예제 #1
0
파일: resume.c 프로젝트: intgr/gnutls
static gnutls_session_t
initialize_tls_session (struct params_res *params)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_priority_set_direct (session, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  if (params->enable_db)
    {
      gnutls_db_set_retrieve_function (session, wrap_db_fetch);
      gnutls_db_set_remove_function (session, wrap_db_delete);
      gnutls_db_set_store_function (session, wrap_db_store);
      gnutls_db_set_ptr (session, NULL);
    }

  if (params->enable_session_ticket_server)
    gnutls_session_ticket_enable_server (session, &session_ticket_key);

  return session;
}
void server_session::set_db (const DB & db)
{
    gnutls_db_set_ptr (s, const_cast < DB * >(&db));
    gnutls_db_set_store_function (s, store_function);
    gnutls_db_set_retrieve_function (s, retrieve_function);
    gnutls_db_set_remove_function (s, remove_function);
}
예제 #3
0
파일: resume.c 프로젝트: uvbs/SupportCenter
gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;
  const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_set_default_priority (session);
  gnutls_kx_set_priority (session, kx_prio);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  if (TLS_SESSION_CACHE != 0)
    {
      gnutls_db_set_retrieve_function (session, wrap_db_fetch);
      gnutls_db_set_remove_function (session, wrap_db_delete);
      gnutls_db_set_store_function (session, wrap_db_store);
      gnutls_db_set_ptr (session, NULL);
    }

  return session;
}
예제 #4
0
파일: resume.c 프로젝트: Chronic-Dev/gnutls
static gnutls_session_t
initialize_tls_session (struct params_res *params)
{
  gnutls_session_t session;
  const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_set_default_priority (session);
  gnutls_kx_set_priority (session, kx_prio);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  if (params->enable_db)
    {
      gnutls_db_set_retrieve_function (session, wrap_db_fetch);
      gnutls_db_set_remove_function (session, wrap_db_delete);
      gnutls_db_set_store_function (session, wrap_db_store);
      gnutls_db_set_ptr (session, NULL);
    }
#ifdef ENABLE_SESSION_TICKET
  if (params->enable_session_ticket_server)
    gnutls_session_ticket_enable_server (session, &session_ticket_key);
#endif

  return session;
}
예제 #5
0
파일: SslDriver.cpp 프로젝트: liveck/x0
// {{{ session cache
void SslDriver::cache(SslSocket *socket)
{
	gnutls_db_set_ptr(socket->session_, this);
	gnutls_db_set_store_function(socket->session_, &SslDriver::_store);
	gnutls_db_set_remove_function(socket->session_, &SslDriver::_remove);
	gnutls_db_set_retrieve_function(socket->session_, &SslDriver::_retrieve);
}
예제 #6
0
파일: SslDriver.cpp 프로젝트: hiwang123/x0
void SslDriver::initialize(SslSocket* socket)
{
	gnutls_priority_set(socket->session_, priorities_);

	// cache
	gnutls_db_set_ptr(socket->session_, this);
	gnutls_db_set_store_function(socket->session_, &SslDriver::_store);
	gnutls_db_set_remove_function(socket->session_, &SslDriver::_remove);
	gnutls_db_set_retrieve_function(socket->session_, &SslDriver::_retrieve);
}
static void
g_tls_server_connection_gnutls_init (GTlsServerConnectionGnutls *gnutls)
{
  gnutls_certificate_credentials_t creds;
  gnutls_session_t session;

  gnutls->priv = G_TYPE_INSTANCE_GET_PRIVATE (gnutls, G_TYPE_TLS_SERVER_CONNECTION_GNUTLS, GTlsServerConnectionGnutlsPrivate);

  creds = g_tls_connection_gnutls_get_credentials (G_TLS_CONNECTION_GNUTLS (gnutls));
  gnutls_certificate_set_retrieve_function (creds, g_tls_server_connection_gnutls_retrieve_function);

  session = g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (gnutls));
  gnutls_db_set_retrieve_function (session, g_tls_server_connection_gnutls_db_retrieve);
  gnutls_db_set_store_function (session, g_tls_server_connection_gnutls_db_store);
  gnutls_db_set_remove_function (session, g_tls_server_connection_gnutls_db_remove);
}
예제 #8
0
파일: ebb.c 프로젝트: bakins/libebb
void ebb_connection_start(ebb_connection *connection)
{
  ebb_server *server = connection->server;
  struct ev_loop *loop;

  if(!connection->loop) {
      connection->loop = server->loop;
  }
  loop  = connection->loop;
 
  /*Need thread safe session cache?*/
#ifdef HAVE_GNUTLS
  if(server->secure) {
    gnutls_init(&connection->session, GNUTLS_SERVER);
    gnutls_transport_set_lowat(connection->session, 0); 
    gnutls_set_default_priority(connection->session);
    gnutls_credentials_set(connection->session, GNUTLS_CRD_CERTIFICATE, connection->server->credentials);

    gnutls_transport_set_ptr(connection->session, (gnutls_transport_ptr) fd); 
    gnutls_transport_set_push_function(connection->session, nosigpipe_push);

    gnutls_db_set_ptr (connection->session, &server->session_cache);
    gnutls_db_set_store_function (connection->session, session_cache_store);
    gnutls_db_set_retrieve_function (connection->session, session_cache_retrieve);
    gnutls_db_set_remove_function (connection->session, session_cache_remove);
  }

  ev_io_set(&connection->handshake_watcher, connection->fd, EV_READ | EV_WRITE);
#endif /* HAVE_GNUTLS */

  /* Note: not starting the write watcher until there is data to be written */
  ev_io_set(&connection->write_watcher, connection->fd, EV_WRITE);
  ev_io_set(&connection->read_watcher, connection->fd, EV_READ);
  /* XXX: seperate error watcher? */

  ev_timer_again(loop, &connection->timeout_watcher);

#ifdef HAVE_GNUTLS
  if(server->secure) {
    ev_io_start(loop, &connection->handshake_watcher);
    return;
  }
#endif

  ev_io_start(loop, &connection->read_watcher);
}
예제 #9
0
int ne_sock_accept_ssl(ne_socket *sock, ne_ssl_context *ctx)
{
    int ret;
    ne_ssl_socket ssl;

#if defined(HAVE_OPENSSL)
    ssl = SSL_new(ctx->ctx);
    
    SSL_set_fd(ssl, sock->fd);

    sock->ssl = ssl;
    ret = SSL_accept(ssl);
    if (ret != 1) {
        return error_ossl(sock, ret);
    }
#elif defined(HAVE_GNUTLS)
    gnutls_init(&ssl, GNUTLS_SERVER);
    gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
    gnutls_set_default_priority(ssl);

    /* Set up dummy session cache. */
    gnutls_db_set_store_function(ssl, store_sess);
    gnutls_db_set_retrieve_function(ssl, retrieve_sess);    
    gnutls_db_set_remove_function(ssl, remove_sess);    
    gnutls_db_set_ptr(ssl, ctx);

    if (ctx->verify)
        gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);

    sock->ssl = ssl;
    gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr) sock->fd);
    ret = gnutls_handshake(ssl);
    if (ret < 0) {
        return error_gnutls(sock, ret);
    }
    if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
        set_error(sock, _("Client certificate verification failed"));
        return NE_SOCK_ERROR;
    }
#endif
    sock->ops = &iofns_ssl;
    return 0;
}
예제 #10
0
static void server(int sds[], struct params_res *params)
{
	gnutls_anon_server_credentials_t anoncred;
	static gnutls_datum_t session_ticket_key = { NULL, 0 };
	int ret;
	size_t t;
	gnutls_session_t session;

	/* this must be called once in the program, it is mostly for the server.
	 */
	if (debug) {
		gnutls_global_set_log_function(tls_log_func);
		gnutls_global_set_log_level(3);
	}

	global_init();
	gnutls_anon_allocate_server_credentials(&anoncred);

	if (debug)
		success("Launched, generating DH parameters...\n");

	gnutls_anon_set_server_dh_params(anoncred, dh_params);

	if (params->enable_db) {
		wrap_db_init();
	}

	if (params->enable_session_ticket_server)
		gnutls_session_ticket_key_generate(&session_ticket_key);

	for (t = 0; t < SESSIONS; t++) {
		int sd = sds[t];

		gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);

		gnutls_priority_set_direct(session,
				   "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
				   NULL);

		gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
		gnutls_dh_set_prime_bits(session, DH_BITS);

		if (params->enable_db) {
			gnutls_db_set_retrieve_function(session, wrap_db_fetch);
			gnutls_db_set_remove_function(session, wrap_db_delete);
			gnutls_db_set_store_function(session, wrap_db_store);
			gnutls_db_set_ptr(session, NULL);
		}

		if (params->enable_session_ticket_server)
			gnutls_session_ticket_enable_server(session,
						    &session_ticket_key);

		gnutls_transport_set_int(session, sd);
		gnutls_dtls_set_timeouts(session, 3*1000, 240 * 1000);
		
		do {
			ret = gnutls_handshake(session);
		} while (ret < 0 && (ret == GNUTLS_E_INTERRUPTED||ret == GNUTLS_E_AGAIN));
		if (ret < 0) {
			close(sd);
			gnutls_deinit(session);
			kill(child, SIGTERM);
			fail("server: Handshake has failed (%s)\n\n",
			     gnutls_strerror(ret));
			return;
		}
		if (debug)
			success("server: Handshake was completed\n");

		/* see the Getting peer's information example */
		/* print_info(session); */

		for (;;) {
			memset(buffer, 0, MAX_BUF + 1);
			ret = gnutls_record_recv(session, buffer, MAX_BUF);

			if (ret == 0) {
				if (debug)
					success
					    ("server: Peer has closed the GnuTLS connection\n");
				break;
			} else if (ret < 0) {
				kill(child, SIGTERM);
				fail("server: Received corrupted data(%d). Closing...\n", ret);
				break;
			} else if (ret > 0) {
				/* echo data back to the client
				 */
				gnutls_record_send(session, buffer,
						   strlen(buffer));
			}
		}
		/* do not wait for the peer to close the connection.
		 */
		gnutls_bye(session, GNUTLS_SHUT_WR);

		close(sd);

		gnutls_deinit(session);
	}

	if (params->enable_db) {
		wrap_db_deinit();
	}

	gnutls_free(session_ticket_key.data);
	session_ticket_key.data = NULL;
	gnutls_anon_free_server_credentials(anoncred);

	if (debug)
		success("server: finished\n");
}
예제 #11
0
static gboolean mod_gnutls_con_new(liConnection *con, int fd) {
	liEventLoop *loop = &con->wrk->loop;
	liServer *srv = con->srv;
	mod_context *ctx = con->srv_sock->data;
	mod_connection_ctx *conctx;
	gnutls_session_t session;
	int r;

	if (GNUTLS_E_SUCCESS > (r = gnutls_init(&session, GNUTLS_SERVER))) {
		ERROR(srv, "gnutls_init (%s): %s",
			gnutls_strerror_name(r), gnutls_strerror(r));
		return FALSE;
	}

	mod_gnutls_context_acquire(ctx);

	if (GNUTLS_E_SUCCESS > (r = gnutls_priority_set(session, ctx->server_priority))) {
		ERROR(srv, "gnutls_priority_set (%s): %s",
			gnutls_strerror_name(r), gnutls_strerror(r));
		goto fail;
	}
	if (GNUTLS_E_SUCCESS > (r = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->server_cert))) {
		ERROR(srv, "gnutls_credentials_set (%s): %s",
			gnutls_strerror_name(r), gnutls_strerror(r));
		goto fail;
	}

	if (NULL != ctx->session_db) {
		gnutls_db_set_ptr(session, ctx->session_db);
		gnutls_db_set_remove_function(session, session_db_remove_cb);
		gnutls_db_set_retrieve_function(session, session_db_retrieve_cb);
		gnutls_db_set_store_function(session, session_db_store_cb);
	}

#ifdef HAVE_SESSION_TICKET
	if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_enable_server(session, &ctx->ticket_key))) {
		ERROR(srv, "gnutls_session_ticket_enable_server (%s): %s",
			gnutls_strerror_name(r), gnutls_strerror(r));
		goto fail;
	}
#endif

#ifdef GNUTLS_ALPN_MAND
	{
		static const gnutls_datum_t proto_http1 = { (unsigned char*) CONST_STR_LEN("http/1.1") };
		gnutls_alpn_set_protocols(session, &proto_http1, 1, 0);
	}
#endif

	conctx = g_slice_new0(mod_connection_ctx);
	conctx->session = session;
	conctx->sock_stream = li_iostream_new(con->wrk, fd, tcp_io_cb, conctx);

	conctx->client_hello_stream = li_ssl_client_hello_stream(&con->wrk->loop, gnutls_client_hello_cb, conctx);
#ifdef USE_SNI
	li_job_init(&conctx->sni_job, sni_job_cb);
	conctx->sni_jobref = li_job_ref(&con->wrk->loop.jobqueue, &conctx->sni_job);
#endif

	li_stream_connect(&conctx->sock_stream->stream_in, conctx->client_hello_stream);

	conctx->tls_filter = li_gnutls_filter_new(srv, con->wrk, &filter_callbacks, conctx, conctx->session,
		conctx->client_hello_stream, &conctx->sock_stream->stream_out);

	conctx->con = con;
	conctx->ctx = ctx;

	con->con_sock.data = conctx;
	con->con_sock.callbacks = &gnutls_tcp_cbs;
	con->con_sock.raw_out = li_stream_plug_new(loop);
	con->con_sock.raw_in = li_stream_plug_new(loop);
	con->info.is_ssl = TRUE;

	return TRUE;

fail:
	gnutls_deinit(session);
	mod_gnutls_context_release(ctx);

	return FALSE;
}
예제 #12
0
파일: starttls.c 프로젝트: Jactry/shishi
/* Handle the high TCP length bit, currently only used for STARTTLS. */
int
kdc_extension (struct listenspec *ls)
{
  int rc;

  if (ls->usetls
      || ls->ai.ai_socktype != SOCK_STREAM
      || ls->bufpos < 4 || (ls->bufpos >= 4 && !(ls->buf[0] & 0x80)))
    return 0;

  if (x509cred == NULL || memcmp (ls->buf, STARTTLS_CLIENT_REQUEST,
				  STARTTLS_LEN) != 0)
    return kdc_extension_reject (ls);

  /* This message can arguably belong to LOG_AUTH,
   * but leave it at the default facility.  */
  syslog (LOG_INFO, "Trying STARTTLS");

  memcpy (ls->buf, STARTTLS_SERVER_ACCEPT, STARTTLS_LEN);
  ls->bufpos = STARTTLS_LEN;

  kdc_send1 (ls);

  rc = gnutls_init (&ls->session, GNUTLS_SERVER);
  if (rc != GNUTLS_E_SUCCESS)
    {
      syslog (LOG_ERR | LOG_DAEMON, "TLS initialization failed (%d): %s",
	      rc, gnutls_strerror (rc));
      return -1;
    }

  rc = gnutls_priority_set_direct (ls->session, "NORMAL:+ANON-DH", NULL);
  if (rc != GNUTLS_E_SUCCESS)
    {
      syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_psd %d: %s",
	      rc, gnutls_strerror (rc));
      return -1;
    }

  rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_ANON, anoncred);
  if (rc != GNUTLS_E_SUCCESS)
    {
      syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_cs %d: %s",
	      rc, gnutls_strerror (rc));
      return -1;
    }

  rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_CERTIFICATE, x509cred);
  if (rc != GNUTLS_E_SUCCESS)
    {
      syslog (LOG_ERR | LOG_DAEMON, "TLS failed, gnutls_cs X.509 %d: %s",
	      rc, gnutls_strerror (rc));
      return -1;
    }

  gnutls_certificate_server_set_request (ls->session, GNUTLS_CERT_REQUEST);

  gnutls_dh_set_prime_bits (ls->session, DH_BITS);
  gnutls_transport_set_ptr (ls->session, (gnutls_transport_ptr_t)
			    (unsigned long) ls->sockfd);

  gnutls_db_set_retrieve_function (ls->session, resume_db_fetch);
  gnutls_db_set_store_function (ls->session, resume_db_store);
  gnutls_db_set_remove_function (ls->session, resume_db_delete);

  rc = gnutls_handshake (ls->session);
  if (rc < 0)
    {
      syslog (LOG_ERR | LOG_DAEMON, "TLS handshake failed (%d): %s\n",
	      rc, gnutls_strerror (rc));
      return -1;
    }

  logtlsinfo (ls->session);

  ls->bufpos = 0;
  ls->usetls = 1;

  return 0;
}