bool CTlsSocket::InitSession() { int res = gnutls_init(&m_session, GNUTLS_CLIENT); if (res) { LogError(res, _T("gnutls_init")); Uninit(); return false; } // Even though the name gnutls_db_set_cache_expiration // implies expiration of some cache, it also governs // the actual session lifetime, independend whether the // session is cached or not. gnutls_db_set_cache_expiration(m_session, 100000000); res = gnutls_priority_set_direct(m_session, ciphers, 0); if (res) { LogError(res, _T("gnutls_priority_set_direct")); Uninit(); return false; } gnutls_dh_set_prime_bits(m_session, 512); gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials); // Setup transport functions gnutls_transport_set_push_function(m_session, PushFunction); gnutls_transport_set_pull_function(m_session, PullFunction); gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this); return true; }
/* Returns true if resumed */ static unsigned handshake(const char *prio, unsigned t, const gnutls_datum_t *sdata, gnutls_datum_t *ndata, gnutls_datum_t *skey, struct hsk_st *h) { int ret; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; char buf[128]; gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0); assert(gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM)>=0); assert(gnutls_init(&server, GNUTLS_SERVER)>=0); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); assert(gnutls_priority_set_direct(server, prio, NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_session_set_ptr(server, h); gnutls_db_set_cache_expiration(server, t); assert(gnutls_session_ticket_enable_server(server, skey) >= 0); gnutls_handshake_set_hook_function(server, -1, GNUTLS_HOOK_POST, handshake_callback); assert(gnutls_certificate_allocate_credentials(&clientx509cred)>=0); assert(gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM)>=0); assert(gnutls_init(&client, GNUTLS_CLIENT)>=0); assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred)>=0); assert(gnutls_priority_set_direct(client, prio, NULL)>=0); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); if (sdata) { assert(gnutls_session_set_data(client, sdata->data, sdata->size)>=0); } memset(buf, 0, sizeof(buf)); ret = gnutls_session_set_data(client, buf, sizeof(buf)); if (ret != GNUTLS_E_DB_ERROR) { fail("unexpected error: %s\n", gnutls_strerror(ret)); } HANDSHAKE(client, server); gnutls_record_recv(client, buf, sizeof(buf)); if (ndata) { ret = gnutls_session_get_data2(client, ndata); if (ret < 0) { fail("unexpected error: %s\n", gnutls_strerror(ret)); } } ret = gnutls_session_is_resumed(client); gnutls_deinit(server); gnutls_deinit(client); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); reset_buffers(); return ret; }
static gnutls_session tls_session_init(int side, uschar *expciphers, uschar *expmac, uschar *expkx, uschar *expproto) { gnutls_session session; gnutls_init(&session, side); /* Initialize the lists of permitted protocols, key-exchange methods, ciphers, and MACs. */ memcpy(cipher_priority, default_cipher_priority, sizeof(cipher_priority)); memcpy(mac_priority, default_mac_priority, sizeof(mac_priority)); memcpy(kx_priority, default_kx_priority, sizeof(kx_priority)); memcpy(proto_priority, default_proto_priority, sizeof(proto_priority)); /* The names OpenSSL uses in tls_require_ciphers are of the form DES-CBC3-SHA, using hyphen separators. GnuTLS uses underscore separators. So that I can use either form for tls_require_ciphers in my tests, and also for general convenience, we turn hyphens into underscores before scanning the list. */ if (expciphers != NULL) { uschar *s = expciphers; while (*s != 0) { if (*s == '-') *s = '_'; s++; } } if ((expciphers != NULL && !set_priority(cipher_priority, sizeof(cipher_priority)/sizeof(int), expciphers, cipher_index, sizeof(cipher_index)/sizeof(pri_item), US"cipher")) || (expmac != NULL && !set_priority(mac_priority, sizeof(mac_priority)/sizeof(int), expmac, mac_index, sizeof(mac_index)/sizeof(pri_item), US"MAC")) || (expkx != NULL && !set_priority(kx_priority, sizeof(kx_priority)/sizeof(int), expkx, kx_index, sizeof(kx_index)/sizeof(pri_item), US"key-exchange")) || (expproto != NULL && !set_priority(proto_priority, sizeof(proto_priority)/sizeof(int), expproto, proto_index, sizeof(proto_index)/sizeof(pri_item), US"protocol"))) { gnutls_deinit(session); return NULL; } /* Define the various priorities */ gnutls_cipher_set_priority(session, cipher_priority); gnutls_compression_set_priority(session, comp_priority); gnutls_kx_set_priority(session, kx_priority); gnutls_protocol_set_priority(session, proto_priority); gnutls_mac_set_priority(session, mac_priority); gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_dh_set_prime_bits(session, DH_BITS); /* Request or demand a certificate of the peer, as configured. This will happen only in a server. */ if (verify_requirement != VERIFY_NONE) gnutls_certificate_server_set_request(session, (verify_requirement == VERIFY_OPTIONAL)? GNUTLS_CERT_REQUEST : GNUTLS_CERT_REQUIRE); gnutls_db_set_cache_expiration(session, ssl_session_timeout); /* Reduce security in favour of increased compatibility, if the admin decides to make that trade-off. */ if (gnutls_compat_mode) { #if LIBGNUTLS_VERSION_NUMBER >= 0x020104 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n"); gnutls_session_enable_compatibility_mode(session); #else DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n"); #endif } DEBUG(D_tls) debug_printf("initialized GnuTLS session\n"); return session; }
void server_session::set_db_cache_expiration (unsigned int seconds) { gnutls_db_set_cache_expiration (s, seconds); }