int manos_tls_regenerate_dhparams (int bits) { gnutls_dh_params_t params, oldparams; int err; err = gnutls_dh_params_init (¶ms); if (err != 0) { return err; } err = gnutls_dh_params_generate2 (params, bits); if (err != 0) { gnutls_dh_params_deinit (params); return err; } oldparams = dh_params; dh_params = params; if (oldparams != NULL) { gnutls_dh_params_deinit (oldparams); } return 0; }
static int vnc_tls_initialize(void) { static int tlsinitialized = 0; if (tlsinitialized) return 1; if (gnutls_global_init () < 0) return 0; /* XXX ought to re-generate diffie-hellman params periodically */ if (gnutls_dh_params_init (&dh_params) < 0) return 0; if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0) return 0; #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 gnutls_global_set_log_level(10); gnutls_global_set_log_function(vnc_debug_gnutls_log); #endif tlsinitialized = 1; return 1; }
bool generate_dh_params(gnutls_dh_params_t *const dh_params) { /* int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW); */ int bits = 1248; /* Equivalent, gnutls_sec_param_to_pk_bits is available since 2.12 */ int ret; assert(dh_params != NULL); /* Generate Diffie-Hellman parameters - for use with DHE * kx algorithms. When short bit length is used, it might * be wise to regenerate parameters often. */ ret = gnutls_dh_params_init(dh_params); if(ret != GNUTLS_E_SUCCESS) { trace(LOG_ERR, "failed to initialize Diffie-Hellman parameters"); goto error; } ret = gnutls_dh_params_generate2(*dh_params, bits); if(ret != GNUTLS_E_SUCCESS) { trace(LOG_ERR, "failed to generate Diffie-Hellman parameters"); goto free_dh; } return true; free_dh: gnutls_dh_params_deinit(*dh_params); error: return false; }
static int generate_dh_params(struct rfbssl_ctx *ctx) { int ret; if (GNUTLS_E_SUCCESS == (ret = gnutls_dh_params_init(&ctx->dh_params))) ret = gnutls_dh_params_generate2(ctx->dh_params, 1024); return ret; }
void TLSSocket::init(const std::string& caPath, const std::string& crlPath, const std::string& certPath, const std::string& keyPath) { gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); gnutls_global_init(); gnutls_certificate_allocate_credentials(&xcred); if (!caPath.empty()) { gnutls_certificate_set_x509_trust_file(xcred, caPath.c_str(), GNUTLS_X509_FMT_PEM); gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); } if (!crlPath.empty()) { gnutls_certificate_set_x509_crl_file(xcred, crlPath.c_str(), GNUTLS_X509_FMT_PEM); } gnutls_certificate_set_x509_key_file(xcred, certPath.c_str(), keyPath.c_str(), GNUTLS_X509_FMT_PEM); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, 1024); gnutls_priority_init(&priority_cache, "NORMAL", NULL); gnutls_certificate_set_dh_params(xcred, dh_params); }
static int generate_dh_params (void) { gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); return 0; }
void TLSServer::init ( const std::string& ca, const std::string& crl, const std::string& cert, const std::string& key) { _ca = ca; _crl = crl; _cert = cert; _key = key; int ret = gnutls_global_init (); if (ret < 0) throw format ("TLS init error. {1}", gnutls_strerror (ret)); ret = gnutls_certificate_allocate_credentials (&_credentials); if (ret < 0) throw format ("TLS allocation error. {1}", gnutls_strerror (ret)); if (_ca != "" && (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CA file. {1}", gnutls_strerror (ret)); if ( _crl != "" && (ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CRL file. {1}", gnutls_strerror (ret)); if (_cert != "" && _key != "" && (ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CERT file. {1}", gnutls_strerror (ret)); #if GNUTLS_VERSION_NUMBER >= 0x020b00 #if GNUTLS_VERSION_NUMBER >= 0x03000d unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); #else unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); #endif #else unsigned int bits = DH_BITS; #endif gnutls_dh_params_init (&_params); gnutls_dh_params_generate2 (_params, bits); if (_ciphers == "") _ciphers = "NORMAL"; gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL); gnutls_certificate_set_dh_params (_credentials, _params); #if GNUTLS_VERSION_NUMBER >= 0x02090a // The automatic verification for the client certificate with // gnutls_certificate_set_verify_function only works with gnutls // >=2.9.10. So with older versions we should call the verify function // manually after the gnutls handshake. gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif }
static Ecore_Con_Ssl_Error _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr, int ssl_type) { int ret; if (ssl_type & ECORE_CON_USE_SSL2) return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED; switch (ssl_type) { case ECORE_CON_USE_SSL3: case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_TLS: case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_MIXED: case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT: break; default: return ECORE_CON_SSL_ERROR_NONE; } SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert)); if ((!svr->use_cert) && svr->created) { SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params)); INF("Generating DH params"); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s)); /* TODO: implement PSK */ // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s)); gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params); gnutls_certificate_set_dh_params(svr->cert, svr->dh_params); //gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params); INF("DH params successfully generated and applied!"); } else if (!svr->use_cert) { //SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c)); } return ECORE_CON_SSL_ERROR_NONE; error: _gnutls_print_errors(ret); _ecore_con_ssl_server_shutdown_gnutls(svr); return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED; }
/* Server mode: Set DH parameters */ int ufwissl_ssl_context_set_dh_bits(ufwissl_ssl_context * ctx, unsigned int dh_bits) { ctx->dh_bits = dh_bits; if (gnutls_dh_params_init(&ctx->dh) < 0) return UFWISSL_ERROR; if (gnutls_dh_params_generate2(ctx->dh, ctx->dh_bits) < 0) return UFWISSL_ERROR; return UFWISSL_OK; }
void gtlsGlobalServerData::generate_dh_params() { int ret = 0; ret = gnutls_dh_params_init(&dh_params); // printerror("gnutls_dh_params_init", ret); if (ret < 0) { initialized_ = false; } ret = gnutls_dh_params_generate2(dh_params, gtlsGeneric::GNUTLSIF_DH_BITS); // printerror("gnutls_dh_params_generate2", ret); if (ret < 0) { initialized_ = false; } }
static int generate_dh_params (void) { /* Generate Diffie-Hellman parameters - for use with DHE * kx algorithms. These should be discarded and regenerated * once a day, once a week or once a month. Depending on the * security requirements. */ gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); return 0; }
static int generate_dh_params (void) { int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW); /* Generate Diffie-Hellman parameters - for use with DHE * kx algorithms. When short bit length is used, it might * be wise to regenerate parameters often. */ gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, bits); return 0; }
static int generate_dh_params(void) { /* Generate Diffie-Hellman parameters - for use with DHE * kx algorithms. When short bit length is used, it might * be wise to regenerate parameters. * * Check the ex-serv-export.c example for using static * parameters. */ gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, DH_BITS); return 0; }
void initialize_tls_global(void) { gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CACERT, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CACRL, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file (x509_cred, SERVERCERT, SERVERKEY, GNUTLS_X509_FMT_PEM); gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); gnutls_certificate_set_dh_params (x509_cred, dh_params); }
void TLSServer::init ( const std::string& ca, const std::string& crl, const std::string& cert, const std::string& key) { _ca = ca; _crl = crl; _cert = cert; _key = key; gnutls_global_init (); gnutls_certificate_allocate_credentials (&_credentials); if (_ca != "" && gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CA file."); if ( _crl != "" && gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CRL file."); if (_cert != "" && _key != "" && gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CERT file."); #if GNUTLS_VERSION_NUMBER >= 0x020b00 #if GNUTLS_VERSION_NUMBER >= 0x03000d unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); #else unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); #endif #else unsigned int bits = DH_BITS; #endif gnutls_dh_params_init (&_params); gnutls_dh_params_generate2 (_params, bits); if (_ciphers == "") _ciphers = "NORMAL"; gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL); gnutls_certificate_set_dh_params (_credentials, _params); #if GNUTLS_VERSION_NUMBER >= 0x02090a gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif }
/// Enables TLS on the given server. static void onion_enable_tls(onion *o){ #ifdef HAVE_PTHREADS gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); #endif if (!(o->flags&O_USE_DEV_RANDOM)){ gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); } gnutls_global_init (); gnutls_certificate_allocate_credentials (&o->x509_cred); gnutls_dh_params_init (&o->dh_params); gnutls_dh_params_generate2 (o->dh_params, 1024); gnutls_certificate_set_dh_params (o->x509_cred, o->dh_params); gnutls_priority_init (&o->priority_cache, "NORMAL", NULL); o->flags|=O_SSL_ENABLED; }
static rfbBool InitializeTLS(void) { int ret; if (rfbTLSInitialized) return TRUE; if ((ret = gnutls_global_init()) < 0 || (ret = gnutls_dh_params_init(&rfbDHParams)) < 0 || (ret = gnutls_dh_params_generate2(rfbDHParams, DH_BITS)) < 0) { rfbClientLog("Failed to initialized GnuTLS: %s.\n", gnutls_strerror(ret)); return FALSE; } rfbClientLog("GnuTLS initialized.\n"); rfbTLSInitialized = TRUE; return TRUE; }
int server_create(prelude_client_profile_t *cp, const char *addr, unsigned int port, prelude_bool_t keepalive, const char *pass, gnutls_x509_privkey_t key, gnutls_x509_crt_t cacrt, gnutls_x509_crt_t crt) { int sock; size_t size; struct pollfd pfd[128]; gnutls_dh_params_t dh_params; #ifdef GNUTLS_SRP_ENABLED int ret; ret = gnutls_srp_allocate_server_credentials(&srpcred); if ( ret < 0 ) { fprintf(stderr, "error creating SRP credentials: %s.\n", gnutls_strerror(ret)); return -1; } gnutls_srp_set_server_credentials_function(srpcred, srp_callback); #endif one_shot_passwd = pass; gnutls_anon_allocate_server_credentials(&anoncred); fprintf(stderr, "Generating %d bits Diffie-Hellman key for anonymous authentication...", ANON_DH_BITS); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, ANON_DH_BITS); gnutls_anon_set_server_dh_params(anoncred, dh_params); fprintf(stderr, "\n"); size = sizeof(pfd) / sizeof(*pfd); sock = setup_server(addr, port, pfd, &size); if ( sock < 0 ) return -1; wait_connection(cp, sock, pfd, size, keepalive, key, cacrt, crt); #ifdef GNUTLS_SRP_ENABLED gnutls_srp_free_server_credentials(srpcred); #endif gnutls_anon_free_server_credentials(anoncred); return 0; }
static gnutls_dh_params get_dh_params(void) { static gnutls_dh_params dh_params; static bool initialized = FALSE; if (!initialized) { if (gnutls_dh_params_init(&dh_params)) { g_warning("%s(): gnutls_dh_params_init() failed", G_STRFUNC); return NULL; } if (gnutls_dh_params_generate2(dh_params, TLS_DH_BITS)) { g_warning("%s(): gnutls_dh_params_generate2() failed", G_STRFUNC); return NULL; } initialized = TRUE; } return dh_params; }
SslContext::SslContext() : enabled(true), certFile(this), keyFile(this), crlFile(this), trustFile(this), error_(), logger_(0), numX509Certs_(0), clientVerifyMode_(GNUTLS_CERT_IGNORE), caList_(0) { TRACE("SslContext()"); gnutls_dh_params_init(&dhParams_); gnutls_dh_params_generate2(dhParams_, 1024); gnutls_certificate_allocate_credentials(&certs_); gnutls_anon_allocate_server_credentials(&anonCreds_); }
void doit(void) { gnutls_dh_params_t dh_params = NULL; int rc; rc = global_init(); if (rc) fail("global_init\n"); if (gnutls_dh_params_init(&dh_params) < 0) fail("Error in dh parameter initialization\n"); if (gnutls_dh_params_generate2(dh_params, 1024) < 0) fail("Error in prime generation\n"); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); if (debug) success("generated DH params OK\n"); }
GnuTlsInit::GnuTlsInit() { int ret; cxxtools::MutexLock lock(mutex); if (_initCount++ == 0) { log_debug("gnutls_global_init()"); ret = gnutls_global_init(); if (ret != 0) throw GnuTlsException("gnutls_global_init", ret); log_debug("gnutls_dh_params_init(dhParams)"); ret = gnutls_dh_params_init(&_dhParams); if (ret != 0) throw GnuTlsException("gnutls_dh_params_init", ret); log_debug("gnutls_dh_params_generate2(dh_params, 1024)"); ret = gnutls_dh_params_generate2(_dhParams, 1024); if (ret != 0) throw GnuTlsException("gnutls_dh_params_generate2", ret); } }
void SSLi_init() { unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM); gnutls_priority_init(&cipherCache, ciphers, NULL); initializeCertificate(); gnutls_dh_params_init(&dhParameters); Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount); int error = gnutls_dh_params_generate2(dhParameters, bitCount); if(!error) { Log_info("Successfully generated Diffie-Hellman parameters"); } else { Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error)); } gnutls_certificate_set_dh_params(certificate, dhParameters); Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL)); }
void Plugin::_loadDHParams() { QByteArray data; QFile file(this->dhParamsFile); int bits; gnutls_datum_t datum; int error; if (!file.open(QIODevice::ReadWrite)) throw Properties("error", "Unable to open the Diffie-Hellman parameters file").add("file", this->dhParamsFile); bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, this->secParam); ASSERT_INIT(gnutls_dh_params_init(&this->dhParams), "dh_params"); // The Diffie-Hellman parameters expired if (QFileInfo(file).lastModified() < this->dhParamsExpiration) file.resize(0); // Import the DH parameters from the PEM file if (file.size() > 0) { data = file.readAll(); datum.data = (unsigned char *)data.data(); datum.size = data.size(); if (gnutls_dh_params_import_pkcs3(this->dhParams, &datum, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS) file.resize(0); } // Generates the DH parameters and store them in a PEM file if (file.size() == 0) { LOG_INFO("Generating new Diffie-Hellman parameters. This might take some time.", Properties("secParam", gnutls_sec_param_get_name(this->secParam)).add("bits", bits).toMap(), "Plugin", "_generateDHParams"); data.resize(bits); datum.data = (unsigned char *)data.data(); datum.size = bits; ASSERT(gnutls_dh_params_generate2(this->dhParams, bits)); size_t size = datum.size; ASSERT(gnutls_dh_params_export_pkcs3(this->dhParams, GNUTLS_X509_FMT_PEM, datum.data, &size)); file.write(data.data(), size); } }
static bool Load_DH_params(void) { #ifdef HAVE_LIBSSL FILE *fp; bool ret = true; if (!Conf_SSLOptions.DHFile) { Log(LOG_NOTICE, "Configuration option \"DHFile\" not set!"); return false; } fp = fopen(Conf_SSLOptions.DHFile, "r"); if (!fp) { Log(LOG_ERR, "%s: %s", Conf_SSLOptions.DHFile, strerror(errno)); return false; } dh_params = PEM_read_DHparams(fp, NULL, NULL, NULL); if (!dh_params) { Log(LOG_ERR, "%s: Failed to read SSL DH parameters!", Conf_SSLOptions.DHFile); ret = false; } fclose(fp); return ret; #endif #ifdef HAVE_LIBGNUTLS bool need_dhgenerate = true; int err; gnutls_dh_params_t tmp_dh_params; err = gnutls_dh_params_init(&tmp_dh_params); if (err < 0) { Log(LOG_ERR, "Failed to initialize SSL DH parameters: %s", gnutls_strerror(err)); return false; } if (Conf_SSLOptions.DHFile) { gnutls_datum_t dhparms; size_t size; dhparms.data = (unsigned char *) openreadclose(Conf_SSLOptions.DHFile, &size); if (dhparms.data) { dhparms.size = size; err = gnutls_dh_params_import_pkcs3(tmp_dh_params, &dhparms, GNUTLS_X509_FMT_PEM); if (err == 0) need_dhgenerate = false; else Log(LOG_ERR, "Failed to initialize SSL DH parameters: %s", gnutls_strerror(err)); memset(dhparms.data, 0, size); free(dhparms.data); } } if (need_dhgenerate) { Log(LOG_WARNING, "DHFile not set, generating %u bit DH parameters. This may take a while ...", DH_BITS); err = gnutls_dh_params_generate2(tmp_dh_params, DH_BITS); if (err < 0) { Log(LOG_ERR, "Failed to generate SSL DH parameters: %s", gnutls_strerror(err)); return false; } } dh_params = tmp_dh_params; return true; #endif }
/* * initialize a new TLS context */ static int tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) { tlsg_ctx *ctx = lo->ldo_tls_ctx; int rc; if ( lo->ldo_tls_ciphersuite && tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) { Debug( LDAP_DEBUG_ANY, "TLS: could not set cipher list %s.\n", lo->ldo_tls_ciphersuite, 0, 0 ); return -1; } if (lo->ldo_tls_cacertdir != NULL) { Debug( LDAP_DEBUG_ANY, "TLS: warning: cacertdir not implemented for gnutls\n", NULL, NULL, NULL ); } if (lo->ldo_tls_cacertfile != NULL) { rc = gnutls_certificate_set_x509_trust_file( ctx->cred, lt->lt_cacertfile, GNUTLS_X509_FMT_PEM ); if ( rc < 0 ) return -1; } if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) { gnutls_x509_privkey_t key; gnutls_datum_t buf; gnutls_x509_crt_t certs[VERIFY_DEPTH]; unsigned int max = VERIFY_DEPTH; rc = gnutls_x509_privkey_init( &key ); if ( rc ) return -1; /* OpenSSL builds the cert chain for us, but GnuTLS * expects it to be present in the certfile. If it's * not, we have to build it ourselves. So we have to * do some special checks here... */ rc = tlsg_getfile( lt->lt_keyfile, &buf ); if ( rc ) return -1; rc = gnutls_x509_privkey_import( key, &buf, GNUTLS_X509_FMT_PEM ); LDAP_FREE( buf.data ); if ( rc < 0 ) return rc; rc = tlsg_getfile( lt->lt_certfile, &buf ); if ( rc ) return -1; rc = gnutls_x509_crt_list_import( certs, &max, &buf, GNUTLS_X509_FMT_PEM, 0 ); LDAP_FREE( buf.data ); if ( rc < 0 ) return rc; /* If there's only one cert and it's not self-signed, * then we have to build the cert chain. */ if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) { gnutls_x509_crt_t *cas; unsigned int i, j, ncas; gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas ); for ( i = 1; i<VERIFY_DEPTH; i++ ) { for ( j = 0; j<ncas; j++ ) { if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) { certs[i] = cas[j]; max++; /* If this CA is self-signed, we're done */ if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] )) j = ncas; break; } } /* only continue if we found a CA and it was not self-signed */ if ( j == ncas ) break; } } rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key ); if ( rc ) return -1; } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) { Debug( LDAP_DEBUG_ANY, "TLS: only one of certfile and keyfile specified\n", NULL, NULL, NULL ); return -1; } if ( lo->ldo_tls_dhfile ) { Debug( LDAP_DEBUG_ANY, "TLS: warning: ignoring dhfile\n", NULL, NULL, NULL ); } if ( lo->ldo_tls_crlfile ) { rc = gnutls_certificate_set_x509_crl_file( ctx->cred, lt->lt_crlfile, GNUTLS_X509_FMT_PEM ); if ( rc < 0 ) return -1; rc = 0; } /* FIXME: ITS#5992 - this should go be configurable, * and V1 CA certs should be phased out ASAP. */ gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); if ( is_server ) { gnutls_dh_params_init(&ctx->dh_params); gnutls_dh_params_generate2(ctx->dh_params, DH_BITS); } return 0; }
/* If how is zero then the included parameters are used. */ int generate_prime (int bits, int how) { unsigned int i; int ret; gnutls_dh_params dh_params; gnutls_datum p, g; gnutls_dh_params_init (&dh_params); fprintf (stderr, "Generating DH parameters..."); if (how != 0) { ret = gnutls_dh_params_generate2 (dh_params, bits); if (ret < 0) { fprintf (stderr, "Error generating parameters: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_dh_params_export_raw (dh_params, &p, &g, NULL); if (ret < 0) { fprintf (stderr, "Error exporting parameters: %s\n", gnutls_strerror (ret)); exit (1); } } else { #ifdef ENABLE_SRP if (bits <= 1024) { p = gnutls_srp_1024_group_prime; g = gnutls_srp_1024_group_generator; } else if (bits <= 1536) { p = gnutls_srp_1536_group_prime; g = gnutls_srp_1536_group_generator; } else { p = gnutls_srp_2048_group_prime; g = gnutls_srp_2048_group_generator; } ret = gnutls_dh_params_import_raw (dh_params, &p, &g); if (ret < 0) { fprintf (stderr, "Error exporting parameters: %s\n", gnutls_strerror (ret)); exit (1); } #else fprintf (stderr, "Parameters unavailable as SRP disabled.\n"); #endif } if (cparams) { fprintf (outfile, "/* generator */\n"); fprintf (outfile, "\nconst uint8 g[%d] = { ", g.size); for (i = 0; i < g.size; i++) { if (i % 7 == 0) fprintf (outfile, "\n\t"); fprintf (outfile, "0x%.2x", g.data[i]); if (i != g.size - 1) fprintf (outfile, ", "); } fprintf (outfile, "\n};\n\n"); } else { fprintf (outfile, "\nGenerator: "); for (i = 0; i < g.size; i++) { if (i != 0 && i % 12 == 0) fprintf (outfile, "\n\t"); else if (i != 0 && i != g.size) fprintf (outfile, ":"); fprintf (outfile, "%.2x", g.data[i]); } fprintf (outfile, "\n\n"); } /* print prime */ if (cparams) { fprintf (outfile, "/* prime - %d bits */\n", p.size * 8); fprintf (outfile, "\nconst uint8 prime[%d] = { ", p.size); for (i = 0; i < p.size; i++) { if (i % 7 == 0) fprintf (outfile, "\n\t"); fprintf (outfile, "0x%.2x", p.data[i]); if (i != p.size - 1) fprintf (outfile, ", "); } fprintf (outfile, "\n};\n"); } else { fprintf (outfile, "Prime: "); for (i = 0; i < p.size; i++) { if (i != 0 && i % 12 == 0) fprintf (outfile, "\n\t"); else if (i != 0 && i != p.size) fprintf (outfile, ":"); fprintf (outfile, "%.2x", p.data[i]); } fprintf (outfile, "\n\n"); } if (!cparams) { /* generate a PKCS#3 structure */ int ret; size_t len = buffer_size; ret = gnutls_dh_params_export_pkcs3 (dh_params, GNUTLS_X509_FMT_PEM, buffer, &len); if (ret == 0) { fprintf (outfile, "\n%s", buffer); } else { fprintf (stderr, "Error: %s\n", gnutls_strerror (ret)); } } return 0; }
int init_remote_listener(int port, gboolean encrypted) { int ssock; struct sockaddr_in saddr; int optval; if (port <= 0) { /* dont start it */ return 0; } if (encrypted) { #ifndef HAVE_GNUTLS_GNUTLS_H crm_warn("TLS support is not available"); return 0; #else crm_notice("Starting a tls listener on port %d.", port); gnutls_global_init(); /* gnutls_global_set_log_level (10); */ gnutls_global_set_log_function(debug_log); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, DH_BITS); gnutls_anon_allocate_server_credentials(&anon_cred_s); gnutls_anon_set_server_dh_params(anon_cred_s, dh_params); #endif } else { crm_warn("Starting a plain_text listener on port %d.", port); } #ifndef HAVE_PAM crm_warn("PAM is _not_ enabled!"); #endif /* create server socket */ ssock = socket(AF_INET, SOCK_STREAM, 0); if (ssock == -1) { crm_perror(LOG_ERR, "Can not create server socket." ERROR_SUFFIX); return -1; } /* reuse address */ optval = 1; setsockopt(ssock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval)); /* bind server socket */ memset(&saddr, '\0', sizeof(saddr)); saddr.sin_family = AF_INET; saddr.sin_addr.s_addr = INADDR_ANY; saddr.sin_port = htons(port); if (bind(ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) { crm_perror(LOG_ERR, "Can not bind server socket." ERROR_SUFFIX); return -2; } if (listen(ssock, 10) == -1) { crm_perror(LOG_ERR, "Can not start listen." ERROR_SUFFIX); return -3; } G_main_add_fd(G_PRIORITY_HIGH, ssock, FALSE, cib_remote_listen, NULL, default_ipc_connection_destroy); return ssock; }
/* If how is zero then the included parameters are used. */ int generate_prime(FILE * outfile, int how, common_info_st * info) { int ret; gnutls_dh_params_t dh_params; gnutls_datum_t p, g; int bits = get_bits(GNUTLS_PK_DH, info->bits, info->sec_param, 1); unsigned int q_bits = 0; gnutls_dh_params_init(&dh_params); if (how != 0) { fprintf(stderr, "Generating DH parameters (%d bits)...\n", bits); fprintf(stderr, "(might take long time)\n"); } else fprintf(stderr, "Retrieving DH parameters...\n"); if (how != 0) { ret = gnutls_dh_params_generate2(dh_params, bits); if (ret < 0) { fprintf(stderr, "Error generating parameters: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_dh_params_export_raw(dh_params, &p, &g, &q_bits); if (ret < 0) { fprintf(stderr, "Error exporting parameters: %s\n", gnutls_strerror(ret)); exit(1); } } else { #ifdef ENABLE_SRP if (bits <= 1024) { p = gnutls_srp_1024_group_prime; g = gnutls_srp_1024_group_generator; bits = 1024; } else if (bits <= 1536) { p = gnutls_srp_1536_group_prime; g = gnutls_srp_1536_group_generator; bits = 1536; } else if (bits <= 2048) { p = gnutls_srp_2048_group_prime; g = gnutls_srp_2048_group_generator; bits = 2048; } else if (bits <= 3072) { p = gnutls_srp_3072_group_prime; g = gnutls_srp_3072_group_generator; bits = 3072; } else { p = gnutls_srp_4096_group_prime; g = gnutls_srp_4096_group_generator; bits = 4096; } ret = gnutls_dh_params_import_raw(dh_params, &p, &g); if (ret < 0) { fprintf(stderr, "Error exporting parameters: %s\n", gnutls_strerror(ret)); exit(1); } #else fprintf(stderr, "Parameters unavailable as SRP is disabled.\n"); exit(1); #endif } print_dh_info(outfile, &p, &g, q_bits, info->cprint); if (!info->cprint) { /* generate a PKCS#3 structure */ size_t len = buffer_size; ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, buffer, &len); if (ret == 0) { fprintf(outfile, "\n%s", buffer); } else { fprintf(stderr, "Error: %s\n", gnutls_strerror(ret)); } } gnutls_dh_params_deinit(dh_params); return 0; }
void GnuTLSServerAnon::generateDH() { gnutls_dh_params_init( &m_dhParams ); gnutls_dh_params_generate2( m_dhParams, m_dhBits ); }