static void
init_global_tls_stuff (void)
{
int ret;
/* X509 stuff */
if (gnutls_certificate_allocate_credentials (&xcred) < 0)
{
fprintf (stderr, "Certificate allocation memory error\n");
exit (1);
}
if (x509_cafile != NULL)
{
ret = gnutls_certificate_set_x509_trust_file (xcred,
x509_cafile, x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 trust file\n");
}
else
{
printf ("Processed %d CA certificate(s).\n", ret);
}
}
#ifdef ENABLE_PKI
if (x509_crlfile != NULL)
{
ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,
x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 CRL file\n");
}
else
{
printf ("Processed %d CRL(s).\n", ret);
}
}
#endif
load_keys ();
#ifdef ENABLE_OPENPGP
if (pgp_keyring != NULL)
{
ret =
gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring,
GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP keyring file\n");
}
}
#endif
#ifdef ENABLE_SRP
if (srp_username && srp_passwd)
{
/* SRP stuff */
if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0)
{
fprintf (stderr, "SRP authentication error\n");
}
gnutls_srp_set_client_credentials_function (srp_cred,
srp_username_callback);
}
#endif
#ifdef ENABLE_PSK
/* PSK stuff */
if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0)
{
fprintf (stderr, "PSK authentication error\n");
}
if (psk_username && psk_key.data)
{
ret = gnutls_psk_set_client_credentials (psk_cred,
psk_username, &psk_key,
GNUTLS_PSK_KEY_HEX);
if (ret < 0)
{
fprintf (stderr, "Error setting the PSK credentials: %s\n",
gnutls_strerror (ret));
}
}
gnutls_psk_set_client_credentials_function (psk_cred, psk_callback);
#endif
#ifdef ENABLE_ANON
/* ANON stuff */
if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0)
{
fprintf (stderr, "Anonymous authentication error\n");
}
#endif
}
int
main (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_psk_client_credentials_t pskcred;
const gnutls_datum_t key = { (char *) "DEADBEEF", 8 };
gnutls_global_init ();
gnutls_psk_allocate_client_credentials (&pskcred);
gnutls_psk_set_client_credentials (pskcred, "test", &key,
GNUTLS_PSK_KEY_HEX);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err);
if (ret < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST)
{
fprintf (stderr, "Syntax error at: %s\n", err);
}
exit (1);
}
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_psk_free_client_credentials (pskcred);
gnutls_global_deinit ();
return 0;
}
/**
* Establish a DTLS connection using gnutls library
* @see #dtls_connec
*/
int dtls_gnutls_connect(struct conn *conn)
{
int rc;
char sock_buf[SOCK_ADDR_BUFSIZE];
struct dtls_gnutls_data *d;
gnutls_datum_t key;
d = dtls_gnutls_data_create(conn,
GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK);
if (!d)
return 0;
/*// gnutls_dh_set_prime_bits(d->session, 512);*/
/*#if GNUTLS_VERSION_NUMBER >= 0x030100
gnutls_handshake_set_timeout(d->session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
gnutls_dtls_set_data_mtu(d->session, 1500);
#endif
gnutls_dtls_set_mtu(d->session, 1500);
*/
/*
if (conn->dtls_psk != NULL){
key.data=(unsigned char*)conn->dtls_psk;
key.size=strlen(conn->dtls_psk);
rc = gnutls_credentials_set(d->session, GNUTLS_CRD_PSK, &key);
if (rc<0) {
cw_log(LOG_ERR, "DTLS - Can't set x.509 credentials: %s", gnutls_strerror(rc));
dtls_gnutls_data_destroy(d);
return 0;
}
}
*/
if (conn->dtls_psk_enable){
gnutls_psk_client_credentials_t cred;
rc = gnutls_psk_allocate_client_credentials(&cred);
if (rc != 0) {
cw_dbg(DBG_DTLS,"gnutls_psk_allocate_client_credentials() failed.\n");
return 0;
}
key.size = bstr16_len(conn->dtls_psk);
key.data = bstr16_data(conn->dtls_psk);
/* Put the username and key into the structure we use to tell GnuTLs what
// the credentials are. The example server doesn't care about usernames, so
// we use "Alice" here.*/
rc = gnutls_psk_set_client_credentials(cred, "Alice", &key, GNUTLS_PSK_KEY_RAW);
rc = gnutls_credentials_set(d->session, GNUTLS_CRD_PSK, cred);
if (rc != 0) {
cw_log(LOG_ERR,"gnutls_credentials_set() failed.");
}
}
cw_dbg(DBG_DTLS,"Starting handshake");
do {
rc = gnutls_handshake(d->session);
} while (rc == GNUTLS_E_AGAIN);
if (rc < 0) {
cw_log(LOG_ERR, "DTLS (gnutls) Can't connect to %s: %s",
sock_addr2str(&conn->addr,sock_buf), gnutls_strerror(rc));
return 0;
}
cw_dbg(DBG_DTLS, "Handshake with %s successful", sock_addr2str(&conn->addr,sock_buf));
conn->dtls_data = d;
conn->read = dtls_gnutls_read;
conn->write = dtls_gnutls_write;
return 1;
}
static void
client (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_psk_client_credentials_t pskcred;
const gnutls_datum_t key = { (char *) "DEADBEEF", 8 };
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
// if (debug)
// gnutls_global_set_log_level (99);
gnutls_psk_allocate_client_credentials (&pskcred);
gnutls_psk_set_client_credentials (pskcred, "test", &key,
GNUTLS_PSK_KEY_HEX);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_set_default_priority (session);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
if (debug)
success ("client: Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
goto end;
}
if (debug)
{
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
fputc (buffer[ii], stdout);
fputs ("\n", stdout);
}
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_psk_free_client_credentials (pskcred);
gnutls_global_deinit ();
}
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
gnutls_psk_client_credentials_t pskcred;
const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
CHECK(gnutls_global_init());
CHECK(gnutls_psk_allocate_client_credentials(&pskcred));
CHECK(gnutls_psk_set_client_credentials(pskcred, "test", &key,
GNUTLS_PSK_KEY_HEX));
/* Initialize TLS session
*/
CHECK(gnutls_init(&session, GNUTLS_CLIENT));
/* Use default priorities */
ret =
gnutls_priority_set_direct(session,
"PERFORMANCE:+ECDHE-PSK:+DHE-PSK:+PSK",
&err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
}
exit(1);
}
/* put the x509 credentials to the current session
*/
CHECK(gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred));
/* connect to the peer
*/
sd = tcp_connect();
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(session);
printf("- Session info: %s\n", desc);
gnutls_free(desc);
}
CHECK(gnutls_record_send(session, MSG, strlen(MSG)));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR));
end:
tcp_close(sd);
gnutls_deinit(session);
gnutls_psk_free_client_credentials(pskcred);
gnutls_global_deinit();
return 0;
}
static void
init_global_tls_stuff (void)
{
int ret;
if ((ret = gnutls_global_init ()) < 0)
{
fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
exit (1);
}
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug);
if ((ret = gnutls_global_init_extra ()) < 0)
{
fprintf (stderr, "global_init_extra: %s\n", gnutls_strerror (ret));
// exit (1);
}
/* X509 stuff */
if (gnutls_certificate_allocate_credentials (&xcred) < 0)
{
fprintf (stderr, "Certificate allocation memory error\n");
exit (1);
}
/* there are some CAs that have a v1 certificate *%&@#*%&
*/
gnutls_certificate_set_verify_flags (xcred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
if (x509_cafile != NULL)
{
ret =
gnutls_certificate_set_x509_trust_file (xcred,
x509_cafile, x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 trust file\n");
}
else
{
printf ("Processed %d CA certificate(s).\n", ret);
}
}
#ifdef ENABLE_PKI
if (x509_crlfile != NULL)
{
ret =
gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile, x509ctype);
if (ret < 0)
{
fprintf (stderr, "Error setting the x509 CRL file\n");
}
else
{
printf ("Processed %d CRL(s).\n", ret);
}
}
#endif
load_keys ();
#ifdef ENABLE_OPENPGP
if (pgp_keyring != NULL)
{
ret = gnutls_certificate_set_openpgp_keyring_file (xcred, pgp_keyring);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP keyring file\n");
}
}
if (pgp_trustdb != NULL)
{
ret = gnutls_certificate_set_openpgp_trustdb (xcred, pgp_trustdb);
if (ret < 0)
{
fprintf (stderr, "Error setting the OpenPGP trustdb file\n");
}
}
#endif
#ifdef ENABLE_SRP
/* SRP stuff */
if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0)
{
fprintf (stderr, "SRP authentication error\n");
}
gnutls_srp_set_client_credentials_function (srp_cred,
srp_username_callback);
#endif
#ifdef ENABLE_PSK
/* SRP stuff */
if (gnutls_psk_allocate_client_credentials (&psk_cred) < 0)
{
fprintf (stderr, "PSK authentication error\n");
}
gnutls_psk_set_client_credentials (psk_cred,
psk_username, &psk_key,
GNUTLS_PSK_KEY_HEX);
#endif
#ifdef ENABLE_ANON
/* ANON stuff */
if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0)
{
fprintf (stderr, "Anonymous authentication error\n");
}
#endif
}
static void client(int sd, const char *prio)
{
int ret, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_psk_client_credentials_t pskcred;
/* Need to enable anonymous KX specifically. */
const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
const char *hint;
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
side = "client";
gnutls_psk_allocate_client_credentials(&pskcred);
gnutls_psk_set_client_credentials(pskcred, "test", &key,
GNUTLS_PSK_KEY_HEX);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, prio, NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred);
gnutls_transport_set_int(session, sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake(session);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
if (debug)
success("client: Handshake was completed\n");
}
/* check the hint */
hint = gnutls_psk_client_get_hint(session);
if (hint == NULL || strcmp(hint, "hint") != 0) {
fail("client: hint is not the expected: %s\n", gnutls_psk_client_get_hint(session));
goto end;
}
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (debug) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
close(sd);
gnutls_deinit(session);
gnutls_psk_free_client_credentials(pskcred);
gnutls_global_deinit();
}
static void SetupNewSession(int index, NetworkAddress * networkAddress, bool client)
{
DTLS_Session * session = &sessions[index];
session->NetworkAddress = networkAddress;
unsigned int flags;
#if GNUTLS_VERSION_MAJOR >= 3
if (client)
flags = GNUTLS_CLIENT | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK;
else
flags = GNUTLS_SERVER | GNUTLS_DATAGRAM | GNUTLS_NONBLOCK;
#else
if (client)
flags = GNUTLS_CLIENT;
else
flags = GNUTLS_SERVER;
#endif
if (gnutls_init(&session->Session, flags) == GNUTLS_E_SUCCESS)
{
gnutls_transport_set_pull_function(session->Session, DecryptCallBack);
gnutls_transport_set_push_function(session->Session, SSLSendCallBack);
#if GNUTLS_VERSION_MAJOR >= 3
gnutls_transport_set_pull_timeout_function(session->Session, ReceiveTimeout);
#endif
gnutls_transport_set_ptr(session->Session, session);
if (certificate || !pskIdentity)
{
if (_CertCredentials)
{
gnutls_credentials_set(session->Session, GNUTLS_CRD_CERTIFICATE, _CertCredentials);
}
else if (gnutls_certificate_allocate_credentials(&_CertCredentials) == GNUTLS_E_SUCCESS)
{
if (certificate)
{
gnutls_datum_t certificateData;
certificateData.data = certificate;
certificateData.size = certificateLength;
int format = GNUTLS_X509_FMT_PEM;
if (certificateFormat == AwaCertificateFormat_ASN1)
format = GNUTLS_X509_FMT_DER;
// if (client)
// gnutls_certificate_set_x509_trust_mem(session->Credentials, &certificateData, format);
// else
gnutls_certificate_set_x509_key_mem(_CertCredentials, &certificateData, &certificateData, format);
}
#if GNUTLS_VERSION_MAJOR >= 3
gnutls_certificate_set_verify_function(_CertCredentials, CertificateVerify);
//gnutls_certificate_set_retrieve_function(xcred, cert_callback);
//gnutls_session_set_verify_cert(session->Session, NULL, GNUTLS_VERIFY_DISABLE_CA_SIGN);
#else
gnutls_certificate_set_verify_flags(_CertCredentials, GNUTLS_VERIFY_DISABLE_CA_SIGN);
#endif
gnutls_credentials_set(session->Session, GNUTLS_CRD_CERTIFICATE, _CertCredentials);
}
}
else if (pskIdentity)
{
if (client)
{
gnutls_psk_client_credentials_t credentials;
if (gnutls_psk_allocate_client_credentials(&credentials) == GNUTLS_E_SUCCESS)
{
if (gnutls_psk_set_client_credentials(credentials, pskIdentity, &pskKey, GNUTLS_PSK_KEY_RAW) == GNUTLS_E_SUCCESS)
{
gnutls_credentials_set(session->Session, GNUTLS_CRD_PSK, credentials);
session->Credentials = credentials;
session->CredentialType = CredentialType_ClientPSK;
}
else
{
gnutls_psk_set_client_credentials_function(credentials, PSKClientCallBack);
session->Credentials = credentials;
session->CredentialType = CredentialType_ClientPSK;
}
}
}
else
{
gnutls_psk_server_credentials_t credentials;
if (gnutls_psk_allocate_server_credentials(&credentials) == GNUTLS_E_SUCCESS)
{
gnutls_psk_set_server_credentials_function(credentials, PSKCallBack);
gnutls_credentials_set(session->Session, GNUTLS_CRD_PSK, credentials);
session->Credentials = credentials;
session->CredentialType = CredentialType_ServerPSK;
}
}
}
gnutls_priority_set(session->Session, _PriorityCache);
if (!client)
{
gnutls_certificate_server_set_request(session->Session, GNUTLS_CERT_REQUEST); // GNUTLS_CERT_IGNORE Don't require Client Cert
}
#if GNUTLS_VERSION_MAJOR >= 3
gnutls_handshake_set_timeout(session->Session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
#endif
}
}
psk_client_credentials::psk_client_credentials ():credentials
(GNUTLS_CRD_PSK)
{
RETWRAP (gnutls_psk_allocate_client_credentials (&cred));
set_ptr (cred);
}
