static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) { static const int cert_types[] = { GNUTLS_CRT_X509, 0 }; static const int protocols[] = { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 }; static const int kx_x509[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 }; int rc; rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon); if (rc != GNUTLS_E_SUCCESS) { return -1; } rc = gnutls_certificate_type_set_priority(s, cert_types); if (rc != GNUTLS_E_SUCCESS) { return -1; } rc = gnutls_protocol_set_priority(s, protocols); if (rc != GNUTLS_E_SUCCESS) { return -1; } return 0; }
static gnutls_session new_tls_session(int sock) { int ret; gnutls_session session; const int kx_priority[] = { GNUTLS_KX_ANON_DH, #ifdef GNUTLS_SRP_ENABLED GNUTLS_KX_SRP, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA, #endif 0 }; gnutls_init(&session, GNUTLS_SERVER); gnutls_set_default_priority(session); gnutls_kx_set_priority(session, kx_priority); #ifdef GNUTLS_SRP_ENABLED gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred); gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); #endif gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_ptr(session, fd_to_ptr(sock)); gnutls_transport_set_pull_function(session, tls_pull); gnutls_transport_set_push_function(session, tls_push); ret = gnutls_handshake(session); if ( ret < 0 ) { fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret)); gnutls_alert_send_appropriate(session, ret); return NULL; } return session; }
void * crm_create_anon_tls_session(int csock, int type /* GNUTLS_SERVER, GNUTLS_CLIENT */ , void *credentials) { gnutls_session_t *session = gnutls_malloc(sizeof(gnutls_session_t)); gnutls_init(session, type); # ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT /* http://www.manpagez.com/info/gnutls/gnutls-2.10.4/gnutls_81.php#Echo-Server-with-anonymous-authentication */ gnutls_priority_set_direct(*session, "NORMAL:+ANON-DH", NULL); /* gnutls_priority_set_direct (*session, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); */ # else gnutls_set_default_priority(*session); gnutls_kx_set_priority(*session, anon_tls_kx_order); # endif gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t) GINT_TO_POINTER(csock)); switch (type) { case GNUTLS_SERVER: gnutls_credentials_set(*session, GNUTLS_CRD_ANON, (gnutls_anon_server_credentials_t) credentials); break; case GNUTLS_CLIENT: gnutls_credentials_set(*session, GNUTLS_CRD_ANON, (gnutls_anon_client_credentials_t) credentials); break; } return session; }
void * create_psk_tls_session(int csock, int type /* GNUTLS_SERVER, GNUTLS_CLIENT */ , void *credentials) { gnutls_session_t *session = gnutls_malloc(sizeof(gnutls_session_t)); gnutls_init(session, type); # ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT gnutls_priority_set_direct(*session, "NORMAL:+DHE-PSK:+PSK", NULL); # else gnutls_set_default_priority(*session); gnutls_kx_set_priority(*session, psk_tls_kx_order); # endif gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t) GINT_TO_POINTER(csock)); switch (type) { case GNUTLS_SERVER: gnutls_credentials_set(*session, GNUTLS_CRD_PSK, (gnutls_psk_server_credentials_t) credentials); break; case GNUTLS_CLIENT: gnutls_credentials_set(*session, GNUTLS_CRD_PSK, (gnutls_psk_client_credentials_t) credentials); break; } return session; }
void network_client_init(int security_policy) { security = malloc(sizeof(*security)); int kx_prio[2]; gnutls_global_init (); if (security_policy == CRED_ANON) { gnutls_anon_allocate_client_credentials(&(security->anoncred)); } /* Initialize TLS session */ gnutls_init(&(security->session), GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority(security->session); if (security_policy == CRED_ANON) { kx_prio[0] = GNUTLS_KX_ANON_DH; kx_prio[1] = 0; gnutls_kx_set_priority (security->session, kx_prio); /* Put the anonymous credentials to the current session */ gnutls_credentials_set(security->session, GNUTLS_CRD_ANON, security->anoncred); } else printf("Unknown credentials requested\n"); }
gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); if (TLS_SESSION_CACHE != 0) { gnutls_db_set_retrieve_function (session, wrap_db_fetch); gnutls_db_set_remove_function (session, wrap_db_delete); gnutls_db_set_store_function (session, wrap_db_store); gnutls_db_set_ptr (session, NULL); } return session; }
static gnutls_session_t initialize_tls_session (struct params_res *params) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); if (params->enable_db) { gnutls_db_set_retrieve_function (session, wrap_db_fetch); gnutls_db_set_remove_function (session, wrap_db_delete); gnutls_db_set_store_function (session, wrap_db_store); gnutls_db_set_ptr (session, NULL); } #ifdef ENABLE_SESSION_TICKET if (params->enable_session_ticket_server) gnutls_session_ticket_enable_server (session, &session_ticket_key); #endif return session; }
static void ADD_KX (gnutls_session session, int kx) { static int _kx_priority[] = { 0, 0 }; _kx_priority[0] = kx; gnutls_kx_set_priority (session, _kx_priority); }
static int tls_handshake (struct ikstls_data **datap, ikstransport *trans, void *sock) { const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; struct ikstls_data *data; int ret; *datap = NULL; data = iks_malloc (sizeof(*data)); if (!data) return IKS_NOMEM; memset (data, 0, sizeof(*data)); data->trans = trans; data->sock = sock; data->timeout = -1; if (gnutls_global_init () != 0) { iks_free (data); return IKS_NOMEM; } if (gnutls_certificate_allocate_credentials (&data->cred) < 0) { iks_free (data); return IKS_NOMEM; } if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { gnutls_certificate_free_credentials (data->cred); iks_free (data); return IKS_NOMEM; } gnutls_protocol_set_priority (data->sess, protocol_priority); gnutls_cipher_set_priority(data->sess, cipher_priority); gnutls_compression_set_priority(data->sess, comp_priority); gnutls_kx_set_priority(data->sess, kx_priority); gnutls_mac_set_priority(data->sess, mac_priority); gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); gnutls_transport_set_ptr (data->sess, data); ret = gnutls_handshake (data->sess); if (ret != 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); iks_free (data); return IKS_NET_TLSFAIL; } *datap = data; return IKS_OK; }
static void ADD_KX2 (gnutls_session session, int kx1, int kx2) { static int _kx_priority[] = { 0, 0, 0 }; _kx_priority[0] = kx1; _kx_priority[1] = kx2; gnutls_kx_set_priority (session, _kx_priority); }
/* initializes a gnutls_session with some defaults. */ static gnutls_session init_tls_session (const char *hostname) { gnutls_session session; gnutls_init (&session, GNUTLS_CLIENT); /* allow the use of private ciphersuites. */ if (disable_extensions == 0) { gnutls_handshake_set_private_extensions (session, 1); gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, strlen (hostname)); gnutls_certificate_type_set_priority (session, cert_type_priority); } gnutls_cipher_set_priority (session, cipher_priority); gnutls_compression_set_priority (session, comp_priority); gnutls_kx_set_priority (session, kx_priority); gnutls_protocol_set_priority (session, protocol_priority); gnutls_mac_set_priority (session, mac_priority); gnutls_dh_set_prime_bits (session, 512); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); /* send the fingerprint */ if (fingerprint != 0) gnutls_openpgp_send_key (session, GNUTLS_OPENPGP_KEY_FINGERPRINT); /* use the max record size extension */ if (record_max_size > 0 && disable_extensions == 0) { if (gnutls_record_set_max_size (session, record_max_size) < 0) { fprintf (stderr, "Cannot set the maximum record size to %d.\n", record_max_size); fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n"); exit (1); } } return session; }
static int handshake (struct stream_data *data) { const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; int ret; #ifndef WIN32 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); #endif if (gnutls_global_init () != 0) return IKS_NOMEM; if (gnutls_certificate_allocate_credentials (&data->cred) < 0) return IKS_NOMEM; if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { gnutls_certificate_free_credentials (data->cred); return IKS_NOMEM; } gnutls_protocol_set_priority (data->sess, protocol_priority); gnutls_cipher_set_priority(data->sess, cipher_priority); gnutls_compression_set_priority(data->sess, comp_priority); gnutls_kx_set_priority(data->sess, kx_priority); gnutls_mac_set_priority(data->sess, mac_priority); gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); gnutls_transport_set_ptr (data->sess, data->prs); ret = gnutls_handshake (data->sess); if (ret != 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); return IKS_NET_TLSFAIL; } data->flags &= (~SF_TRY_SECURE); data->flags |= SF_SECURE; iks_send_header (data->prs, data->server); return IKS_OK; } // HAVE_GNUTLS
SSL * SSL_new (SSL_CTX * ctx) { SSL *ssl; int err; ssl = (SSL *) calloc (1, sizeof (SSL)); if (!ssl) return NULL; err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred); if (err < 0) { last_error = err; free (ssl); return NULL; } gnutls_init (&ssl->gnutls_state, ctx->method->connend); gnutls_protocol_set_priority (ssl->gnutls_state, ctx->method->protocol_priority); gnutls_cipher_set_priority (ssl->gnutls_state, ctx->method->cipher_priority); gnutls_compression_set_priority (ssl->gnutls_state, ctx->method->comp_priority); gnutls_kx_set_priority (ssl->gnutls_state, ctx->method->kx_priority); gnutls_mac_set_priority (ssl->gnutls_state, ctx->method->mac_priority); gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, ssl->gnutls_cred); if (ctx->certfile) gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred, ctx->certfile, ctx->certfile_type); if (ctx->keyfile) gnutls_certificate_set_x509_key_file (ssl->gnutls_cred, ctx->certfile, ctx->keyfile, ctx->keyfile_type); ssl->ctx = ctx; ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback; ssl->options = ctx->options; ssl->rfd = (gnutls_transport_ptr_t) - 1; ssl->wfd = (gnutls_transport_ptr_t) - 1; return ssl; }
void anon_tls_server (evcom_stream *stream) { gnutls_session_t session; stream->data = session; int r = gnutls_init(&session, GNUTLS_SERVER); assert(r == 0); gnutls_set_default_priority(session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set(session, GNUTLS_CRD_ANON, server_credentials); gnutls_dh_set_prime_bits(session, DH_BITS); evcom_stream_set_secure_session(stream, session); }
void anon_tls_client (evcom_stream *stream) { gnutls_session_t client_session; gnutls_anon_client_credentials_t client_credentials; gnutls_anon_allocate_client_credentials (&client_credentials); gnutls_init(&client_session, GNUTLS_CLIENT); gnutls_set_default_priority(client_session); gnutls_kx_set_priority(client_session, kx_prio); /* Need to enable anonymous KX specifically. */ gnutls_credentials_set(client_session, GNUTLS_CRD_ANON, client_credentials); evcom_stream_set_secure_session(stream, client_session); assert(stream->flags & EVCOM_SECURE); }
static gnutls_session initialize_state(void) { gnutls_session session; gnutls_init(&session, GNUTLS_SERVER); gnutls_protocol_set_priority(session, protocol_priority); gnutls_cipher_set_priority(session, cipher_priority); gnutls_compression_set_priority(session, comp_priority); gnutls_kx_set_priority(session, kx_priority); gnutls_mac_set_priority(session, mac_priority); gnutls_certificate_type_set_priority(session, cert_type_priority); gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); return session; }
bool GnuTLSClientAnon::init( const std::string&, const std::string&, const StringList& ) { if( m_initLib && gnutls_global_init() != 0 ) return false; if( gnutls_anon_allocate_client_credentials( &m_anoncred ) < 0 ) return false; if( gnutls_init( m_session, GNUTLS_CLIENT ) != 0 ) return false; #if GNUTLS_VERSION_NUMBER >= 0x020600 int ret = gnutls_priority_set_direct( *m_session, "SECURE128:+PFS:+COMP-ALL:+VERS-TLS-ALL:-VERS-SSL3.0:+SIGN-ALL:+CURVE-ALL", 0 ); if( ret != GNUTLS_E_SUCCESS ) return false; #else const int protocolPriority[] = { #ifdef GNUTLS_TLS1_2 GNUTLS_TLS1_2, #endif GNUTLS_TLS1_1, GNUTLS_TLS1, 0 }; const int protocolPriority[] = { GNUTLS_TLS1, 0 }; const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 }; const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 }; const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; gnutls_protocol_set_priority( *m_session, protocolPriority ); gnutls_cipher_set_priority( *m_session, cipherPriority ); gnutls_compression_set_priority( *m_session, compPriority ); gnutls_kx_set_priority( *m_session, kxPriority ); gnutls_mac_set_priority( *m_session, macPriority ); #endif gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred ); gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this ); gnutls_transport_set_push_function( *m_session, pushFunc ); gnutls_transport_set_pull_function( *m_session, pullFunc ); m_valid = true; return true; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_PSK, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_PSK, server_pskcred); return session; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); return session; }
bool GnuTLSServerAnon::init( const std::string&, const std::string&, const StringList& ) { const int protocolPriority[] = { GNUTLS_TLS1, 0 }; const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 }; const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 }; const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; if( m_initLib && gnutls_global_init() != 0 ) return false; if( gnutls_anon_allocate_server_credentials( &m_anoncred ) < 0 ) return false; generateDH(); gnutls_anon_set_server_dh_params( m_anoncred, m_dhParams ); if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 ) return false; gnutls_protocol_set_priority( *m_session, protocolPriority ); gnutls_cipher_set_priority( *m_session, cipherPriority ); gnutls_compression_set_priority( *m_session, compPriority ); gnutls_kx_set_priority( *m_session, kxPriority ); gnutls_mac_set_priority( *m_session, macPriority ); gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred ); gnutls_dh_set_prime_bits( *m_session, m_dhBits ); gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this ); gnutls_transport_set_push_function( *m_session, pushFunc ); gnutls_transport_set_pull_function( *m_session, pullFunc ); m_valid = true; return true; }
static tls_session * tlsg_session_new ( tls_ctx * ctx, int is_server ) { tlsg_ctx *c = (tlsg_ctx *)ctx; tlsg_session *session; session = ber_memcalloc ( 1, sizeof (*session) ); if ( !session ) return NULL; session->ctx = c; gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT ); #ifdef HAVE_CIPHERSUITES gnutls_priority_set( session->session, c->prios ); #else gnutls_set_default_priority( session->session ); if ( c->kx_list ) { gnutls_kx_set_priority( session->session, c->kx_list ); gnutls_cipher_set_priority( session->session, c->cipher_list ); gnutls_mac_set_priority( session->session, c->mac_list ); } #endif if ( c->cred ) gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred ); if ( is_server ) { int flag = 0; if ( c->lo->ldo_tls_require_cert ) { flag = GNUTLS_CERT_REQUEST; if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND || c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD ) flag = GNUTLS_CERT_REQUIRE; gnutls_certificate_server_set_request( session->session, flag ); } } return (tls_session *)session; }
static gnutls_session tls_session_init(int side, uschar *expciphers, uschar *expmac, uschar *expkx, uschar *expproto) { gnutls_session session; gnutls_init(&session, side); /* Initialize the lists of permitted protocols, key-exchange methods, ciphers, and MACs. */ memcpy(cipher_priority, default_cipher_priority, sizeof(cipher_priority)); memcpy(mac_priority, default_mac_priority, sizeof(mac_priority)); memcpy(kx_priority, default_kx_priority, sizeof(kx_priority)); memcpy(proto_priority, default_proto_priority, sizeof(proto_priority)); /* The names OpenSSL uses in tls_require_ciphers are of the form DES-CBC3-SHA, using hyphen separators. GnuTLS uses underscore separators. So that I can use either form for tls_require_ciphers in my tests, and also for general convenience, we turn hyphens into underscores before scanning the list. */ if (expciphers != NULL) { uschar *s = expciphers; while (*s != 0) { if (*s == '-') *s = '_'; s++; } } if ((expciphers != NULL && !set_priority(cipher_priority, sizeof(cipher_priority)/sizeof(int), expciphers, cipher_index, sizeof(cipher_index)/sizeof(pri_item), US"cipher")) || (expmac != NULL && !set_priority(mac_priority, sizeof(mac_priority)/sizeof(int), expmac, mac_index, sizeof(mac_index)/sizeof(pri_item), US"MAC")) || (expkx != NULL && !set_priority(kx_priority, sizeof(kx_priority)/sizeof(int), expkx, kx_index, sizeof(kx_index)/sizeof(pri_item), US"key-exchange")) || (expproto != NULL && !set_priority(proto_priority, sizeof(proto_priority)/sizeof(int), expproto, proto_index, sizeof(proto_index)/sizeof(pri_item), US"protocol"))) { gnutls_deinit(session); return NULL; } /* Define the various priorities */ gnutls_cipher_set_priority(session, cipher_priority); gnutls_compression_set_priority(session, comp_priority); gnutls_kx_set_priority(session, kx_priority); gnutls_protocol_set_priority(session, proto_priority); gnutls_mac_set_priority(session, mac_priority); gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_dh_set_prime_bits(session, DH_BITS); /* Request or demand a certificate of the peer, as configured. This will happen only in a server. */ if (verify_requirement != VERIFY_NONE) gnutls_certificate_server_set_request(session, (verify_requirement == VERIFY_OPTIONAL)? GNUTLS_CERT_REQUEST : GNUTLS_CERT_REQUIRE); gnutls_db_set_cache_expiration(session, ssl_session_timeout); /* Reduce security in favour of increased compatibility, if the admin decides to make that trade-off. */ if (gnutls_compat_mode) { #if LIBGNUTLS_VERSION_NUMBER >= 0x020104 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n"); gnutls_session_enable_compatibility_mode(session); #else DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n"); #endif } DEBUG(D_tls) debug_printf("initialized GnuTLS session\n"); return session; }
int init_ssl_connection(struct socket *socket, const unsigned char *server_name) { #ifdef USE_OPENSSL socket->ssl = SSL_new(context); if (!socket->ssl) return S_SSL_ERROR; if (!SSL_set_ex_data(socket->ssl, socket_SSL_ex_data_idx, socket)) { SSL_free(socket->ssl); socket->ssl = NULL; return S_SSL_ERROR; } /* If the server name is known, pass it to OpenSSL. * * The return value of SSL_set_tlsext_host_name is not * documented. The source shows that it returns 1 if * successful; on error, it calls SSLerr and returns 0. */ if (server_name && !SSL_set_tlsext_host_name(socket->ssl, server_name)) { SSL_free(socket->ssl); socket->ssl = NULL; return S_SSL_ERROR; } #elif defined(CONFIG_GNUTLS) ssl_t *state = mem_alloc(sizeof(ssl_t)); if (!state) return S_SSL_ERROR; if (gnutls_init(state, GNUTLS_CLIENT) < 0) { /* DBG("sslinit %s", gnutls_strerror(ret)); */ mem_free(state); return S_SSL_ERROR; } if (gnutls_cred_set(*state, GNUTLS_CRD_ANON, anon_cred) < 0) { /* DBG("sslanoncred %s", gnutls_strerror(ret)); */ gnutls_deinit(*state); mem_free(state); return S_SSL_ERROR; } if (gnutls_cred_set(*state, GNUTLS_CRD_CERTIFICATE, xcred) < 0) { /* DBG("sslx509cred %s", gnutls_strerror(ret)); */ gnutls_deinit(*state); mem_free(state); return S_SSL_ERROR; } #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT /* Disable OpenPGP certificates because they are not widely * used and ELinks does not yet support verifying them. * Besides, in GnuTLS < 2.4.0, they require the gnutls-extra * library, whose GPLv3+ is not compatible with GPLv2 of * ELinks. * * Disable TLS1.1 because https://bugzilla.novell.com/ does * not reply to it and leaves the connection open so that * ELinks does not detect an SSL error but rather times out. * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528661#25 * * There is another gnutls_priority_set_direct call elsewhere * in ELinks. If you change the priorities here, please check * whether that one needs to be changed as well. */ if (gnutls_priority_set_direct(*state, "NORMAL:-CTYPE-OPENPGP:-VERS-TLS1.1", NULL)) { gnutls_deinit(*state); mem_free(state); return S_SSL_ERROR; } #else gnutls_set_default_priority(*state); #endif #if 0 /* Deprecated functions */ /* gnutls_handshake_set_private_extensions(*state, 1); */ gnutls_cipher_set_priority(*state, cipher_priority); gnutls_kx_set_priority(*state, kx_priority); /* gnutls_certificate_type_set_priority(*state, cert_type_priority); */ #endif if (server_name && gnutls_server_name_set(*state, GNUTLS_NAME_DNS, server_name, strlen(server_name))) { gnutls_deinit(*state); mem_free(state); return S_SSL_ERROR; } socket->ssl = state; #endif return S_OK; }
int main(void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; /* Need to enable anonymous KX specifically. */ const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_global_init(); gnutls_anon_allocate_client_credentials(&anoncred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority(session); gnutls_kx_set_priority(session, kx_prio); /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); /* connect to the peer */ sd = tcp_connect(); gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake(session); if(ret < 0) { fprintf(stderr, "*** Handshake failed\n"); gnutls_perror(ret); goto end; } else { printf("- Handshake was completed\n"); } gnutls_record_send(session, MSG, strlen(MSG)); ret = gnutls_record_recv(session, buffer, MAX_BUF); if(ret == 0) { printf("- Peer has closed the TLS connection\n"); goto end; } else if(ret < 0) { fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)); goto end; } printf("- Received %d bytes: ", ret); for(ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); gnutls_bye(session, GNUTLS_SHUT_RDWR); end: tcp_close(sd); gnutls_deinit(session); gnutls_anon_free_client_credentials(anoncred); gnutls_global_deinit(); return 0; }
void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; /* Need to enable anonymous KX specifically. */ const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; /* variables used in session resuming */ int t; gnutls_datum session_data; gnutls_global_init (); gnutls_anon_allocate_client_credentials (&anoncred); for (t = 0; t < 2; t++) { /* connect 2 times to the server */ /* connect to the peer */ sd = tcp_connect (); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); if (t > 0) { /* if this is not the first time we connect */ gnutls_session_set_data (session, session_data.data, session_data.size); gnutls_free (session_data.data); } gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { success ("client: Handshake was completed\n"); } if (t == 0) { /* the first time we connect */ /* get the session data size */ ret = gnutls_session_get_data2 (session, &session_data); if (ret < 0) fail ("Getting resume data failed\n"); } else { /* the second time we connect */ /* check if we actually resumed the previous session */ if (gnutls_session_is_resumed (session) != 0) { success ("- Previous session was resumed\n"); } else { success ("*** Previous session was NOT resumed\n"); } } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } if (debug) { printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); } gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); } gnutls_anon_free_client_credentials (anoncred); }
/* initializes a gnutls_session_t with some defaults. */ static gnutls_session_t init_tls_session (const char *hostname) { const char *err; gnutls_session_t session; gnutls_init (&session, GNUTLS_CLIENT); if (gnutls_priority_set_direct (session, info.priorities, &err) < 0) { fprintf (stderr, "Syntax error at: %s\n", err); exit (1); } /* allow the use of private ciphersuites. */ if (disable_extensions == 0) { gnutls_handshake_set_private_extensions (session, 1); gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, strlen (hostname)); if (cert_type_priority[0]) gnutls_certificate_type_set_priority (session, cert_type_priority); } if (cipher_priority[0]) gnutls_cipher_set_priority (session, cipher_priority); if (comp_priority[0]) gnutls_compression_set_priority (session, comp_priority); if (kx_priority[0]) gnutls_kx_set_priority (session, kx_priority); if (protocol_priority[0]) gnutls_protocol_set_priority (session, protocol_priority); if (mac_priority[0]) gnutls_mac_set_priority (session, mac_priority); gnutls_dh_set_prime_bits (session, 512); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); if (srp_cred) gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); if (psk_cred) gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); gnutls_certificate_set_verify_function (xcred, cert_verify_callback); gnutls_certificate_set_verify_flags (xcred, 0); /* send the fingerprint */ #ifdef ENABLE_OPENPGP if (fingerprint != 0) gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT); #endif /* use the max record size extension */ if (record_max_size > 0 && disable_extensions == 0) { if (gnutls_record_set_max_size (session, record_max_size) < 0) { fprintf (stderr, "Cannot set the maximum record size to %d.\n", record_max_size); fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n"); exit (1); } } #ifdef ENABLE_OPRFI if (info.opaque_prf_input) gnutls_oprfi_enable_client (session, strlen (info.opaque_prf_input), info.opaque_prf_input); #endif #ifdef ENABLE_SESSION_TICKET if (!info.noticket) gnutls_session_ticket_enable_client (session); #endif return session; }
int vnc_tls_client_setup(struct VncState *vs, int needX509Creds) { static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0}; static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; VNC_DEBUG("Do TLS setup\n"); if (vnc_tls_initialize() < 0) { VNC_DEBUG("Failed to init TLS\n"); vnc_client_error(vs); return -1; } if (vs->tls.session == NULL) { if (gnutls_init(&vs->tls.session, GNUTLS_SERVER) < 0) { vnc_client_error(vs); return -1; } if (gnutls_set_default_priority(vs->tls.session) < 0) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; vnc_client_error(vs); return -1; } if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; vnc_client_error(vs); return -1; } if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; vnc_client_error(vs); return -1; } if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; vnc_client_error(vs); return -1; } if (needX509Creds) { gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd); if (!x509_cred) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; vnc_client_error(vs); return -1; } if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; gnutls_certificate_free_credentials(x509_cred); vnc_client_error(vs); return -1; } if (vs->vd->tls.x509verify) { VNC_DEBUG("Requesting a client certificate\n"); gnutls_certificate_server_set_request (vs->tls.session, GNUTLS_CERT_REQUEST); } } else { gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred(); if (!anon_cred) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; vnc_client_error(vs); return -1; } if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_ANON, anon_cred) < 0) { gnutls_deinit(vs->tls.session); vs->tls.session = NULL; gnutls_anon_free_server_credentials(anon_cred); vnc_client_error(vs); return -1; } } gnutls_transport_set_ptr(vs->tls.session, (gnutls_transport_ptr_t)vs); gnutls_transport_set_push_function(vs->tls.session, vnc_tls_push); gnutls_transport_set_pull_function(vs->tls.session, vnc_tls_pull); } return 0; }
static void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_psk_client_credentials_t pskcred; /* Need to enable anonymous KX specifically. */ const int kx_prio[] = { GNUTLS_KX_PSK, 0 }; const gnutls_datum_t key = { (char *) "DEADBEEF", 8 }; gnutls_global_init (); gnutls_psk_allocate_client_credentials (&pskcred); gnutls_psk_set_client_credentials (pskcred, "test", &key, GNUTLS_PSK_KEY_HEX); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { if (debug) success ("client: Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } if (debug) { printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); } gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_psk_free_client_credentials (pskcred); gnutls_global_deinit (); }
TLSSession_GnuTLS::TLSSession_GnuTLS(shared_ptr <security::cert::certificateVerifier> cv, shared_ptr <TLSProperties> props) : m_certVerifier(cv), m_props(props) { int res; m_gnutlsSession = new gnutls_session; if (gnutls_init(m_gnutlsSession, GNUTLS_CLIENT) != 0) throw std::bad_alloc(); // Sets some default priority on the ciphers, key exchange methods, // macs and compression methods. #ifdef VMIME_HAVE_GNUTLS_PRIORITY_FUNCS gnutls_dh_set_prime_bits(*m_gnutlsSession, 128); if ((res = gnutls_priority_set_direct (*m_gnutlsSession, m_props->getCipherSuite().c_str(), NULL)) != 0) { throwTLSException("gnutls_priority_set_direct", res); } #else // !VMIME_HAVE_GNUTLS_PRIORITY_FUNCS gnutls_set_default_priority(*m_gnutlsSession); // Sets the priority on the certificate types supported by gnutls. // Priority is higher for types specified before others. After // specifying the types you want, you must append a 0. const int certTypePriority[] = { GNUTLS_CRT_X509, 0 }; res = gnutls_certificate_type_set_priority (*m_gnutlsSession, certTypePriority); if (res < 0) { throwTLSException ("gnutls_certificate_type_set_priority", res); } // Sets the priority on the protocol types const int protoPriority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; res = gnutls_protocol_set_priority(*m_gnutlsSession, protoPriority); if (res < 0) { throwTLSException ("gnutls_certificate_type_set_priority", res); } // Priority on the ciphers const int cipherPriority[] = { GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_40, GNUTLS_CIPHER_RC2_40_CBC, GNUTLS_CIPHER_DES_CBC, 0 }; gnutls_cipher_set_priority(*m_gnutlsSession, cipherPriority); // Priority on MACs const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0}; gnutls_mac_set_priority(*m_gnutlsSession, macPriority); // Priority on key exchange methods const int kxPriority[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_ANON_DH, GNUTLS_KX_SRP, GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS, 0 }; gnutls_kx_set_priority(*m_gnutlsSession, kxPriority); // Priority on compression methods const int compressionPriority[] = { GNUTLS_COMP_ZLIB, //GNUTLS_COMP_LZO, GNUTLS_COMP_NULL, 0 }; gnutls_compression_set_priority(*m_gnutlsSession, compressionPriority); #endif // !VMIME_HAVE_GNUTLS_PRIORITY_FUNCS // Initialize credentials gnutls_credentials_set(*m_gnutlsSession, GNUTLS_CRD_ANON, g_gnutlsGlobal.anonCred); gnutls_credentials_set(*m_gnutlsSession, GNUTLS_CRD_CERTIFICATE, g_gnutlsGlobal.certCred); }
void doit (void) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; const gnutls_datum_t p3 = { (char *) pkcs3, strlen (pkcs3) }; static gnutls_dh_params_t dh_params; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; int n, cret = GNUTLS_E_AGAIN; /* Need to enable anonymous KX specifically. */ const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; char buffer[MAX_BUF + 1]; ssize_t ns; int ret; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); /* Init server */ gnutls_anon_allocate_server_credentials (&s_anoncred); gnutls_dh_params_init (&dh_params); gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params (s_anoncred, dh_params); gnutls_init (&server, GNUTLS_SERVER); gnutls_set_default_priority (server); gnutls_kx_set_priority (server, kx_prio); gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred); gnutls_dh_set_prime_bits (server, 1024); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_session_set_finished_function (server, server_finished_callback); /* Init client */ gnutls_anon_allocate_client_credentials (&c_anoncred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_set_default_priority (client); gnutls_kx_set_priority (client, kx_prio); gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_session_set_finished_function (client, client_finished_callback); do { if (cret == GNUTLS_E_AGAIN) { if (debug) success ("loop invoking client:\n"); cret = gnutls_handshake (client); if (debug) success ("client %d: %s\n", cret, gnutls_strerror (cret)); } if (sret == GNUTLS_E_AGAIN) { if (debug) success ("loop invoking server:\n"); sret = gnutls_handshake (server); if (debug) success ("server %d: %s\n", sret, gnutls_strerror (sret)); } } while (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN); if (debug) success ("Handshake established\n"); ns = gnutls_record_send (client, MSG, strlen (MSG)); if (debug) success ("client: sent %d\n", (int) ns); ret = gnutls_record_recv (server, buffer, MAX_BUF); if (ret == 0) fail ("server: didn't receive any data\n"); else if (ret < 0) fail ("server: error: %s\n", gnutls_strerror (ret)); else if (debug) { printf ("server: received %d: ", ret); for (n = 0; n < ret; n++) fputc (buffer[n], stdout); fputs ("\n", stdout); } ns = gnutls_record_send (server, MSG, strlen (MSG)); if (debug) success ("server: sent %d\n", (int) ns); ret = gnutls_record_recv (client, buffer, MAX_BUF); if (ret == 0) { fail ("client: Peer has closed the TLS connection\n"); } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); } else if (debug) { printf ("client: received %d: ", ret); for (n = 0; n < ret; n++) fputc (buffer[n], stdout); fputs ("\n", stdout); } gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); free (to_server); free (to_client); gnutls_anon_free_client_credentials (c_anoncred); gnutls_anon_free_server_credentials (s_anoncred); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); }