ca, const std::string& crl, const std::string& cert, const std::string& key) { _ca = ca; _crl = crl; _cert = cert; _key = key; gnutls_global_init (); gnutls_certificate_allocate_credentials (&_credentials); if (_ca != "" && gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CA file."); if ( _crl != "" && gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CRL file."); if (_cert != "" && _key != "" && gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CERT file."); #if GNUTLS_VERSION_NUMBER >= 0x020b00 #if GNUTLS_VERSION_NUMBER >= 0x03000d unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); #else unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); #endif #else unsigned int bits = DH_BITS; #endif gnutls_dh_params_init (&_params); gnutls_dh_params_generate2 (_params, bits); if (_ciphers == "") _ciphers = "NORMAL"; gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL); gnutls_certificate_set_dh_params (_credentials, _params); #if GNUTLS_VERSION_NUMBER >= 0x02090a gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif }
void ssl_init(struct sockifo* ifo, const char* key, const char* cert, const char* ca, int server) { int rv; rv = gnutls_certificate_allocate_credentials(&ifo->xcred); if (rv < 0) goto out_err; if (cert && *cert) { rv = gnutls_certificate_set_x509_key_file(ifo->xcred, cert, key, GNUTLS_X509_FMT_PEM); if (rv < 0) goto out_err_cred; } if (ca && *ca) { if (!access(ca, R_OK)) { ifo->state.ssl_verify_type = VERIFY_CA; rv = gnutls_certificate_set_x509_trust_file(ifo->xcred, ca, GNUTLS_X509_FMT_PEM); if (rv < 0) goto out_err_cred; } else { ifo->state.ssl_verify_type = VERIFY_FP; ifo->fingerprint = strdup(ca); } } gnutls_certificate_set_dh_params(ifo->xcred, dh_params); rv = gnutls_init(&ifo->ssl, server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (rv < 0) goto out_err_cred; rv = gnutls_set_default_priority(ifo->ssl); if (rv < 0) goto out_err_all; rv = gnutls_credentials_set(ifo->ssl, GNUTLS_CRD_CERTIFICATE, ifo->xcred); if (rv < 0) goto out_err_all; if (server) { gnutls_dh_set_prime_bits(ifo->ssl, 1024); gnutls_certificate_server_set_request(ifo->ssl, GNUTLS_CERT_REQUEST); } gnutls_transport_set_ptr(ifo->ssl, (gnutls_transport_ptr_t)(long) ifo->fd); ifo->state.ssl = SSL_HSHK; if (!ifo->state.connpend) ssl_handshake(ifo); return; out_err_all: gnutls_deinit(ifo->ssl); out_err_cred: gnutls_certificate_free_credentials(ifo->xcred); if (ifo->fingerprint) free(ifo->fingerprint); out_err: esock(ifo, gnutls_strerror(rv)); }
/// Enables TLS on the given server. static void onion_enable_tls(onion *o){ #ifdef HAVE_PTHREADS gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); #endif if (!(o->flags&O_USE_DEV_RANDOM)){ gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); } gnutls_global_init (); gnutls_certificate_allocate_credentials (&o->x509_cred); gnutls_dh_params_init (&o->dh_params); gnutls_dh_params_generate2 (o->dh_params, 1024); gnutls_certificate_set_dh_params (o->x509_cred, o->dh_params); gnutls_priority_init (&o->priority_cache, "NORMAL", NULL); o->flags|=O_SSL_ENABLED; }
gtlsGlobalServerData::gtlsGlobalServerData(std::string const& _CAfile, /*std::string const& _CRLFile,*/ std::string const& _CertFile, std::string const& _keyFile) : cert_cred(0), initialized_(true) { int ret = 0; // Logging. gnutls_global_set_log_level(loglevel); gnutls_global_set_log_function(gtlsGeneric::logCallback); // Allocate the structures used to keep certificates in. ret = gnutls_certificate_allocate_credentials(&cert_cred); // printerror("gnutls_certificate_allocate_credentials", ret); if (ret < 0) { initialized_ = false; } // Set the CA certificate. // GNUTLS_NOTICE("Setting CA, file='" << _CAfile << "'"); ret = gnutls_certificate_set_x509_trust_file(cert_cred, _CAfile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_trust_file", ret); if (ret < 0) { initialized_ = false; } // GNUTLS_NOTICE("Processed " << ret << " certificates."); // Set the certificate and priate key pair. //GNUTLS_NOTICE("Setting certificate, file='" << _CertFile << "'"); //GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'"); ret = gnutls_certificate_set_x509_key_file(cert_cred, _CertFile.c_str(), _keyFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_key_file", ret); if (ret < 0) { initialized_ = false; } // GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s)."); // Generate and set DH params. generate_dh_params(); gnutls_certificate_set_dh_params(cert_cred, dh_params); }
static sni_cert_data* creds_from_gstring(mod_context *ctx, GString *str) { sni_cert_data* data = NULL; gnutls_certificate_credentials_t creds = NULL; liGnuTLSOCSP* ocsp = NULL; gnutls_datum_t pemfile; int r; if (NULL == str) return NULL; if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&creds))) return NULL; pemfile.data = (unsigned char*) str->str; pemfile.size = str->len; #if defined(HAVE_PIN) gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin); #endif if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) { goto error; } gnutls_certificate_set_dh_params(creds, ctx->dh_params); ocsp = li_gnutls_ocsp_new(); if (!li_gnutls_ocsp_search_datum(ctx->srv, ocsp, &pemfile)) { goto error; } li_gnutls_ocsp_use(ocsp, creds); data = g_slice_new0(sni_cert_data); data->creds = creds; data->ocsp = ocsp; return data; error: if (NULL != creds) gnutls_certificate_free_credentials(creds); if (NULL != ocsp) li_gnutls_ocsp_free(ocsp); return NULL; }
bool SslContext::post_config() { TRACE("SslContext.postConfig()"); if (error_) return false; if (!enabled) return false; // if (rsaParams_) // gnutls_certificate_set_rsa_export_params(certs_, rsaParams_); if (dhParams_) { TRACE("setting DH params"); gnutls_certificate_set_dh_params(certs_, dhParams_); gnutls_anon_set_server_dh_params(anonCreds_, dhParams_); } gnutls_certificate_server_set_retrieve_function(certs_, &SslContext::onRetrieveCert); // SRP... return true; }
void SSLi_init() { unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM); gnutls_priority_init(&cipherCache, ciphers, NULL); initializeCertificate(); gnutls_dh_params_init(&dhParameters); Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount); int error = gnutls_dh_params_generate2(dhParameters, bitCount); if(!error) { Log_info("Successfully generated Diffie-Hellman parameters"); } else { Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error)); } gnutls_certificate_set_dh_params(certificate, dhParameters); Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL)); }
void server (void) { /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); success ("Launched, generating DH parameters...\n"); generate_dh_params (); gnutls_certificate_set_dh_params (x509_cred, dh_params); client_len = sizeof (sa_cli); session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); success ("server: connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); return; } success ("server: Handshake was completed\n"); success ("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ print_info (session); i = 0; for (;;) { bzero (buffer, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("server: Peer has closed the GNUTLS connection\n"); break; } else if (ret < 0) { fail ("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); close (listen_sd); gnutls_certificate_free_credentials (x509_cred); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); success ("server: finished\n"); }
static void server(int sd) { gnutls_certificate_credentials_t x509_cred; int ret; gnutls_session_t session; char buffer[MAX_BUF + 1]; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); gnutls_certificate_allocate_credentials(&x509_cred); ret = gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret == 0) { fail("server: no CAs loaded\n"); } gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (debug) success("Launched, generating DH parameters...\n"); generate_dh_params(); gnutls_certificate_set_dh_params(x509_cred, dh_params); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits(session, DH_BITS); gnutls_transport_set_int(session, sd); gnutls_handshake_set_timeout(session, 20 * 1000); ret = gnutls_handshake(session); if (ret < 0) { close(sd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); return; } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); /* see the Getting peer's information example */ if (debug) print_info(session); for (;;) { memset(buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send(session, buffer, strlen(buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
static void server(int sd) { /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_x509_trust_mem(x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); if (debug) success("Launched, generating DH parameters...\n"); generate_dh_params(); gnutls_certificate_set_dh_params(x509_cred, dh_params); session = initialize_tls_session(); gnutls_transport_set_int(session, sd); ret = gnutls_handshake(session); if (ret < 0) { close(sd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); return; } if (debug) { success("server: Handshake was completed\n"); success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); } /* see the Getting peer's information example */ if (debug) print_info(session); for (;;) { memset(buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); if (debug) success ("server: got data, forcing rehandshake.\n"); ret = gnutls_rehandshake(session); if (ret < 0) { fail("server: rehandshake failed\n"); gnutls_perror(ret); break; } ret = gnutls_handshake(session); if (ret < 0) { fail("server: (re)handshake failed\n"); gnutls_perror(ret); break; } if (debug) success("server: rehandshake complete.\n"); /* echo data back to the client */ gnutls_record_send(session, buffer, strlen(buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
int main (void) { int err, listen_sd; int sd, ret; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; int client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; char name[256]; strcpy (name, "Echo Server"); /* this must be called once in the program */ gnutls_global_init (); gnutls_certificate_allocate_credentials (&cred); gnutls_certificate_set_openpgp_keyring_file (cred, RINGFILE, GNUTLS_OPENPGP_FMT_BASE64); gnutls_certificate_set_openpgp_key_file (cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64); generate_dh_params (); gnutls_certificate_set_dh_params (cred, dh_params); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); SOCKET_ERR (listen_sd, "socket"); memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); SOCKET_ERR (err, "bind"); err = listen (listen_sd, 1024); SOCKET_ERR (err, "listen"); printf ("%s ready. Listening to port '%d'.\n\n", name, PORT); client_len = sizeof (sa_cli); for (;;) { session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); printf ("- connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fprintf (stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror (ret)); continue; } printf ("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("\n- Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fprintf (stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } printf ("\n"); /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); } close (listen_sd); gnutls_certificate_free_credentials (cred); gnutls_global_deinit (); return 0; }
int main (void) { int listen_sd; int sock, ret; struct sockaddr_in sa_serv; struct sockaddr_in cli_addr; socklen_t cli_addr_size; gnutls_session_t session; char buffer[MAX_BUFFER]; priv_data_st priv; gnutls_datum_t cookie_key; gnutls_dtls_prestate_st prestate; int mtu = 1400; unsigned char sequence[8]; /* this must be called once in the program */ gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM); ret = gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM); if (ret < 0) { printf("No certificate or key were found\n"); exit(1); } generate_dh_params (); gnutls_certificate_set_dh_params (x509_cred, dh_params); gnutls_priority_init (&priority_cache, "PERFORMANCE:-VERS-TLS-ALL:+VERS-DTLS1.0:%SERVER_PRECEDENCE", NULL); gnutls_key_generate (&cookie_key, GNUTLS_COOKIE_KEY_SIZE); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_DGRAM, 0); memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); { /* DTLS requires the IP don't fragment (DF) bit to be set */ #if defined(IP_DONTFRAG) int optval = 1; setsockopt (listen_sd, IPPROTO_IP, IP_DONTFRAG, (const void *) &optval, sizeof (optval)); #elif defined(IP_MTU_DISCOVER) int optval = IP_PMTUDISC_DO; setsockopt(listen_sd, IPPROTO_IP, IP_MTU_DISCOVER, (const void*) &optval, sizeof (optval)); #endif } bind (listen_sd, (struct sockaddr *) &sa_serv, sizeof (sa_serv)); printf ("UDP server ready. Listening to port '%d'.\n\n", PORT); for (;;) { printf ("Waiting for connection...\n"); sock = wait_for_connection (listen_sd); if (sock < 0) continue; cli_addr_size = sizeof (cli_addr); ret = recvfrom (sock, buffer, sizeof (buffer), MSG_PEEK, (struct sockaddr *) &cli_addr, &cli_addr_size); if (ret > 0) { memset (&prestate, 0, sizeof (prestate)); ret = gnutls_dtls_cookie_verify (&cookie_key, &cli_addr, sizeof (cli_addr), buffer, ret, &prestate); if (ret < 0) /* cookie not valid */ { priv_data_st s; memset (&s, 0, sizeof (s)); s.fd = sock; s.cli_addr = (void *) &cli_addr; s.cli_addr_size = sizeof (cli_addr); printf ("Sending hello verify request to %s\n", human_addr ((struct sockaddr *) &cli_addr, sizeof (cli_addr), buffer, sizeof (buffer))); gnutls_dtls_cookie_send (&cookie_key, &cli_addr, sizeof (cli_addr), &prestate, (gnutls_transport_ptr_t) & s, push_func); /* discard peeked data */ recvfrom (sock, buffer, sizeof (buffer), 0, (struct sockaddr *) &cli_addr, &cli_addr_size); usleep (100); continue; } printf ("Accepted connection from %s\n", human_addr ((struct sockaddr *) &cli_addr, sizeof (cli_addr), buffer, sizeof (buffer))); } else continue; session = initialize_tls_session (); gnutls_dtls_prestate_set (session, &prestate); gnutls_dtls_set_mtu (session, mtu); priv.session = session; priv.fd = sock; priv.cli_addr = (struct sockaddr *) &cli_addr; priv.cli_addr_size = sizeof (cli_addr); gnutls_transport_set_ptr (session, &priv); gnutls_transport_set_push_function (session, push_func); gnutls_transport_set_pull_function (session, pull_func); gnutls_transport_set_pull_timeout_function (session, pull_timeout_func); do { ret = gnutls_handshake (session); } while (ret < 0 && gnutls_error_is_fatal (ret) == 0); if (ret < 0) { fprintf (stderr, "Error in handshake(): %s\n", gnutls_strerror (ret)); gnutls_deinit (session); continue; } printf ("- Handshake was completed\n"); for (;;) { do { ret = gnutls_record_recv_seq (session, buffer, MAX_BUFFER, sequence); } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); if (ret < 0) { fprintf (stderr, "Error in recv(): %s\n", gnutls_strerror (ret)); break; } if (ret == 0) { printf ("EOF\n\n"); break; } buffer[ret] = 0; printf ("received[%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x]: %s\n", sequence[0], sequence[1], sequence[2], sequence[3], sequence[4], sequence[5], sequence[6], sequence[7], buffer); /* reply back */ ret = gnutls_record_send (session, buffer, ret); if (ret < 0) { fprintf (stderr, "Error in send(): %s\n", gnutls_strerror (ret)); break; } } gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit (session); } close (listen_sd); gnutls_certificate_free_credentials (x509_cred); gnutls_priority_deinit (priority_cache); gnutls_global_deinit (); return 0; }