int SSL_accept (SSL * ssl) { X509_STORE_CTX *store; int cert_list_size = 0; int err; char x_priority[256]; /* take options into account before connecting */ memset (x_priority, 0, sizeof (x_priority)); if (ssl->options & SSL_OP_NO_TLSv1) { snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string); err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL); if (err < 0) { last_error = err; return 0; } } /* FIXME: dh params, do we want client cert? */ err = gnutls_handshake (ssl->gnutls_state); ssl->last_error = err; if (err < 0) { last_error = err; return 0; } store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX)); store->ssl = ssl; store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state, &cert_list_size); if (ssl->verify_callback) { ssl->verify_callback (1 /*FIXME*/, store); } ssl->state = SSL_ST_OK; err = store->error; free (store); /* FIXME: deal with error from callback */ return 1; }
static void client(int fd) { int ret; gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; gnutls_certificate_allocate_credentials(&x509_cred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL)>=0); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); }
gboolean xfce_mailwatch_net_conn_make_secure(XfceMailwatchNetConn *net_conn, GError **error) { g_return_val_if_fail(net_conn && (!error || !*error), FALSE); g_return_val_if_fail(net_conn->fd != -1, FALSE); g_return_val_if_fail(!net_conn->is_secure, TRUE); #ifdef HAVE_SSL_SUPPORT /* init the x509 cert */ gnutls_certificate_allocate_credentials(&net_conn->gt_creds); gnutls_certificate_set_x509_trust_file(net_conn->gt_creds, GNUTLS_CA_FILE, GNUTLS_X509_FMT_PEM); /* init the session and set it up */ gnutls_init(&net_conn->gt_session, GNUTLS_CLIENT); gnutls_priority_set_direct (net_conn->gt_session, "NORMAL", NULL); gnutls_credentials_set(net_conn->gt_session, GNUTLS_CRD_CERTIFICATE, net_conn->gt_creds); gnutls_transport_set_ptr(net_conn->gt_session, (gnutls_transport_ptr_t)net_conn->fd); #if GNUTLS_VERSION_NUMBER < 0x020c00 if(fcntl(net_conn->fd, F_GETFL) & O_NONBLOCK) gnutls_transport_set_lowat(net_conn->gt_session, 0); #endif if(!xfce_mailwatch_net_conn_tls_handshake(net_conn, error)) { #if 0 gnutls_bye(net_conn->gt_session, GNUTLS_SHUT_RDWR); #endif gnutls_deinit(net_conn->gt_session); gnutls_certificate_free_credentials(net_conn->gt_creds); return FALSE; } net_conn->is_secure = TRUE; return TRUE; #else if(error) { g_set_error(error, XFCE_MAILWATCH_ERROR, 0, _("Not compiled with SSL/TLS support")); } g_critical("XfceMailwatch: TLS handshake failed: not compiled with SSL support."); return FALSE; #endif }
static void client(int fd) { int ret; gnutls_certificate_credentials_t xcred; gnutls_session_t session; global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&xcred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); gnutls_handshake_set_timeout(session, 20 * 1000); /* Use default priorities */ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA:%COMPAT", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_transport_set_int(session, fd); gnutls_transport_set_push_function(session, odd_push); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret >= 0) { fail("client: Handshake succeeded!\n"); exit(1); } close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); }
int main (void) { /* credentials */ gnutls_anon_client_credentials_t c_anoncred; gnutls_certificate_credentials_t c_certcred; gnutls_session_t client; int sd; /* General init. */ gnutls_global_init (); ecore_init(); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (6); /* Init client */ gnutls_anon_allocate_client_credentials (&c_anoncred); gnutls_certificate_allocate_credentials (&c_certcred); gnutls_init (&client, GNUTLS_CLIENT); /* set very specific priorities */ gnutls_priority_set_direct(client, "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0", NULL); gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, c_certcred); gnutls_server_name_set(client, GNUTLS_NAME_DNS, "www.verisign.com", strlen("www.verisign.com")); /* connect to the peer */ sd = tcp_connect (); /* associate gnutls with socket */ gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t) sd); /* add a callback for data being available for send/receive on socket */ if (!ecore_main_fd_handler_add(sd, ECORE_FD_READ | ECORE_FD_WRITE, (Ecore_Fd_Cb)_process_data, client, NULL, NULL)) { print("could not create fd handler!"); exit(1); } /* begin main loop */ ecore_main_loop_begin(); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_deinit (client); tcp_close (sd); return 0; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set_direct (session, "NORMAL:+ANON-DH", NULL); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); return session; }
static gnutls_session_t initialize_tls_session(const char *prio) { gnutls_session_t session; gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, prio, NULL); gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); return session; }
SSL * SSL_new (SSL_CTX * ctx) { SSL *ssl; int err; ssl = (SSL *) calloc (1, sizeof (SSL)); if (!ssl) return NULL; err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred); if (err < 0) { last_error = err; free (ssl); return NULL; } gnutls_init (&ssl->gnutls_state, ctx->method->connend); gnutls_priority_set_direct (ssl->gnutls_state, ctx->method->priority_string, NULL); gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, ssl->gnutls_cred); if (ctx->certfile) gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred, ctx->certfile, ctx->certfile_type); if (ctx->keyfile) gnutls_certificate_set_x509_key_file (ssl->gnutls_cred, ctx->certfile, ctx->keyfile, ctx->keyfile_type); ssl->ctx = ctx; ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback; ssl->options = ctx->options; ssl->rfd = (gnutls_transport_ptr_t) - 1; ssl->wfd = (gnutls_transport_ptr_t) - 1; ssl->ssl_peek_buffer = NULL; ssl->ssl_peek_buffer_size = ssl->ssl_peek_avail = 0; return ssl; }
static gnutls_session_t initialize_tls_session(void) { gnutls_session_t session; gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND); gnutls_dtls_set_mtu(session, 1500); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); return session; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER|GNUTLS_DATAGRAM); gnutls_dtls_set_mtu( session, 1500); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct (session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); return session; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set_direct (session, "NORMAL", NULL); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits (session, DH_BITS); return session; }
static gnutls_session_t new_tls_session(int sock) { int ret; gnutls_session_t session; const char *err; #if defined LIBGNUTLS_VERSION_MAJOR && LIBGNUTLS_VERSION_MAJOR >= 3 # define TLS_DH_STR "+ANON-ECDH:+ANON-DH" #else # define TLS_DH_STR "+ANON-DH" #endif #ifdef GNUTLS_SRP_ENABLED const char *pstring = "NORMAL:+SRP:+SRP-DSS:+SRP-RSA:" TLS_DH_STR; #else const char *pstring = "NORMAL:" TLS_DH_STR; #endif gnutls_init(&session, GNUTLS_SERVER); gnutls_set_default_priority(session); ret = gnutls_priority_set_direct(session, pstring, &err); if (ret < 0) { fprintf(stderr, "TLS priority syntax error at: %s\n", err); return NULL; } #ifdef GNUTLS_SRP_ENABLED gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred); gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); #endif gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_ptr(session, fd_to_ptr(sock)); gnutls_transport_set_pull_function(session, tls_pull); gnutls_transport_set_push_function(session, tls_push); ret = gnutls_handshake(session); if ( ret < 0 ) { fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret)); gnutls_alert_send_appropriate(session, ret); return NULL; } return session; }
bool GnuTLSClientAnon::init( const std::string&, const std::string&, const StringList& ) { if( m_initLib && gnutls_global_init() != 0 ) return false; if( gnutls_anon_allocate_client_credentials( &m_anoncred ) < 0 ) return false; if( gnutls_init( m_session, GNUTLS_CLIENT ) != 0 ) return false; #if GNUTLS_VERSION_NUMBER >= 0x020600 int ret = gnutls_priority_set_direct( *m_session, "SECURE128:+PFS:+COMP-ALL:+VERS-TLS-ALL:-VERS-SSL3.0:+SIGN-ALL:+CURVE-ALL", 0 ); if( ret != GNUTLS_E_SUCCESS ) return false; #else const int protocolPriority[] = { #ifdef GNUTLS_TLS1_2 GNUTLS_TLS1_2, #endif GNUTLS_TLS1_1, GNUTLS_TLS1, 0 }; const int protocolPriority[] = { GNUTLS_TLS1, 0 }; const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 }; const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 }; const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; gnutls_protocol_set_priority( *m_session, protocolPriority ); gnutls_cipher_set_priority( *m_session, cipherPriority ); gnutls_compression_set_priority( *m_session, compPriority ); gnutls_kx_set_priority( *m_session, kxPriority ); gnutls_mac_set_priority( *m_session, macPriority ); #endif gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred ); gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this ); gnutls_transport_set_push_function( *m_session, pushFunc ); gnutls_transport_set_pull_function( *m_session, pullFunc ); m_valid = true; return true; }
static int rfbssl_init_session(struct rfbssl_ctx *ctx, int fd) { gnutls_session_t session; int ret; if (!GNUTLS_E_SUCCESS == (ret = gnutls_init(&session, GNUTLS_SERVER))) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_priority_set_direct(session, "EXPORT", NULL))) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred))) { /* */ } else { gnutls_session_enable_compatibility_mode(session); gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)fd); ctx->session = session; } return ret; }
int setup_session (gnutls_session_t * session, gnutls_datum_t * key, gnutls_datum_t * cert, gnutls_certificate_credentials_t * xcred) { int ret; const char *err_pos; gnutls_certificate_allocate_credentials (xcred); key->size = strlen (srv_key_pem) + 1; key->data = malloc (key->size); if (NULL == key->data) { gnutls_certificate_free_credentials (*xcred); return -1; } memcpy (key->data, srv_key_pem, key->size); cert->size = strlen (srv_self_signed_cert_pem) + 1; cert->data = malloc (cert->size); if (NULL == cert->data) { gnutls_certificate_free_credentials (*xcred); free (key->data); return -1; } memcpy (cert->data, srv_self_signed_cert_pem, cert->size); gnutls_certificate_set_x509_key_mem (*xcred, cert, key, GNUTLS_X509_FMT_PEM); gnutls_init (session, GNUTLS_CLIENT); ret = gnutls_priority_set_direct (*session, "NORMAL", &err_pos); if (ret < 0) { gnutls_deinit (*session); gnutls_certificate_free_credentials (*xcred); free (key->data); return -1; } gnutls_credentials_set (*session, GNUTLS_CRD_CERTIFICATE, *xcred); return 0; }
void TLSClient::init ( const std::string& ca, const std::string& cert, const std::string& key) { _ca = ca; _cert = cert; _key = key; gnutls_global_init (); gnutls_certificate_allocate_credentials (&_credentials); if (_ca != "" && gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CA file."); if (_cert != "" && _key != "" && gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CERT file."); #if GNUTLS_VERSION_NUMBER >= 0x02090a gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif gnutls_init (&_session, GNUTLS_CLIENT); // Use default priorities unless overridden. if (_ciphers == "") _ciphers = "NORMAL"; const char *err; int ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err); if (ret < 0) { if (_debug && ret == GNUTLS_E_INVALID_REQUEST) std::cout << "c: ERROR Priority error at: " << err << "\n"; throw std::string ("Error initializing TLS."); } // Apply the x509 credentials to the current session. gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials); }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set_direct (session, "NORMAL:+SRP:+SRP-DSS:+SRP-RSA", NULL); gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); /* for the certificate authenticated ciphersuites. */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE); return session; }
gnutls_session_t context::session(context *ctx) { SSL ssl = NULL; if(ctx && ctx->xcred && ctx->err() == secure::OK) { gnutls_init(&ssl, ctx->connect); switch(ctx->connect) { case GNUTLS_CLIENT: gnutls_priority_set_direct(ssl, "PERFORMANCE", NULL); break; case GNUTLS_SERVER: gnutls_priority_set(ssl, context::priority_cache); gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST); gnutls_session_enable_compatibility_mode(ssl); default: break; } gnutls_credentials_set(ssl, ctx->xtype, ctx->xcred); } return ssl; }
/* Refuse to negotiate TLS 1.0 and later protocols on @socket->ssl. * Without this, connecting to <https://www-s.uiuc.edu/> with GnuTLS * 1.3.5 would result in an SSL error. The bug may be in the server * (Netscape-Enterprise/3.6 SP3), in GnuTLS, or in ELinks; please log * your findings to ELinks bug 712. */ static void ssl_set_no_tls(struct socket *socket) { #ifdef CONFIG_OPENSSL ((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1; #elif defined(CONFIG_GNUTLS) /* There is another gnutls_priority_set_direct call elsewhere * in ELinks. If you change the priorities here, please check * whether that one needs to be changed as well. * * GnuTLS 2.12.x is said to support "-VERS-TLS-ALL" too, but * that version hasn't yet been released as of May 2011. */ gnutls_priority_set_direct(*(ssl_t *) socket->ssl, "SECURE:-CTYPE-OPENPGP" ":+VERS-SSL3.0:-VERS-TLS1.0" ":-VERS-TLS1.1:-VERS-TLS1.2" ":%SSL3_RECORD_VERSION", NULL); #endif }
bool CTlsSocket::InitSession() { if (!m_certCredentials) { Uninit(); return false; } int res = gnutls_init(&m_session, GNUTLS_CLIENT); if (res) { LogError(res, _T("gnutls_init")); Uninit(); return false; } // For use in callbacks gnutls_session_set_ptr(m_session, this); // Even though the name gnutls_db_set_cache_expiration // implies expiration of some cache, it also governs // the actual session lifetime, independend whether the // session is cached or not. gnutls_db_set_cache_expiration(m_session, 100000000); res = gnutls_priority_set_direct(m_session, ciphers, 0); if (res) { LogError(res, _T("gnutls_priority_set_direct")); Uninit(); return false; } gnutls_dh_set_prime_bits(m_session, 1024); gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials); // Setup transport functions gnutls_transport_set_push_function(m_session, PushFunction); gnutls_transport_set_pull_function(m_session, PullFunction); gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this); return true; }
static gnutls_session_t initialize_tls_session(void) { gnutls_session_t session; gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. Moved to later on to be able to test re-handshakes. gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); */ gnutls_dh_set_prime_bits(session, DH_BITS); return session; }
static gnutls_session_t initialize_tls_session(void) { gnutls_session_t session; gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits(session, DH_BITS); return session; }
static int tls_gnutls_init_session(struct tls_global *global, struct tls_connection *conn) { const char *err; int ret; ret = gnutls_init(&conn->session, global->server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (ret < 0) { wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS " "connection: %s", gnutls_strerror(ret)); return -1; } ret = gnutls_set_default_priority(conn->session); if (ret < 0) goto fail; ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0", &err); if (ret < 0) { wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at " "'%s'", err); goto fail; } gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr_t) conn); gnutls_session_set_ptr(conn->session, conn); return 0; fail: wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s", gnutls_strerror(ret)); gnutls_deinit(conn->session); return -1; }
static void ekg_gnutls_new_session( GSocketClient *sockclient, GSocketConnection *sock, struct ekg_connection_starter *cs) { gnutls_session_t s; gnutls_certificate_credentials_t cred; struct ekg_gnutls_connection *conn = g_slice_new(struct ekg_gnutls_connection); struct ekg_gnutls_connection_starter *gcs = g_slice_new(struct ekg_gnutls_connection_starter); g_assert(!gnutls_certificate_allocate_credentials(&cred)); g_assert(!gnutls_init(&s, GNUTLS_CLIENT)); g_assert(!gnutls_priority_set_direct(s, "PERFORMANCE", NULL)); /* XXX */ g_assert(!gnutls_credentials_set(s, GNUTLS_CRD_CERTIFICATE, cred)); gnutls_transport_set_pull_function(s, ekg_gnutls_pull); gnutls_transport_set_push_function(s, ekg_gnutls_push); gnutls_transport_set_ptr(s, conn); gcs->parent = cs; gcs->conn = conn; gcs->sockclient = sockclient; conn->session = s; conn->cred = cred; conn->connection_error = NULL; conn->connection = get_connection_by_outstream( ekg_connection_add( sock, g_io_stream_get_input_stream(G_IO_STREAM(sock)), g_io_stream_get_output_stream(G_IO_STREAM(sock)), ekg_gnutls_handle_handshake_input, ekg_gnutls_handle_handshake_failure, gcs) ); g_assert(conn->connection); ekg_gnutls_async_handshake(gcs); }
int main(int argc, char *argv[]) { gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; global_init(); gnutls_anon_allocate_client_credentials(&c_anoncred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_priority_set_direct(client, "NORMAL", NULL); /* Test setting the same credential type twice. Earlier GnuTLS had a bug that crashed when this happened. */ gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); gnutls_deinit(client); gnutls_anon_free_client_credentials(c_anoncred); gnutls_global_deinit(); return 0; }
static void client(int fd, unsigned tickets) { int ret; gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; char buf[64]; unsigned try = 0; gnutls_datum_t session_data = {NULL, 0}; global_init(); tickets_seen = 0; if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(7); } assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); retry: /* Initialize TLS session */ assert(gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_POST_HANDSHAKE_AUTH)>=0); gnutls_handshake_set_timeout(session, 20 * 1000); ret = gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.0", NULL); if (ret < 0) fail("cannot set TLS 1.3 priorities\n"); if (try == 0) { gnutls_session_set_ptr(session, &session_data); gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_BOTH, ticket_callback); } else {
/** * gnutls_set_default_export_priority: * @session: is a #gnutls_session_t structure. * * Sets some default priority on the ciphers, key exchange methods, macs * and compression methods. This function also includes weak algorithms. * * This is the same as calling: * * gnutls_priority_set_direct (session, "EXPORT", NULL); * * This function is kept around for backwards compatibility, but * because of its wide use it is still fully supported. If you wish * to allow users to provide a string that specify which ciphers to * use (which is recommended), you should use * gnutls_priority_set_direct() or gnutls_priority_set() instead. * * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ int gnutls_set_default_export_priority(gnutls_session_t session) { return gnutls_priority_set_direct(session, "EXPORT", NULL); }
int main (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; const char *err; gnutls_certificate_credentials_t xcred; gnutls_global_init (); /* X509 stuff */ gnutls_certificate_allocate_credentials (&xcred); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM); /* Use default priorities */ ret = gnutls_priority_set_direct (session, "NORMAL", &err); if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf (stderr, "Syntax error at: %s\n", err); } exit (1); } /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ sd = udp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* set the connection MTU */ gnutls_dtls_set_mtu (session, 1000); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); /* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS * connections because the peer's closure message might * be lost */ gnutls_bye (session, GNUTLS_SHUT_WR); end: udp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_global_deinit (); return 0; }
/** * gnutls_set_default_priority: * @session: is a #gnutls_session_t structure. * * Sets some default priority on the ciphers, key exchange methods, * macs and compression methods. * * This is the same as calling: * * gnutls_priority_set_direct (session, "NORMAL", NULL); * * This function is kept around for backwards compatibility, but * because of its wide use it is still fully supported. If you wish * to allow users to provide a string that specify which ciphers to * use (which is recommended), you should use * gnutls_priority_set_direct() or gnutls_priority_set() instead. * * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ int gnutls_set_default_priority(gnutls_session_t session) { return gnutls_priority_set_direct(session, "NORMAL", NULL); }
static void test_success2(const char *name, const char *prio) { int ret; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; gnutls_x509_crt_t *crts; unsigned int crts_size; unsigned i; gnutls_x509_privkey_t pkey; unsigned status; success("testing cert verification success2 for %s\n", name); to_server_len = 0; to_client_len = 0; ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_privkey_init(&pkey); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_privkey_import(pkey, &server_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key(serverx509cred, crts, crts_size, pkey); gnutls_x509_privkey_deinit(pkey); for (i=0;i<crts_size;i++) gnutls_x509_crt_deinit(crts[i]); gnutls_free(crts); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); assert(gnutls_priority_set_direct(server, prio, NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); /* Init client */ /* Init client */ ret = gnutls_certificate_allocate_credentials(&clientx509cred); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_key_mem(clientx509cred, &cli_cert, &cli_key, GNUTLS_X509_FMT_PEM); ret = gnutls_init(&client, GNUTLS_CLIENT); if (ret < 0) exit(1); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) exit(1); assert(gnutls_priority_set_direct(client, prio, NULL)>=0); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); gnutls_session_set_verify_cert(client, "localhost", 0); HANDSHAKE(client, server); status = gnutls_session_get_verify_cert_status(client); if (status != 0) { fail("%s: should have accepted: %u!\n", __func__, status); exit(1); } gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); }