void doit(void) { gnutls_certificate_credentials_t serv_cred; gnutls_certificate_credentials_t cli_cred; int ret; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0); ret = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); ret = gnutls_certificate_set_x509_key_mem(cli_cred, &clidsa_ca3_cert, &clidsa_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in error code: %s\n", gnutls_strerror(ret)); exit(1); } /* test gnutls_certificate_flags() */ gnutls_certificate_allocate_credentials(&serv_cred); gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH); ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); ret = gnutls_certificate_set_x509_key_mem(serv_cred, &server_ca3_localhost_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in error code\n"); exit(1); } test_cli_serv_cert(serv_cred, cli_cred, "NORMAL:+DHE-DSS:+SIGN-DSA-SHA1", "NORMAL:-DHE-DSS:-SIGN-DSA-SHA1", "localhost"); gnutls_certificate_free_credentials(serv_cred); gnutls_certificate_free_credentials(cli_cred); gnutls_global_deinit(); if (debug) success("success"); }
static void run(const char *env, const char *filename) { gnutls_certificate_credentials_t x509_cred; gnutls_certificate_credentials_t clicred; int ret; remove(filename); #ifdef _WIN32 { char buf[512]; snprintf(buf, sizeof(buf), "%s=%s", env, filename); _putenv(buf); } #else setenv(env, filename, 1); #endif global_init(); if (debug) { gnutls_global_set_log_level(6); gnutls_global_set_log_function(tls_log_func); } /* test gnutls_certificate_flags() */ assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in error code\n"); exit(1); } ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); if (access(filename, R_OK) != 0) { fail("keylog file was not created\n"); exit(1); } search_for_str(filename); gnutls_certificate_free_credentials(x509_cred); gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); remove(filename); if (debug) success("success"); }
void doit(void) { int exit_code = EXIT_SUCCESS; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (2); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); HANDSHAKE(client, server); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); gnutls_certificate_free_credentials (serverx509cred); gnutls_certificate_free_credentials (clientx509cred); gnutls_global_deinit (); if (debug > 0) { if (exit_code == 0) puts ("Self-test successful"); else puts ("Self-test failed"); } }
static void test_failure_server(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ to_server_len = 0; to_client_len = 0; client_ret_val = 0; server_ret_val = GNUTLS_E_CERTIFICATE_ERROR; server_ok = 0; client_ok = 0; /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_session_set_verify_function(server, server_callback); gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); gnutls_session_set_verify_function(client, client_callback); HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_CERTIFICATE_ERROR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); if (server_ok == 0) fail("%s: certificate verify callback wasn't called\n", __func__); }
int rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile) { int ret; gnutls_datum_t *d_cert, *d_key; if(cert == NULL) { rb_lib_log("rb_setup_ssl_server: No certificate file"); return 0; } if((d_cert = rb_load_file_into_datum_t(cert)) == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno)); return 0; } if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno)); return 0; } if((ret = gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) { rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s", gnutls_strerror(ret)); return 0; } rb_free_datum_t(d_cert); rb_free_datum_t(d_key); if(dhfile != NULL) { if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS) { gnutls_datum_t *data; int xret; data = rb_load_file_into_datum_t(dhfile); if(data != NULL) { xret = gnutls_dh_params_import_pkcs3(dh_params, data, GNUTLS_X509_FMT_PEM); if(xret < 0) rb_lib_log ("rb_setup_ssl_server: Error parsing DH file: %s\n", gnutls_strerror(xret)); rb_free_datum_t(data); } gnutls_certificate_set_dh_params(x509, dh_params); } else rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters"); } return 1; }
static void server (int fd, const char* prio) { int ret; char buffer[MAX_BUF + 1]; gnutls_session_t session; /* this must be called once in the program */ gnutls_global_init (); memset(buffer, 0, sizeof(buffer)); if (debug) { gnutls_global_set_log_function (server_log_func); gnutls_global_set_log_level (4711); } gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_anon_allocate_server_credentials (&anoncred); session = initialize_tls_session (prio); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd); do { ret = gnutls_handshake (session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close (fd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); terminate(); } if (debug) success ("server: Handshake was completed\n"); if (debug) success ("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); close(fd); gnutls_deinit (session); gnutls_anon_free_server_credentials (anoncred); gnutls_certificate_free_credentials (x509_cred); gnutls_global_deinit (); if (debug) success ("server: finished\n"); }
static void server(int sd) { gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; int ret; unsigned loops; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (debug) success("Launched, generating DH parameters...\n"); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, sd); loops = 0; do { ret = gnutls_handshake(session); loops++; if (loops > 64) fail("Too many loops in the handshake!\n"); } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_WARNING_ALERT_RECEIVED); if (ret >= 0) { fail("server: Handshake succeeded unexpectedly\n"); } close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
void server_start (void) { /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); success ("Launched, generating DH parameters...\n"); generate_dh_params (); gnutls_certificate_set_dh_params (x509_cred, dh_params); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); if (err == -1) { perror ("socket"); fail ("server: socket failed\n"); return; } memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); if (err == -1) { perror ("bind"); fail ("server: bind failed\n"); return; } err = listen (listen_sd, 1024); if (err == -1) { perror ("listen"); fail ("server: listen failed\n"); return; } success ("server: ready. Listening to port '%d'.\n", PORT); }
void doit (void) { gnutls_certificate_credentials_t x509_cred; int ret; unsigned int i; gnutls_x509_crt_t issuer; gnutls_x509_crt_t list[LIST_SIZE]; char dn[128]; size_t dn_size; unsigned int list_size; /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (6); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); /* test for gnutls_certificate_get_issuer() */ list_size = LIST_SIZE; ret = gnutls_x509_crt_list_import(list, &list_size, &cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import"); ret = gnutls_certificate_get_issuer(x509_cred, list[0], &issuer, 0); if (ret < 0) fail("gnutls_certificate_get_isser"); dn_size = sizeof(dn); ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); if (ret < 0) fail("gnutls_certificate_get_isser"); if (debug) fprintf(stderr, "Issuer's DN: %s\n", dn); for (i=0;i<list_size;i++) gnutls_x509_crt_deinit(list[i]); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("success"); }
int setup_session (gnutls_session_t * session, gnutls_datum_t * key, gnutls_datum_t * cert, gnutls_certificate_credentials_t * xcred) { int ret; const char *err_pos; gnutls_certificate_allocate_credentials (xcred); key->size = strlen (srv_key_pem) + 1; key->data = malloc (key->size); if (NULL == key->data) { gnutls_certificate_free_credentials (*xcred); return -1; } memcpy (key->data, srv_key_pem, key->size); cert->size = strlen (srv_self_signed_cert_pem) + 1; cert->data = malloc (cert->size); if (NULL == cert->data) { gnutls_certificate_free_credentials (*xcred); free (key->data); return -1; } memcpy (cert->data, srv_self_signed_cert_pem, cert->size); gnutls_certificate_set_x509_key_mem (*xcred, cert, key, GNUTLS_X509_FMT_PEM); gnutls_init (session, GNUTLS_CLIENT); ret = gnutls_priority_set_direct (*session, "NORMAL", &err_pos); if (ret < 0) { gnutls_deinit (*session); gnutls_certificate_free_credentials (*xcred); free (key->data); return -1; } gnutls_credentials_set (*session, GNUTLS_CRD_CERTIFICATE, *xcred); return 0; }
static sni_cert_data* creds_from_gstring(mod_context *ctx, GString *str) { sni_cert_data* data = NULL; gnutls_certificate_credentials_t creds = NULL; liGnuTLSOCSP* ocsp = NULL; gnutls_datum_t pemfile; int r; if (NULL == str) return NULL; if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&creds))) return NULL; pemfile.data = (unsigned char*) str->str; pemfile.size = str->len; #if defined(HAVE_PIN) gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin); #endif if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) { goto error; } gnutls_certificate_set_dh_params(creds, ctx->dh_params); ocsp = li_gnutls_ocsp_new(); if (!li_gnutls_ocsp_search_datum(ctx->srv, ocsp, &pemfile)) { goto error; } li_gnutls_ocsp_use(ocsp, creds); data = g_slice_new0(sni_cert_data); data->creds = creds; data->ocsp = ocsp; return data; error: if (NULL != creds) gnutls_certificate_free_credentials(creds); if (NULL != ocsp) li_gnutls_ocsp_free(ocsp); return NULL; }
static void server(int fd) { int ret; gnutls_certificate_credentials_t xcred; char buffer[MAX_BUF + 1]; gnutls_session_t session; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&xcred); ret = gnutls_certificate_set_x509_key_mem(xcred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); gnutls_init(&session, GNUTLS_SERVER); gnutls_handshake_set_timeout(session, 20 * 1000); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); /* see the Getting peer's information example */ /* print_info(session); */ memset(buffer, 1, sizeof(buffer)); do { ret = gnutls_record_send(session, buffer, sizeof(buffer)-1); } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: data sending has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); if (ret < 0) { fail("server: error in closing session: %s\n", gnutls_strerror(ret)); } close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
static void server(int fd) { int ret; gnutls_session_t session; gnutls_certificate_credentials_t x509_cred; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&session, GNUTLS_SERVER|GNUTLS_DATAGRAM); gnutls_handshake_set_timeout(session, 20 * 1000); gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO, GNUTLS_HOOK_POST, handshake_callback); assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-DTLS1.2", NULL)>= 0); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { /* failure is expected here */ goto end; } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); assert(found_server_name != 0); assert(found_status_req != 0); gnutls_bye(session, GNUTLS_SHUT_WR); end: close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
static void server_initiated_handshake(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; unsigned char buffer[64]; int cret = GNUTLS_E_AGAIN; size_t transferred = 0; success("testing server initiated re-handshake\n"); /* General init. */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(2); /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL:+VERS-TLS1.3", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); HANDSHAKE(client, server); if (gnutls_protocol_get_version(client) != GNUTLS_TLS1_3) fail("TLS1.3 was not negotiated\n"); sret = gnutls_rehandshake(server); if (debug) { tls_log_func(0, "gnutls_rehandshake (server)...\n"); tls_log_func(0, gnutls_strerror(sret)); tls_log_func(0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv(client, b, 1); /* in TLS1.2 we get REHANDSHAKE error, here nothing */ if (n != GNUTLS_E_AGAIN) { fail("error msg: %s\n", gnutls_strerror(n)); } } TRANSFER(client, server, "xxxx", 4, buffer, sizeof(buffer)); gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); reset_buffers(); }
static void server(int sd) { gnutls_certificate_credentials_t serverx509cred; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); side = "server"; gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "PERFORMANCE:+ANON-ECDH:+ANON-DH", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_supplemental_recv(session, 1); gnutls_supplemental_send(session, 1); gnutls_session_supplemental_register(session, "supplemental_server", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_server_recv_func, supp_server_send_func, 0); gnutls_transport_set_int(session, sd); ret = gnutls_handshake(session); if (ret < 0) { close(sd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); return; } if (debug) success("server: Handshake was completed\n"); if (TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1) fail("server: extension not properly sent/received\n"); /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(serverx509cred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&xcred); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (xcred, &cert, &key, GNUTLS_X509_FMT_PEM); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { success ("client: Handshake was completed\n"); } success ("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ print_info(session); gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_global_deinit (); }
static void test_failure(const char *name, const char *prio) { int ret; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; gnutls_x509_crt_t *crts; unsigned int crts_size; unsigned i; gnutls_typed_vdata_st vdata[2]; gnutls_x509_privkey_t pkey; unsigned status; success("testing cert verification failure for %s\n", name); to_server_len = 0; to_client_len = 0; ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_privkey_init(&pkey); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_privkey_import(pkey, &server_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key(serverx509cred, crts, crts_size, pkey); gnutls_x509_privkey_deinit(pkey); for (i=0;i<crts_size;i++) gnutls_x509_crt_deinit(crts[i]); gnutls_free(crts); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); assert(gnutls_priority_set_direct(server, prio, NULL) >= 0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); /* Init client */ /* Init client */ ret = gnutls_certificate_allocate_credentials(&clientx509cred); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_key_mem(clientx509cred, &cli_cert, &cli_key, GNUTLS_X509_FMT_PEM); ret = gnutls_init(&client, GNUTLS_CLIENT); if (ret < 0) exit(1); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) exit(1); assert(gnutls_priority_set_direct(client, prio, NULL) >= 0); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); memset(vdata, 0, sizeof(vdata)); /* check with wrong hostname */ vdata[0].type = GNUTLS_DT_DNS_HOSTNAME; vdata[0].data = (void*)"localhost1"; vdata[1].type = GNUTLS_DT_KEY_PURPOSE_OID; vdata[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER; gnutls_session_set_verify_cert2(client, vdata, 2, 0); HANDSHAKE_EXPECT(client, server, GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR, GNUTLS_E_AGAIN); status = gnutls_session_get_verify_cert_status(client); if (status == 0) { fail("should not have accepted!\n"); exit(1); } gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); }
void doit(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (2); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); /* Check that initially no session use the extension. */ if (gnutls_safe_renegotiation_status (server) || gnutls_safe_renegotiation_status (client)) { puts ("Client or server using extension before handshake?"); abort (); } HANDSHAKE(client, server); /* Check that both sessions use the extension. */ if (!gnutls_safe_renegotiation_status (server) || !gnutls_safe_renegotiation_status (client)) { puts ("Client or server not using safe renegotiation extension?"); abort (); } sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); /* Check that session still use the extension. */ if (!gnutls_safe_renegotiation_status (server) || !gnutls_safe_renegotiation_status (client)) { puts ("Client or server not using safe renegotiation extension?"); abort (); } /* Check that this API does not affect anything after first handshake. gnutls_safe_negotiation_set_initial (server, 0); */ sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); /* Check that disabling the extension will break rehandshakes. gnutls_safe_renegotiation_set (client, 0); */ sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); gnutls_certificate_free_credentials (serverx509cred); gnutls_certificate_free_credentials (clientx509cred); gnutls_global_deinit (); if (debug) { puts ("Self-test successful"); } return; }
void doit(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(2); /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_certificate_set_verify_function(serverx509cred, server_callback); gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); gnutls_handshake_set_post_client_hello_function(server, post_client_hello_callback); gnutls_handshake_set_hook_function(server, GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, handshake_callback); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); gnutls_certificate_set_verify_function(clientx509cred, client_callback); HANDSHAKE(client, server); gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); if (pch_ok == 0) fail("Post client hello callback wasn't called\n"); if (server_ok == 0) fail("Server certificate verify callback wasn't called\n"); if (client_ok == 0) fail("Client certificate verify callback wasn't called\n"); }
void doit (void) { int exit_code = EXIT_SUCCESS; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (2); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); HANDSHAKE(client, server); sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); gnutls_certificate_free_credentials (serverx509cred); gnutls_certificate_free_credentials (clientx509cred); gnutls_global_deinit (); if (debug) { if (exit_code == 0) puts ("Self-test successful"); else puts ("Self-test failed"); } }
void doit(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(2); /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); HANDSHAKE(client, server); if (!gnutls_safe_renegotiation_status(client) || !gnutls_safe_renegotiation_status(server)) { tls_log_func(0, "Session not using safe renegotiation!\n"); exit(1); } if (!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION) || !(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION)) { tls_log_func(0, "Session not using safe renegotiation!\n"); exit(1); } sret = gnutls_rehandshake(server); if (debug) { tls_log_func(0, "gnutls_rehandshake (server)...\n"); tls_log_func(0, gnutls_strerror(sret)); tls_log_func(0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv(client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort(); } HANDSHAKE(client, server); if (!gnutls_safe_renegotiation_status(client) || !gnutls_safe_renegotiation_status(server)) { tls_log_func(0, "Rehandshaked session not using safe renegotiation!\n"); exit(1); } if (!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION) || !(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION)) { tls_log_func(0, "Rehandshaked session not using safe renegotiation!\n"); exit(1); } gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); if (debug) { puts("Self-test successful"); } return; }
void doit(void) { gnutls_certificate_credentials_t x509_cred; int ret; unsigned int i; gnutls_x509_crt_t issuer; gnutls_x509_crt_t list[LIST_SIZE]; char dn[128]; size_t dn_size; unsigned int list_size; size_t buf_size; gnutls_x509_privkey_t get_key; gnutls_x509_crt_t *get_crts; unsigned n_get_crts; gnutls_datum_t get_datum, chain_datum[2] = {server_ca3_cert, subca3_cert}; gnutls_x509_trust_list_t trust_list; gnutls_x509_trust_list_iter_t trust_iter; gnutls_x509_crt_t get_ca_crt; unsigned n_get_ca_crts; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); /* test for gnutls_certificate_get_issuer() */ /* check whether gnutls_x509_crt_list_import will fail if given a single * certificate */ list_size = LIST_SIZE; ret = gnutls_x509_crt_list_import(list, &list_size, &ca3_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import (failed with a single cert)"); gnutls_x509_crt_deinit(list[0]); list_size = LIST_SIZE; ret = gnutls_x509_crt_list_import(list, &list_size, &cli_ca3_cert_chain, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import"); ret = gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, 0); if (ret < 0) fail("gnutls_certificate_get_isser"); ret = gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) fail("gnutls_certificate_get_isser"); dn_size = sizeof(dn); ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); if (ret < 0) fail("gnutls_certificate_get_dn"); gnutls_x509_crt_deinit(issuer); if (dn_size != strlen(dn)) { fail("gnutls_x509_crt_get_dn: lengths don't match\n"); exit(1); } if (debug) fprintf(stderr, "Issuer's DN: %s\n", dn); /* test the getter functions of gnutls_certificate_credentials_t */ ret = gnutls_certificate_get_x509_key(x509_cred, 0, &get_key); if (ret < 0) fail("gnutls_certificate_get_x509_key"); ret = gnutls_x509_privkey_export2(get_key, GNUTLS_X509_FMT_PEM, &get_datum); if (ret < 0) fail("gnutls_x509_privkey_export2"); if (get_datum.size != server_ca3_key.size || memcmp(get_datum.data, server_ca3_key.data, get_datum.size) != 0) { fail( "exported key %u vs. %u\n\n%s\n\nvs.\n\n%s", get_datum.size, server_ca3_key.size, get_datum.data, server_ca3_key.data); } if (strlen((char*)get_datum.data) != get_datum.size) { fail("exported key %u vs. %u\n\n%s\n", get_datum.size, (unsigned)strlen((char*)get_datum.data), get_datum.data); } gnutls_free(get_datum.data); buf_size = sizeof(buf); ret = gnutls_x509_privkey_export(get_key, GNUTLS_X509_FMT_PEM, buf, &buf_size); if (ret < 0) fail("gnutls_x509_privkey_export"); if (buf_size != get_datum.size || buf_size != strlen(buf) || memcmp(buf, server_ca3_key.data, buf_size) != 0) { fail( "exported key %u vs. %u\n\n%s\n\nvs.\n\n%s", (int)buf_size, server_ca3_key.size, buf, server_ca3_key.data); } ret = gnutls_certificate_get_x509_crt(x509_cred, 0, &get_crts, &n_get_crts); if (ret < 0) fail("gnutls_certificate_get_x509_crt"); if (n_get_crts != 2) fail("gnutls_certificate_get_x509_crt: n_crts != 2"); for (i = 0; i < n_get_crts; i++) { ret = gnutls_x509_crt_export2(get_crts[i], GNUTLS_X509_FMT_PEM, &get_datum); if (ret < 0) fail("gnutls_x509_crt_export2"); if (get_datum.size != chain_datum[i].size || memcmp(get_datum.data, chain_datum[i].data, get_datum.size) != 0) { fail( "exported certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", get_datum.size, chain_datum[i].size, get_datum.data, chain_datum[i].data); } gnutls_free(get_datum.data); } gnutls_certificate_get_trust_list(x509_cred, &trust_list); n_get_ca_crts = 0; trust_iter = NULL; while (gnutls_x509_trust_list_iter_get_ca(trust_list, &trust_iter, &get_ca_crt) != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { ret = gnutls_x509_crt_export2(get_ca_crt, GNUTLS_X509_FMT_PEM, &get_datum); if (ret < 0) fail("gnutls_x509_crt_export2"); if (get_datum.size != ca3_cert.size || memcmp(get_datum.data, ca3_cert.data, get_datum.size) != 0) { fail( "exported CA certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", get_datum.size, ca3_cert.size, get_datum.data, ca3_cert.data); } gnutls_x509_crt_deinit(get_ca_crt); gnutls_free(get_datum.data); ++n_get_ca_crts; } if (n_get_ca_crts != 1) fail("gnutls_x509_trust_list_iter_get_ca: n_cas != 1"); if (trust_iter != NULL) fail("gnutls_x509_trust_list_iter_get_ca: iterator not NULL after iteration"); gnutls_x509_privkey_deinit(get_key); for (i = 0; i < n_get_crts; i++) gnutls_x509_crt_deinit(get_crts[i]); gnutls_free(get_crts); for (i = 0; i < list_size; i++) gnutls_x509_crt_deinit(list[i]); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("success"); }
int main (int argc, char *argv[]) { int debug_level = argc - 1; int exit_code = EXIT_SUCCESS; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (debug_level); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); /* Check that initially no session use the extension. */ if (gnutls_safe_renegotiation_status (server) || gnutls_safe_renegotiation_status (client)) { puts ("Client or server using extension before handshake?"); abort (); } do { static int max_iter = 0; if (max_iter++ > 10) abort (); if (cret == GNUTLS_E_AGAIN) { cret = gnutls_handshake (client); if (debug_level > 0) { tls_log_func (0, "gnutls_handshake (client)...\n"); tls_log_func (0, gnutls_strerror (cret)); tls_log_func (0, "\n"); } } if (sret == GNUTLS_E_AGAIN) { sret = gnutls_handshake (server); if (debug_level > 0) { tls_log_func (0, "gnutls_handshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } } } while ( /* Not done: */ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) /* No error: */ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) exit_code = EXIT_FAILURE; if (gnutls_safe_renegotiation_status (client) || gnutls_safe_renegotiation_status (server)) { tls_log_func (0, "Session using safe renegotiation but shouldn't?!\n"); exit_code = EXIT_FAILURE; } sret = gnutls_rehandshake (server); if (debug_level > 0) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } cret = GNUTLS_E_AGAIN; sret = GNUTLS_E_AGAIN; do { static int max_iter = 0; if (max_iter++ > 10) abort (); if (cret == GNUTLS_E_AGAIN) { cret = gnutls_handshake (client); if (debug_level > 0) { tls_log_func (0, "second gnutls_handshake (client)...\n"); tls_log_func (0, gnutls_strerror (cret)); tls_log_func (0, "\n"); } } if (sret == GNUTLS_E_AGAIN) { sret = gnutls_handshake (server); if (debug_level > 0) { tls_log_func (0, "second gnutls_handshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } } if (cret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED) break; } while ( /* Not done: */ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) /* No error: */ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); if (cret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED && sret != GNUTLS_E_SUCCESS) exit_code = 1; if (gnutls_safe_renegotiation_status (client) || gnutls_safe_renegotiation_status (server)) { tls_log_func (0, "Rehandshaked worked and uses safe reneg?!\n"); exit_code = EXIT_FAILURE; } gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); free (to_server); free (to_client); gnutls_certificate_free_credentials (serverx509cred); gnutls_global_deinit (); if (debug_level > 0) { if (exit_code == 0) puts ("Self-test successful"); else puts ("Self-test failed"); } return exit_code; }
void server (void) { /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); success ("Launched, generating DH parameters...\n"); generate_dh_params (); gnutls_certificate_set_dh_params (x509_cred, dh_params); client_len = sizeof (sa_cli); session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); success ("server: connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); return; } success ("server: Handshake was completed\n"); success ("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ print_info (session); i = 0; for (;;) { bzero (buffer, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("server: Peer has closed the GNUTLS connection\n"); break; } else if (ret < 0) { fail ("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); close (listen_sd); gnutls_certificate_free_credentials (x509_cred); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); success ("server: finished\n"); }
static void client(int sd) { int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&xcred); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_mem(xcred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem(xcred, &cert, &key, GNUTLS_X509_FMT_PEM); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_priority_set_direct(session, "NORMAL", NULL); /* put the x509 credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_transport_set_int(session, sd); /* Perform the TLS handshake */ ret = gnutls_handshake(session); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); goto end; } else if (debug) { success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); /* see the Getting peer's information example */ if (debug) print_info(session); ret = gnutls_record_send(session, MSG, strlen(MSG)); if (ret == strlen(MSG)) { if (debug) success("client: sent record.\n"); } else { fail("client: failed to send record.\n"); gnutls_perror(ret); goto end; } ret = gnutls_record_recv(session, buffer, MAX_BUF); if (debug) success("client: recv returned %d.\n", ret); if (ret == GNUTLS_E_REHANDSHAKE) { if (debug) success("client: doing handshake!\n"); ret = gnutls_handshake(session); if (ret == 0) { if (debug) success ("client: handshake complete, reading again.\n"); ret = gnutls_record_recv(session, buffer, MAX_BUF); } else { fail("client: handshake failed.\n"); } } if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail("client: Error: %s\n", gnutls_strerror(ret)); goto end; } if (debug) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } gnutls_bye(session, GNUTLS_SHUT_RDWR); end: close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); }
static void server(int sd) { /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_x509_trust_mem(x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); if (debug) success("Launched, generating DH parameters...\n"); generate_dh_params(); gnutls_certificate_set_dh_params(x509_cred, dh_params); session = initialize_tls_session(); gnutls_transport_set_int(session, sd); ret = gnutls_handshake(session); if (ret < 0) { close(sd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); return; } if (debug) { success("server: Handshake was completed\n"); success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); } /* see the Getting peer's information example */ if (debug) print_info(session); for (;;) { memset(buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); if (debug) success ("server: got data, forcing rehandshake.\n"); ret = gnutls_rehandshake(session); if (ret < 0) { fail("server: rehandshake failed\n"); gnutls_perror(ret); break; } ret = gnutls_handshake(session); if (ret < 0) { fail("server: (re)handshake failed\n"); gnutls_perror(ret); break; } if (debug) success("server: rehandshake complete.\n"); /* echo data back to the client */ gnutls_record_send(session, buffer, strlen(buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
static void test_success2(const char *name, const char *prio) { int ret; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; gnutls_x509_crt_t *crts; unsigned int crts_size; unsigned i; gnutls_x509_privkey_t pkey; unsigned status; success("testing cert verification success2 for %s\n", name); to_server_len = 0; to_client_len = 0; ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_privkey_init(&pkey); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_privkey_import(pkey, &server_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); exit(1); } /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key(serverx509cred, crts, crts_size, pkey); gnutls_x509_privkey_deinit(pkey); for (i=0;i<crts_size;i++) gnutls_x509_crt_deinit(crts[i]); gnutls_free(crts); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); assert(gnutls_priority_set_direct(server, prio, NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); /* Init client */ /* Init client */ ret = gnutls_certificate_allocate_credentials(&clientx509cred); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_key_mem(clientx509cred, &cli_cert, &cli_key, GNUTLS_X509_FMT_PEM); ret = gnutls_init(&client, GNUTLS_CLIENT); if (ret < 0) exit(1); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) exit(1); assert(gnutls_priority_set_direct(client, prio, NULL)>=0); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); gnutls_session_set_verify_cert(client, "localhost", 0); HANDSHAKE(client, server); status = gnutls_session_get_verify_cert_status(client); if (status != 0) { fail("%s: should have accepted: %u!\n", __func__, status); exit(1); } gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); }
static void server(int sd) { gnutls_certificate_credentials_t x509_cred; int ret; gnutls_session_t session; char buffer[MAX_BUF + 1]; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); gnutls_certificate_allocate_credentials(&x509_cred); ret = gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret == 0) { fail("server: no CAs loaded\n"); } gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (debug) success("Launched, generating DH parameters...\n"); generate_dh_params(); gnutls_certificate_set_dh_params(x509_cred, dh_params); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits(session, DH_BITS); gnutls_transport_set_int(session, sd); gnutls_handshake_set_timeout(session, 20 * 1000); ret = gnutls_handshake(session); if (ret < 0) { close(sd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); return; } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); /* see the Getting peer's information example */ if (debug) print_info(session); for (;;) { memset(buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send(session, buffer, strlen(buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
static void server_check(void) { int exit_code = EXIT_SUCCESS; int ret; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL:-KX-ALL:+RSA", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); /* Init client */ ret = gnutls_certificate_allocate_credentials(&clientx509cred); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); ret = gnutls_init(&client, GNUTLS_CLIENT); if (ret < 0) exit(1); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) exit(1); gnutls_priority_set_direct(client, "NORMAL:+RSA", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_NO_CIPHER_SUITES); if (debug) success("server returned the expected code\n"); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); if (debug > 0) { if (exit_code == 0) puts("Self-test successful"); else puts("Self-test failed"); } }
/* Returns true if resumed */ static unsigned handshake(const char *prio, unsigned t, const gnutls_datum_t *sdata, gnutls_datum_t *ndata, gnutls_datum_t *skey, struct hsk_st *h) { int ret; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; char buf[128]; gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0); assert(gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM)>=0); assert(gnutls_init(&server, GNUTLS_SERVER)>=0); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); assert(gnutls_priority_set_direct(server, prio, NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_session_set_ptr(server, h); gnutls_db_set_cache_expiration(server, t); assert(gnutls_session_ticket_enable_server(server, skey) >= 0); gnutls_handshake_set_hook_function(server, -1, GNUTLS_HOOK_POST, handshake_callback); assert(gnutls_certificate_allocate_credentials(&clientx509cred)>=0); assert(gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM)>=0); assert(gnutls_init(&client, GNUTLS_CLIENT)>=0); assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred)>=0); assert(gnutls_priority_set_direct(client, prio, NULL)>=0); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); if (sdata) { assert(gnutls_session_set_data(client, sdata->data, sdata->size)>=0); } memset(buf, 0, sizeof(buf)); ret = gnutls_session_set_data(client, buf, sizeof(buf)); if (ret != GNUTLS_E_DB_ERROR) { fail("unexpected error: %s\n", gnutls_strerror(ret)); } HANDSHAKE(client, server); gnutls_record_recv(client, buf, sizeof(buf)); if (ndata) { ret = gnutls_session_get_data2(client, ndata); if (ret < 0) { fail("unexpected error: %s\n", gnutls_strerror(ret)); } } ret = gnutls_session_is_resumed(client); gnutls_deinit(server); gnutls_deinit(client); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); reset_buffers(); return ret; }