int
manos_tls_regenerate_dhparams (int bits)
{
gnutls_dh_params_t params, oldparams;
int err;
err = gnutls_dh_params_init (¶ms);
if (err != 0) {
return err;
}
err = gnutls_dh_params_generate2 (params, bits);
if (err != 0) {
gnutls_dh_params_deinit (params);
return err;
}
oldparams = dh_params;
dh_params = params;
if (oldparams != NULL) {
gnutls_dh_params_deinit (oldparams);
}
return 0;
}
static int vnc_tls_initialize(void)
{
static int tlsinitialized = 0;
if (tlsinitialized)
return 1;
if (gnutls_global_init () < 0)
return 0;
/* XXX ought to re-generate diffie-hellman params periodically */
if (gnutls_dh_params_init (&dh_params) < 0)
return 0;
if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0)
return 0;
#if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
gnutls_global_set_log_level(10);
gnutls_global_set_log_function(vnc_debug_gnutls_log);
#endif
tlsinitialized = 1;
return 1;
}
bool generate_dh_params(gnutls_dh_params_t *const dh_params)
{
/* int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW); */
int bits = 1248; /* Equivalent, gnutls_sec_param_to_pk_bits is available since 2.12 */
int ret;
assert(dh_params != NULL);
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often. */
ret = gnutls_dh_params_init(dh_params);
if(ret != GNUTLS_E_SUCCESS)
{
trace(LOG_ERR, "failed to initialize Diffie-Hellman parameters");
goto error;
}
ret = gnutls_dh_params_generate2(*dh_params, bits);
if(ret != GNUTLS_E_SUCCESS)
{
trace(LOG_ERR, "failed to generate Diffie-Hellman parameters");
goto free_dh;
}
return true;
free_dh:
gnutls_dh_params_deinit(*dh_params);
error:
return false;
}
static int generate_dh_params(struct rfbssl_ctx *ctx)
{
int ret;
if (GNUTLS_E_SUCCESS == (ret = gnutls_dh_params_init(&ctx->dh_params)))
ret = gnutls_dh_params_generate2(ctx->dh_params, 1024);
return ret;
}
void TLSSocket::init(const std::string& caPath,
const std::string& crlPath,
const std::string& certPath,
const std::string& keyPath) {
gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
gnutls_global_init();
gnutls_certificate_allocate_credentials(&xcred);
if (!caPath.empty()) {
gnutls_certificate_set_x509_trust_file(xcred,
caPath.c_str(),
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_flags (xcred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
}
if (!crlPath.empty()) {
gnutls_certificate_set_x509_crl_file(xcred,
crlPath.c_str(),
GNUTLS_X509_FMT_PEM);
}
gnutls_certificate_set_x509_key_file(xcred,
certPath.c_str(),
keyPath.c_str(),
GNUTLS_X509_FMT_PEM);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, 1024);
gnutls_priority_init(&priority_cache, "NORMAL", NULL);
gnutls_certificate_set_dh_params(xcred, dh_params);
}
static int generate_dh_params (void)
{
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_generate2 (dh_params, DH_BITS);
return 0;
}
void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
int ret = gnutls_global_init ();
if (ret < 0)
throw format ("TLS init error. {1}", gnutls_strerror (ret));
ret = gnutls_certificate_allocate_credentials (&_credentials);
if (ret < 0)
throw format ("TLS allocation error. {1}", gnutls_strerror (ret));
if (_ca != "" &&
(ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CA file. {1}", gnutls_strerror (ret));
if ( _crl != "" &&
(ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CRL file. {1}", gnutls_strerror (ret));
if (_cert != "" &&
_key != "" &&
(ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0)
throw format ("Bad CERT file. {1}", gnutls_strerror (ret));
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
// The automatic verification for the client certificate with
// gnutls_certificate_set_verify_function only works with gnutls
// >=2.9.10. So with older versions we should call the verify function
// manually after the gnutls handshake.
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
static Ecore_Con_Ssl_Error
_ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr,
int ssl_type)
{
int ret;
if (ssl_type & ECORE_CON_USE_SSL2)
return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
switch (ssl_type)
{
case ECORE_CON_USE_SSL3:
case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
case ECORE_CON_USE_TLS:
case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
case ECORE_CON_USE_MIXED:
case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT:
break;
default:
return ECORE_CON_SSL_ERROR_NONE;
}
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert));
if ((!svr->use_cert) && svr->created)
{
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params));
INF("Generating DH params");
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024));
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s));
/* TODO: implement PSK */
// SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s));
gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params);
gnutls_certificate_set_dh_params(svr->cert, svr->dh_params);
//gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params);
INF("DH params successfully generated and applied!");
}
else if (!svr->use_cert)
{
//SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c));
SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c));
}
return ECORE_CON_SSL_ERROR_NONE;
error:
_gnutls_print_errors(ret);
_ecore_con_ssl_server_shutdown_gnutls(svr);
return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
}
/* Server mode: Set DH parameters */
int ufwissl_ssl_context_set_dh_bits(ufwissl_ssl_context * ctx,
unsigned int dh_bits)
{
ctx->dh_bits = dh_bits;
if (gnutls_dh_params_init(&ctx->dh) < 0)
return UFWISSL_ERROR;
if (gnutls_dh_params_generate2(ctx->dh, ctx->dh_bits) < 0)
return UFWISSL_ERROR;
return UFWISSL_OK;
}
void gtlsGlobalServerData::generate_dh_params()
{
int ret = 0;
ret = gnutls_dh_params_init(&dh_params);
// printerror("gnutls_dh_params_init", ret);
if (ret < 0) { initialized_ = false; }
ret = gnutls_dh_params_generate2(dh_params, gtlsGeneric::GNUTLSIF_DH_BITS);
// printerror("gnutls_dh_params_generate2", ret);
if (ret < 0) { initialized_ = false; }
}
static int
generate_dh_params (void)
{
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. These should be discarded and regenerated
* once a day, once a week or once a month. Depending on the
* security requirements.
*/
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_generate2 (dh_params, DH_BITS);
return 0;
}
static int
generate_dh_params (void)
{
int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW);
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often.
*/
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_generate2 (dh_params, bits);
return 0;
}
static int generate_dh_params(void)
{
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters.
*
* Check the ex-serv-export.c example for using static
* parameters.
*/
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, DH_BITS);
return 0;
}
void initialize_tls_global(void)
{
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, CACERT,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, CACRL,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file (x509_cred, SERVERCERT, SERVERKEY,
GNUTLS_X509_FMT_PEM);
gnutls_dh_params_init (&dh_params);
gnutls_dh_params_generate2 (dh_params, DH_BITS);
gnutls_certificate_set_dh_params (x509_cred, dh_params);
}
void TLSServer::init (
const std::string& ca,
const std::string& crl,
const std::string& cert,
const std::string& key)
{
_ca = ca;
_crl = crl;
_cert = cert;
_key = key;
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&_credentials);
if (_ca != "" &&
gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CA file.");
if ( _crl != "" &&
gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CRL file.");
if (_cert != "" &&
_key != "" &&
gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0)
throw std::string ("Missing CERT file.");
#if GNUTLS_VERSION_NUMBER >= 0x020b00
#if GNUTLS_VERSION_NUMBER >= 0x03000d
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
#else
unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#endif
#else
unsigned int bits = DH_BITS;
#endif
gnutls_dh_params_init (&_params);
gnutls_dh_params_generate2 (_params, bits);
if (_ciphers == "")
_ciphers = "NORMAL";
gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL);
gnutls_certificate_set_dh_params (_credentials, _params);
#if GNUTLS_VERSION_NUMBER >= 0x02090a
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif
}
/// Enables TLS on the given server.
static void onion_enable_tls(onion *o){
#ifdef HAVE_PTHREADS
gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
#endif
if (!(o->flags&O_USE_DEV_RANDOM)){
gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
}
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&o->x509_cred);
gnutls_dh_params_init (&o->dh_params);
gnutls_dh_params_generate2 (o->dh_params, 1024);
gnutls_certificate_set_dh_params (o->x509_cred, o->dh_params);
gnutls_priority_init (&o->priority_cache, "NORMAL", NULL);
o->flags|=O_SSL_ENABLED;
}
static rfbBool
InitializeTLS(void)
{
int ret;
if (rfbTLSInitialized) return TRUE;
if ((ret = gnutls_global_init()) < 0 ||
(ret = gnutls_dh_params_init(&rfbDHParams)) < 0 ||
(ret = gnutls_dh_params_generate2(rfbDHParams, DH_BITS)) < 0)
{
rfbClientLog("Failed to initialized GnuTLS: %s.\n", gnutls_strerror(ret));
return FALSE;
}
rfbClientLog("GnuTLS initialized.\n");
rfbTLSInitialized = TRUE;
return TRUE;
}
int server_create(prelude_client_profile_t *cp, const char *addr, unsigned int port,
prelude_bool_t keepalive, const char *pass, gnutls_x509_privkey_t key, gnutls_x509_crt_t cacrt, gnutls_x509_crt_t crt)
{
int sock;
size_t size;
struct pollfd pfd[128];
gnutls_dh_params_t dh_params;
#ifdef GNUTLS_SRP_ENABLED
int ret;
ret = gnutls_srp_allocate_server_credentials(&srpcred);
if ( ret < 0 ) {
fprintf(stderr, "error creating SRP credentials: %s.\n", gnutls_strerror(ret));
return -1;
}
gnutls_srp_set_server_credentials_function(srpcred, srp_callback);
#endif
one_shot_passwd = pass;
gnutls_anon_allocate_server_credentials(&anoncred);
fprintf(stderr, "Generating %d bits Diffie-Hellman key for anonymous authentication...", ANON_DH_BITS);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, ANON_DH_BITS);
gnutls_anon_set_server_dh_params(anoncred, dh_params);
fprintf(stderr, "\n");
size = sizeof(pfd) / sizeof(*pfd);
sock = setup_server(addr, port, pfd, &size);
if ( sock < 0 )
return -1;
wait_connection(cp, sock, pfd, size, keepalive, key, cacrt, crt);
#ifdef GNUTLS_SRP_ENABLED
gnutls_srp_free_server_credentials(srpcred);
#endif
gnutls_anon_free_server_credentials(anoncred);
return 0;
}
static gnutls_dh_params
get_dh_params(void)
{
static gnutls_dh_params dh_params;
static bool initialized = FALSE;
if (!initialized) {
if (gnutls_dh_params_init(&dh_params)) {
g_warning("%s(): gnutls_dh_params_init() failed", G_STRFUNC);
return NULL;
}
if (gnutls_dh_params_generate2(dh_params, TLS_DH_BITS)) {
g_warning("%s(): gnutls_dh_params_generate2() failed", G_STRFUNC);
return NULL;
}
initialized = TRUE;
}
return dh_params;
}
SslContext::SslContext() :
enabled(true),
certFile(this),
keyFile(this),
crlFile(this),
trustFile(this),
error_(),
logger_(0),
numX509Certs_(0),
clientVerifyMode_(GNUTLS_CERT_IGNORE),
caList_(0)
{
TRACE("SslContext()");
gnutls_dh_params_init(&dhParams_);
gnutls_dh_params_generate2(dhParams_, 1024);
gnutls_certificate_allocate_credentials(&certs_);
gnutls_anon_allocate_server_credentials(&anonCreds_);
}
void doit(void)
{
gnutls_dh_params_t dh_params = NULL;
int rc;
rc = global_init();
if (rc)
fail("global_init\n");
if (gnutls_dh_params_init(&dh_params) < 0)
fail("Error in dh parameter initialization\n");
if (gnutls_dh_params_generate2(dh_params, 1024) < 0)
fail("Error in prime generation\n");
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("generated DH params OK\n");
}
GnuTlsInit::GnuTlsInit()
{
int ret;
cxxtools::MutexLock lock(mutex);
if (_initCount++ == 0)
{
log_debug("gnutls_global_init()");
ret = gnutls_global_init();
if (ret != 0)
throw GnuTlsException("gnutls_global_init", ret);
log_debug("gnutls_dh_params_init(dhParams)");
ret = gnutls_dh_params_init(&_dhParams);
if (ret != 0)
throw GnuTlsException("gnutls_dh_params_init", ret);
log_debug("gnutls_dh_params_generate2(dh_params, 1024)");
ret = gnutls_dh_params_generate2(_dhParams, 1024);
if (ret != 0)
throw GnuTlsException("gnutls_dh_params_generate2", ret);
}
}
void SSLi_init()
{
unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
gnutls_priority_init(&cipherCache, ciphers, NULL);
initializeCertificate();
gnutls_dh_params_init(&dhParameters);
Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount);
int error = gnutls_dh_params_generate2(dhParameters, bitCount);
if(!error) {
Log_info("Successfully generated Diffie-Hellman parameters");
} else {
Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error));
}
gnutls_certificate_set_dh_params(certificate, dhParameters);
Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
}
void Plugin::_loadDHParams()
{
QByteArray data;
QFile file(this->dhParamsFile);
int bits;
gnutls_datum_t datum;
int error;
if (!file.open(QIODevice::ReadWrite))
throw Properties("error", "Unable to open the Diffie-Hellman parameters file").add("file", this->dhParamsFile);
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, this->secParam);
ASSERT_INIT(gnutls_dh_params_init(&this->dhParams), "dh_params");
// The Diffie-Hellman parameters expired
if (QFileInfo(file).lastModified() < this->dhParamsExpiration)
file.resize(0);
// Import the DH parameters from the PEM file
if (file.size() > 0)
{
data = file.readAll();
datum.data = (unsigned char *)data.data();
datum.size = data.size();
if (gnutls_dh_params_import_pkcs3(this->dhParams, &datum, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
file.resize(0);
}
// Generates the DH parameters and store them in a PEM file
if (file.size() == 0)
{
LOG_INFO("Generating new Diffie-Hellman parameters. This might take some time.", Properties("secParam", gnutls_sec_param_get_name(this->secParam)).add("bits", bits).toMap(), "Plugin", "_generateDHParams");
data.resize(bits);
datum.data = (unsigned char *)data.data();
datum.size = bits;
ASSERT(gnutls_dh_params_generate2(this->dhParams, bits));
size_t size = datum.size;
ASSERT(gnutls_dh_params_export_pkcs3(this->dhParams, GNUTLS_X509_FMT_PEM, datum.data, &size));
file.write(data.data(), size);
}
}
static bool
Load_DH_params(void)
{
#ifdef HAVE_LIBSSL
FILE *fp;
bool ret = true;
if (!Conf_SSLOptions.DHFile) {
Log(LOG_NOTICE, "Configuration option \"DHFile\" not set!");
return false;
}
fp = fopen(Conf_SSLOptions.DHFile, "r");
if (!fp) {
Log(LOG_ERR, "%s: %s", Conf_SSLOptions.DHFile, strerror(errno));
return false;
}
dh_params = PEM_read_DHparams(fp, NULL, NULL, NULL);
if (!dh_params) {
Log(LOG_ERR, "%s: Failed to read SSL DH parameters!",
Conf_SSLOptions.DHFile);
ret = false;
}
fclose(fp);
return ret;
#endif
#ifdef HAVE_LIBGNUTLS
bool need_dhgenerate = true;
int err;
gnutls_dh_params_t tmp_dh_params;
err = gnutls_dh_params_init(&tmp_dh_params);
if (err < 0) {
Log(LOG_ERR, "Failed to initialize SSL DH parameters: %s",
gnutls_strerror(err));
return false;
}
if (Conf_SSLOptions.DHFile) {
gnutls_datum_t dhparms;
size_t size;
dhparms.data = (unsigned char *) openreadclose(Conf_SSLOptions.DHFile, &size);
if (dhparms.data) {
dhparms.size = size;
err = gnutls_dh_params_import_pkcs3(tmp_dh_params, &dhparms, GNUTLS_X509_FMT_PEM);
if (err == 0)
need_dhgenerate = false;
else
Log(LOG_ERR,
"Failed to initialize SSL DH parameters: %s",
gnutls_strerror(err));
memset(dhparms.data, 0, size);
free(dhparms.data);
}
}
if (need_dhgenerate) {
Log(LOG_WARNING,
"DHFile not set, generating %u bit DH parameters. This may take a while ...",
DH_BITS);
err = gnutls_dh_params_generate2(tmp_dh_params, DH_BITS);
if (err < 0) {
Log(LOG_ERR, "Failed to generate SSL DH parameters: %s",
gnutls_strerror(err));
return false;
}
}
dh_params = tmp_dh_params;
return true;
#endif
}
/*
* initialize a new TLS context
*/
static int
tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
{
tlsg_ctx *ctx = lo->ldo_tls_ctx;
int rc;
if ( lo->ldo_tls_ciphersuite &&
tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list %s.\n",
lo->ldo_tls_ciphersuite, 0, 0 );
return -1;
}
if (lo->ldo_tls_cacertdir != NULL) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: cacertdir not implemented for gnutls\n",
NULL, NULL, NULL );
}
if (lo->ldo_tls_cacertfile != NULL) {
rc = gnutls_certificate_set_x509_trust_file(
ctx->cred,
lt->lt_cacertfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
}
if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
gnutls_x509_privkey_t key;
gnutls_datum_t buf;
gnutls_x509_crt_t certs[VERIFY_DEPTH];
unsigned int max = VERIFY_DEPTH;
rc = gnutls_x509_privkey_init( &key );
if ( rc ) return -1;
/* OpenSSL builds the cert chain for us, but GnuTLS
* expects it to be present in the certfile. If it's
* not, we have to build it ourselves. So we have to
* do some special checks here...
*/
rc = tlsg_getfile( lt->lt_keyfile, &buf );
if ( rc ) return -1;
rc = gnutls_x509_privkey_import( key, &buf,
GNUTLS_X509_FMT_PEM );
LDAP_FREE( buf.data );
if ( rc < 0 ) return rc;
rc = tlsg_getfile( lt->lt_certfile, &buf );
if ( rc ) return -1;
rc = gnutls_x509_crt_list_import( certs, &max, &buf,
GNUTLS_X509_FMT_PEM, 0 );
LDAP_FREE( buf.data );
if ( rc < 0 ) return rc;
/* If there's only one cert and it's not self-signed,
* then we have to build the cert chain.
*/
if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
gnutls_x509_crt_t *cas;
unsigned int i, j, ncas;
gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
for ( i = 1; i<VERIFY_DEPTH; i++ ) {
for ( j = 0; j<ncas; j++ ) {
if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
certs[i] = cas[j];
max++;
/* If this CA is self-signed, we're done */
if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
j = ncas;
break;
}
}
/* only continue if we found a CA and it was not self-signed */
if ( j == ncas )
break;
}
}
rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
if ( rc ) return -1;
} else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n",
NULL, NULL, NULL );
return -1;
}
if ( lo->ldo_tls_dhfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: ignoring dhfile\n",
NULL, NULL, NULL );
}
if ( lo->ldo_tls_crlfile ) {
rc = gnutls_certificate_set_x509_crl_file(
ctx->cred,
lt->lt_crlfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
rc = 0;
}
/* FIXME: ITS#5992 - this should go be configurable,
* and V1 CA certs should be phased out ASAP.
*/
gnutls_certificate_set_verify_flags( ctx->cred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
if ( is_server ) {
gnutls_dh_params_init(&ctx->dh_params);
gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
}
return 0;
}
/* If how is zero then the included parameters are used.
*/
int
generate_prime (int bits, int how)
{
unsigned int i;
int ret;
gnutls_dh_params dh_params;
gnutls_datum p, g;
gnutls_dh_params_init (&dh_params);
fprintf (stderr, "Generating DH parameters...");
if (how != 0)
{
ret = gnutls_dh_params_generate2 (dh_params, bits);
if (ret < 0)
{
fprintf (stderr, "Error generating parameters: %s\n",
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_dh_params_export_raw (dh_params, &p, &g, NULL);
if (ret < 0)
{
fprintf (stderr, "Error exporting parameters: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
#ifdef ENABLE_SRP
if (bits <= 1024)
{
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
}
else if (bits <= 1536)
{
p = gnutls_srp_1536_group_prime;
g = gnutls_srp_1536_group_generator;
}
else
{
p = gnutls_srp_2048_group_prime;
g = gnutls_srp_2048_group_generator;
}
ret = gnutls_dh_params_import_raw (dh_params, &p, &g);
if (ret < 0)
{
fprintf (stderr, "Error exporting parameters: %s\n",
gnutls_strerror (ret));
exit (1);
}
#else
fprintf (stderr, "Parameters unavailable as SRP disabled.\n");
#endif
}
if (cparams)
{
fprintf (outfile, "/* generator */\n");
fprintf (outfile, "\nconst uint8 g[%d] = { ", g.size);
for (i = 0; i < g.size; i++)
{
if (i % 7 == 0)
fprintf (outfile, "\n\t");
fprintf (outfile, "0x%.2x", g.data[i]);
if (i != g.size - 1)
fprintf (outfile, ", ");
}
fprintf (outfile, "\n};\n\n");
}
else
{
fprintf (outfile, "\nGenerator: ");
for (i = 0; i < g.size; i++)
{
if (i != 0 && i % 12 == 0)
fprintf (outfile, "\n\t");
else if (i != 0 && i != g.size)
fprintf (outfile, ":");
fprintf (outfile, "%.2x", g.data[i]);
}
fprintf (outfile, "\n\n");
}
/* print prime */
if (cparams)
{
fprintf (outfile, "/* prime - %d bits */\n", p.size * 8);
fprintf (outfile, "\nconst uint8 prime[%d] = { ", p.size);
for (i = 0; i < p.size; i++)
{
if (i % 7 == 0)
fprintf (outfile, "\n\t");
fprintf (outfile, "0x%.2x", p.data[i]);
if (i != p.size - 1)
fprintf (outfile, ", ");
}
fprintf (outfile, "\n};\n");
}
else
{
fprintf (outfile, "Prime: ");
for (i = 0; i < p.size; i++)
{
if (i != 0 && i % 12 == 0)
fprintf (outfile, "\n\t");
else if (i != 0 && i != p.size)
fprintf (outfile, ":");
fprintf (outfile, "%.2x", p.data[i]);
}
fprintf (outfile, "\n\n");
}
if (!cparams)
{ /* generate a PKCS#3 structure */
int ret;
size_t len = buffer_size;
ret = gnutls_dh_params_export_pkcs3 (dh_params, GNUTLS_X509_FMT_PEM,
buffer, &len);
if (ret == 0)
{
fprintf (outfile, "\n%s", buffer);
}
else
{
fprintf (stderr, "Error: %s\n", gnutls_strerror (ret));
}
}
return 0;
}
int
init_remote_listener(int port, gboolean encrypted)
{
int ssock;
struct sockaddr_in saddr;
int optval;
if (port <= 0) {
/* dont start it */
return 0;
}
if (encrypted) {
#ifndef HAVE_GNUTLS_GNUTLS_H
crm_warn("TLS support is not available");
return 0;
#else
crm_notice("Starting a tls listener on port %d.", port);
gnutls_global_init();
/* gnutls_global_set_log_level (10); */
gnutls_global_set_log_function(debug_log);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_generate2(dh_params, DH_BITS);
gnutls_anon_allocate_server_credentials(&anon_cred_s);
gnutls_anon_set_server_dh_params(anon_cred_s, dh_params);
#endif
} else {
crm_warn("Starting a plain_text listener on port %d.", port);
}
#ifndef HAVE_PAM
crm_warn("PAM is _not_ enabled!");
#endif
/* create server socket */
ssock = socket(AF_INET, SOCK_STREAM, 0);
if (ssock == -1) {
crm_perror(LOG_ERR, "Can not create server socket." ERROR_SUFFIX);
return -1;
}
/* reuse address */
optval = 1;
setsockopt(ssock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
/* bind server socket */
memset(&saddr, '\0', sizeof(saddr));
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons(port);
if (bind(ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) {
crm_perror(LOG_ERR, "Can not bind server socket." ERROR_SUFFIX);
return -2;
}
if (listen(ssock, 10) == -1) {
crm_perror(LOG_ERR, "Can not start listen." ERROR_SUFFIX);
return -3;
}
G_main_add_fd(G_PRIORITY_HIGH, ssock, FALSE,
cib_remote_listen, NULL, default_ipc_connection_destroy);
return ssock;
}
/* If how is zero then the included parameters are used.
*/
int generate_prime(FILE * outfile, int how, common_info_st * info)
{
int ret;
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
int bits = get_bits(GNUTLS_PK_DH, info->bits, info->sec_param, 1);
unsigned int q_bits = 0;
gnutls_dh_params_init(&dh_params);
if (how != 0) {
fprintf(stderr, "Generating DH parameters (%d bits)...\n",
bits);
fprintf(stderr, "(might take long time)\n");
} else
fprintf(stderr, "Retrieving DH parameters...\n");
if (how != 0) {
ret = gnutls_dh_params_generate2(dh_params, bits);
if (ret < 0) {
fprintf(stderr,
"Error generating parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_dh_params_export_raw(dh_params, &p, &g,
&q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else {
#ifdef ENABLE_SRP
if (bits <= 1024) {
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
bits = 1024;
} else if (bits <= 1536) {
p = gnutls_srp_1536_group_prime;
g = gnutls_srp_1536_group_generator;
bits = 1536;
} else if (bits <= 2048) {
p = gnutls_srp_2048_group_prime;
g = gnutls_srp_2048_group_generator;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_srp_3072_group_prime;
g = gnutls_srp_3072_group_generator;
bits = 3072;
} else {
p = gnutls_srp_4096_group_prime;
g = gnutls_srp_4096_group_generator;
bits = 4096;
}
ret = gnutls_dh_params_import_raw(dh_params, &p, &g);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#else
fprintf(stderr,
"Parameters unavailable as SRP is disabled.\n");
exit(1);
#endif
}
print_dh_info(outfile, &p, &g, q_bits, info->cprint);
if (!info->cprint) { /* generate a PKCS#3 structure */
size_t len = buffer_size;
ret =
gnutls_dh_params_export_pkcs3(dh_params,
GNUTLS_X509_FMT_PEM,
buffer, &len);
if (ret == 0) {
fprintf(outfile, "\n%s", buffer);
} else {
fprintf(stderr, "Error: %s\n",
gnutls_strerror(ret));
}
}
gnutls_dh_params_deinit(dh_params);
return 0;
}
void GnuTLSServerAnon::generateDH()
{
gnutls_dh_params_init( &m_dhParams );
gnutls_dh_params_generate2( m_dhParams, m_dhBits );
}
