static void init_global_tls_stuff (void) { int ret; /* X509 stuff */ if (gnutls_certificate_allocate_credentials (&xcred) < 0) { fprintf (stderr, "Certificate allocation memory error\n"); exit (1); } if (x509_cafile != NULL) { ret = gnutls_certificate_set_x509_trust_file (xcred, x509_cafile, x509ctype); if (ret < 0) { fprintf (stderr, "Error setting the x509 trust file\n"); } else { printf ("Processed %d CA certificate(s).\n", ret); } } #ifdef ENABLE_PKI if (x509_crlfile != NULL) { ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile, x509ctype); if (ret < 0) { fprintf (stderr, "Error setting the x509 CRL file\n"); } else { printf ("Processed %d CRL(s).\n", ret); } } #endif load_keys (); #ifdef ENABLE_OPENPGP if (pgp_keyring != NULL) { ret = gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring, GNUTLS_OPENPGP_FMT_BASE64); if (ret < 0) { fprintf (stderr, "Error setting the OpenPGP keyring file\n"); } } #endif #ifdef ENABLE_SRP if (srp_username && srp_passwd) { /* SRP stuff */ if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0) { fprintf (stderr, "SRP authentication error\n"); } gnutls_srp_set_client_credentials_function (srp_cred, srp_username_callback); } #endif #ifdef ENABLE_PSK /* PSK stuff */ if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0) { fprintf (stderr, "PSK authentication error\n"); } if (psk_username && psk_key.data) { ret = gnutls_psk_set_client_credentials (psk_cred, psk_username, &psk_key, GNUTLS_PSK_KEY_HEX); if (ret < 0) { fprintf (stderr, "Error setting the PSK credentials: %s\n", gnutls_strerror (ret)); } } gnutls_psk_set_client_credentials_function (psk_cred, psk_callback); #endif #ifdef ENABLE_ANON /* ANON stuff */ if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0) { fprintf (stderr, "Anonymous authentication error\n"); } #endif }
int main (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; const char *err; gnutls_psk_client_credentials_t pskcred; const gnutls_datum_t key = { (char *) "DEADBEEF", 8 }; gnutls_global_init (); gnutls_psk_allocate_client_credentials (&pskcred); gnutls_psk_set_client_credentials (pskcred, "test", &key, GNUTLS_PSK_KEY_HEX); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err); if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf (stderr, "Syntax error at: %s\n", err); } exit (1); } /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_psk_free_client_credentials (pskcred); gnutls_global_deinit (); return 0; }
/** * Establish a DTLS connection using gnutls library * @see #dtls_connec */ int dtls_gnutls_connect(struct conn *conn) { int rc; char sock_buf[SOCK_ADDR_BUFSIZE]; struct dtls_gnutls_data *d; gnutls_datum_t key; d = dtls_gnutls_data_create(conn, GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK); if (!d) return 0; /*// gnutls_dh_set_prime_bits(d->session, 512);*/ /*#if GNUTLS_VERSION_NUMBER >= 0x030100 gnutls_handshake_set_timeout(d->session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); gnutls_dtls_set_data_mtu(d->session, 1500); #endif gnutls_dtls_set_mtu(d->session, 1500); */ /* if (conn->dtls_psk != NULL){ key.data=(unsigned char*)conn->dtls_psk; key.size=strlen(conn->dtls_psk); rc = gnutls_credentials_set(d->session, GNUTLS_CRD_PSK, &key); if (rc<0) { cw_log(LOG_ERR, "DTLS - Can't set x.509 credentials: %s", gnutls_strerror(rc)); dtls_gnutls_data_destroy(d); return 0; } } */ if (conn->dtls_psk_enable){ gnutls_psk_client_credentials_t cred; rc = gnutls_psk_allocate_client_credentials(&cred); if (rc != 0) { cw_dbg(DBG_DTLS,"gnutls_psk_allocate_client_credentials() failed.\n"); return 0; } key.size = bstr16_len(conn->dtls_psk); key.data = bstr16_data(conn->dtls_psk); /* Put the username and key into the structure we use to tell GnuTLs what // the credentials are. The example server doesn't care about usernames, so // we use "Alice" here.*/ rc = gnutls_psk_set_client_credentials(cred, "Alice", &key, GNUTLS_PSK_KEY_RAW); rc = gnutls_credentials_set(d->session, GNUTLS_CRD_PSK, cred); if (rc != 0) { cw_log(LOG_ERR,"gnutls_credentials_set() failed."); } } cw_dbg(DBG_DTLS,"Starting handshake"); do { rc = gnutls_handshake(d->session); } while (rc == GNUTLS_E_AGAIN); if (rc < 0) { cw_log(LOG_ERR, "DTLS (gnutls) Can't connect to %s: %s", sock_addr2str(&conn->addr,sock_buf), gnutls_strerror(rc)); return 0; } cw_dbg(DBG_DTLS, "Handshake with %s successful", sock_addr2str(&conn->addr,sock_buf)); conn->dtls_data = d; conn->read = dtls_gnutls_read; conn->write = dtls_gnutls_write; return 1; }
static void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_psk_client_credentials_t pskcred; const gnutls_datum_t key = { (char *) "DEADBEEF", 8 }; gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); // if (debug) // gnutls_global_set_log_level (99); gnutls_psk_allocate_client_credentials (&pskcred); gnutls_psk_set_client_credentials (pskcred, "test", &key, GNUTLS_PSK_KEY_HEX); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); /* put the anonymous credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { if (debug) success ("client: Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } if (debug) { printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) fputc (buffer[ii], stdout); fputs ("\n", stdout); } gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_psk_free_client_credentials (pskcred); gnutls_global_deinit (); }
int main(void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; const char *err; gnutls_psk_client_credentials_t pskcred; const gnutls_datum_t key = { (void *) "DEADBEEF", 8 }; CHECK(gnutls_global_init()); CHECK(gnutls_psk_allocate_client_credentials(&pskcred)); CHECK(gnutls_psk_set_client_credentials(pskcred, "test", &key, GNUTLS_PSK_KEY_HEX)); /* Initialize TLS session */ CHECK(gnutls_init(&session, GNUTLS_CLIENT)); /* Use default priorities */ ret = gnutls_priority_set_direct(session, "PERFORMANCE:+ECDHE-PSK:+DHE-PSK:+PSK", &err); if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf(stderr, "Syntax error at: %s\n", err); } exit(1); } /* put the x509 credentials to the current session */ CHECK(gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred)); /* connect to the peer */ sd = tcp_connect(); gnutls_transport_set_int(session, sd); gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fprintf(stderr, "*** Handshake failed\n"); gnutls_perror(ret); goto end; } else { char *desc; desc = gnutls_session_get_desc(session); printf("- Session info: %s\n", desc); gnutls_free(desc); } CHECK(gnutls_record_send(session, MSG, strlen(MSG))); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { printf("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)); goto end; } if (ret > 0) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR)); end: tcp_close(sd); gnutls_deinit(session); gnutls_psk_free_client_credentials(pskcred); gnutls_global_deinit(); return 0; }
static void init_global_tls_stuff (void) { int ret; if ((ret = gnutls_global_init ()) < 0) { fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (debug); if ((ret = gnutls_global_init_extra ()) < 0) { fprintf (stderr, "global_init_extra: %s\n", gnutls_strerror (ret)); // exit (1); } /* X509 stuff */ if (gnutls_certificate_allocate_credentials (&xcred) < 0) { fprintf (stderr, "Certificate allocation memory error\n"); exit (1); } /* there are some CAs that have a v1 certificate *%&@#*%& */ gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); if (x509_cafile != NULL) { ret = gnutls_certificate_set_x509_trust_file (xcred, x509_cafile, x509ctype); if (ret < 0) { fprintf (stderr, "Error setting the x509 trust file\n"); } else { printf ("Processed %d CA certificate(s).\n", ret); } } #ifdef ENABLE_PKI if (x509_crlfile != NULL) { ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile, x509ctype); if (ret < 0) { fprintf (stderr, "Error setting the x509 CRL file\n"); } else { printf ("Processed %d CRL(s).\n", ret); } } #endif load_keys (); #ifdef ENABLE_OPENPGP if (pgp_keyring != NULL) { ret = gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring); if (ret < 0) { fprintf (stderr, "Error setting the OpenPGP keyring file\n"); } } if (pgp_trustdb != NULL) { ret = gnutls_certificate_set_openpgp_trustdb (xcred, pgp_trustdb); if (ret < 0) { fprintf (stderr, "Error setting the OpenPGP trustdb file\n"); } } #endif #ifdef ENABLE_SRP /* SRP stuff */ if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0) { fprintf (stderr, "SRP authentication error\n"); } gnutls_srp_set_client_credentials_function (srp_cred, srp_username_callback); #endif #ifdef ENABLE_PSK /* SRP stuff */ if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0) { fprintf (stderr, "PSK authentication error\n"); } gnutls_psk_set_client_credentials (psk_cred, psk_username, &psk_key, GNUTLS_PSK_KEY_HEX); #endif #ifdef ENABLE_ANON /* ANON stuff */ if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0) { fprintf (stderr, "Anonymous authentication error\n"); } #endif }
static void client(int sd, const char *prio) { int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_psk_client_credentials_t pskcred; /* Need to enable anonymous KX specifically. */ const gnutls_datum_t key = { (void *) "DEADBEEF", 8 }; const char *hint; global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); side = "client"; gnutls_psk_allocate_client_credentials(&pskcred); gnutls_psk_set_client_credentials(pskcred, "test", &key, GNUTLS_PSK_KEY_HEX); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_priority_set_direct(session, prio, NULL); /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred); gnutls_transport_set_int(session, sd); /* Perform the TLS handshake */ ret = gnutls_handshake(session); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); goto end; } else { if (debug) success("client: Handshake was completed\n"); } /* check the hint */ hint = gnutls_psk_client_get_hint(session); if (hint == NULL || strcmp(hint, "hint") != 0) { fail("client: hint is not the expected: %s\n", gnutls_psk_client_get_hint(session)); goto end; } gnutls_record_send(session, MSG, strlen(MSG)); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail("client: Error: %s\n", gnutls_strerror(ret)); goto end; } if (debug) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } gnutls_bye(session, GNUTLS_SHUT_RDWR); end: close(sd); gnutls_deinit(session); gnutls_psk_free_client_credentials(pskcred); gnutls_global_deinit(); }
static void SetupNewSession(int index, NetworkAddress * networkAddress, bool client) { DTLS_Session * session = &sessions[index]; session->NetworkAddress = networkAddress; unsigned int flags; #if GNUTLS_VERSION_MAJOR >= 3 if (client) flags = GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK; else flags = GNUTLS_SERVER | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK; #else if (client) flags = GNUTLS_CLIENT; else flags = GNUTLS_SERVER; #endif if (gnutls_init(&session->Session, flags) == GNUTLS_E_SUCCESS) { gnutls_transport_set_pull_function(session->Session, DecryptCallBack); gnutls_transport_set_push_function(session->Session, SSLSendCallBack); #if GNUTLS_VERSION_MAJOR >= 3 gnutls_transport_set_pull_timeout_function(session->Session, ReceiveTimeout); #endif gnutls_transport_set_ptr(session->Session, session); if (certificate || !pskIdentity) { if (_CertCredentials) { gnutls_credentials_set(session->Session, GNUTLS_CRD_CERTIFICATE, _CertCredentials); } else if (gnutls_certificate_allocate_credentials(&_CertCredentials) == GNUTLS_E_SUCCESS) { if (certificate) { gnutls_datum_t certificateData; certificateData.data = certificate; certificateData.size = certificateLength; int format = GNUTLS_X509_FMT_PEM; if (certificateFormat == AwaCertificateFormat_ASN1) format = GNUTLS_X509_FMT_DER; // if (client) // gnutls_certificate_set_x509_trust_mem(session->Credentials, &certificateData, format); // else gnutls_certificate_set_x509_key_mem(_CertCredentials, &certificateData, &certificateData, format); } #if GNUTLS_VERSION_MAJOR >= 3 gnutls_certificate_set_verify_function(_CertCredentials, CertificateVerify); //gnutls_certificate_set_retrieve_function(xcred, cert_callback); //gnutls_session_set_verify_cert(session->Session, NULL, GNUTLS_VERIFY_DISABLE_CA_SIGN); #else gnutls_certificate_set_verify_flags(_CertCredentials, GNUTLS_VERIFY_DISABLE_CA_SIGN); #endif gnutls_credentials_set(session->Session, GNUTLS_CRD_CERTIFICATE, _CertCredentials); } } else if (pskIdentity) { if (client) { gnutls_psk_client_credentials_t credentials; if (gnutls_psk_allocate_client_credentials(&credentials) == GNUTLS_E_SUCCESS) { if (gnutls_psk_set_client_credentials(credentials, pskIdentity, &pskKey, GNUTLS_PSK_KEY_RAW) == GNUTLS_E_SUCCESS) { gnutls_credentials_set(session->Session, GNUTLS_CRD_PSK, credentials); session->Credentials = credentials; session->CredentialType = CredentialType_ClientPSK; } else { gnutls_psk_set_client_credentials_function(credentials, PSKClientCallBack); session->Credentials = credentials; session->CredentialType = CredentialType_ClientPSK; } } } else { gnutls_psk_server_credentials_t credentials; if (gnutls_psk_allocate_server_credentials(&credentials) == GNUTLS_E_SUCCESS) { gnutls_psk_set_server_credentials_function(credentials, PSKCallBack); gnutls_credentials_set(session->Session, GNUTLS_CRD_PSK, credentials); session->Credentials = credentials; session->CredentialType = CredentialType_ServerPSK; } } } gnutls_priority_set(session->Session, _PriorityCache); if (!client) { gnutls_certificate_server_set_request(session->Session, GNUTLS_CERT_REQUEST); // GNUTLS_CERT_IGNORE Don't require Client Cert } #if GNUTLS_VERSION_MAJOR >= 3 gnutls_handshake_set_timeout(session->Session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); #endif } }
psk_client_credentials::psk_client_credentials ():credentials (GNUTLS_CRD_PSK) { RETWRAP (gnutls_psk_allocate_client_credentials (&cred)); set_ptr (cred); }