/* Converts a data string to an LDAP rfc2253 hex string * something like '#01020304' */ static int data2hex(const void *data, size_t data_size, gnutls_datum_t *out) { gnutls_datum_t tmp, td; int ret; size_t size; td.size = hex_str_size(data_size) + 1; /* +1 for '#' */ td.data = gnutls_malloc(td.size); if (td.data == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); tmp.data = (void*)data; tmp.size = data_size; td.data[0] = '#'; size = td.size-1; /* don't include '#' */ ret = gnutls_hex_encode(&tmp, (char*)&td.data[1], &size); if (ret < 0) { gnutls_assert(); gnutls_free(td.data); return GNUTLS_E_SHORT_MEMORY_BUFFER; } td.size--; /* don't include null */ out->data = td.data; out->size = td.size; return 0; }
void seclog_hex(const struct sec_mod_st* sec, int priority, const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64) { char buf[512]; int ret; size_t buf_size; gnutls_datum_t data = {bin, bin_size}; if (priority == LOG_DEBUG && sec->perm_config->debug == 0) return; if (b64) { oc_base64_encode((char*)bin, bin_size, (char*)buf, sizeof(buf)); } else { buf_size = sizeof(buf); ret = gnutls_hex_encode(&data, buf, &buf_size); if (ret < 0) return; } seclog(sec, priority, "%s %s", prefix, buf); return; }
static void client(int fd, int profile) { gnutls_session_t session; int ret; gnutls_anon_client_credentials_t anoncred; uint8_t km[MAX_KEY_MATERIAL]; char buf[2 * MAX_KEY_MATERIAL]; gnutls_datum_t cli_key, cli_salt, server_key, server_salt; /* Need to enable anonymous KX specifically. */ global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_client_credentials(&anoncred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM); gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND); gnutls_dtls_set_mtu(session, 1500); /* Use default priorities */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); if (profile) ret = gnutls_srtp_set_profile_direct(session, "SRTP_AES128_CM_HMAC_SHA1_80", NULL); else ret = gnutls_srtp_set_profile_direct(session, "SRTP_NULL_HMAC_SHA1_80", NULL); if (ret < 0) { gnutls_perror(ret); exit(1); } /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: DTLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); ret = gnutls_srtp_get_keys(session, km, sizeof(km), &cli_key, &cli_salt, &server_key, &server_salt); if (ret < 0) { gnutls_perror(ret); exit(1); } if (debug) { size_t size = sizeof(buf); gnutls_hex_encode(&cli_key, buf, &size); success("Client key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&cli_salt, buf, &size); success("Client salt: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_key, buf, &size); success("Server key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_salt, buf, &size); success("Server salt: %s\n", buf); } gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_client_credentials(anoncred); gnutls_global_deinit(); }
static void server(int fd, int profile) { int ret; gnutls_session_t session; gnutls_anon_server_credentials_t anoncred; uint8_t km[MAX_KEY_MATERIAL]; char buf[2 * MAX_KEY_MATERIAL]; gnutls_datum_t cli_key, cli_salt, server_key, server_salt; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_server_credentials(&anoncred); gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND); gnutls_dtls_set_mtu(session, 1500); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); if (profile) ret = gnutls_srtp_set_profile_direct(session, "SRTP_AES128_CM_HMAC_SHA1_80", NULL); else ret = gnutls_srtp_set_profile_direct(session, "SRTP_NULL_HMAC_SHA1_80", NULL); if (ret < 0) { gnutls_perror(ret); exit(1); } gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); ret = gnutls_srtp_get_keys(session, km, sizeof(km), &cli_key, &cli_salt, &server_key, &server_salt); if (ret < 0) { gnutls_perror(ret); exit(1); } if (debug) { size_t size = sizeof(buf); gnutls_hex_encode(&cli_key, buf, &size); success("Client key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&cli_salt, buf, &size); success("Client salt: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_key, buf, &size); success("Server key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_salt, buf, &size); success("Server salt: %s\n", buf); } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_server_credentials(anoncred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
int main (int argc, char **argv) { gaainfo info; int ret; struct passwd *pwd; unsigned char key[MAX_KEY_SIZE]; char hex_key[MAX_KEY_SIZE * 2 + 1]; gnutls_datum_t dkey; size_t hex_key_size = sizeof (hex_key); if ((ret = gnutls_global_init ()) < 0) { fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret)); exit (1); } umask (066); if (gaa (argc, argv, &info) != -1) { fprintf (stderr, "Error in the arguments.\n"); return -1; } if (info.passwd == NULL) info.passwd = KPASSWD; if (info.username == NULL) { #ifndef _WIN32 pwd = getpwuid (getuid ()); if (pwd == NULL) { fprintf (stderr, "No such user\n"); return -1; } info.username = pwd->pw_name; #else fprintf (stderr, "Please specify a user\n"); return -1; #endif } if (info.key_size > MAX_KEY_SIZE) { fprintf (stderr, "Key size is too long\n"); exit (1); } if (info.netconf_hint) { char *passwd; if (info.key_size != 0 && info.key_size != 20) { fprintf (stderr, "For netconf, key size must always be 20.\n"); exit (1); } passwd = getpass ("Enter password: "******"Please specify a password\n"); exit (1); } ret = gnutls_psk_netconf_derive_key (passwd, info.username, info.netconf_hint, &dkey); } else { if (info.key_size < 1) info.key_size = 16; printf ("Generating a random key for user '%s'\n", info.username); ret = _gnutls_rnd (GNUTLS_RND_RANDOM, (char *) key, info.key_size); if (ret < 0) { fprintf (stderr, "Not enough randomness\n"); exit (1); } dkey.data = key; dkey.size = info.key_size; } ret = gnutls_hex_encode (&dkey, hex_key, &hex_key_size); if (info.netconf_hint) gnutls_free (dkey.data); if (ret < 0) { fprintf (stderr, "HEX encoding error\n"); exit (1); } ret = write_key (info.username, hex_key, hex_key_size, info.passwd); if (ret == 0) printf ("Key stored to %s\n", info.passwd); return ret; }
int main (int argc, char **argv) { gaainfo info; int ret; #ifndef _WIN32 struct passwd *pwd; #endif unsigned char key[MAX_KEY_SIZE]; char hex_key[MAX_KEY_SIZE * 2 + 1]; gnutls_datum_t dkey; size_t hex_key_size = sizeof (hex_key); set_program_name (argv[0]); if ((ret = gnutls_global_init ()) < 0) { fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret)); exit (1); } umask (066); if (gaa (argc, argv, &info) != -1) { fprintf (stderr, "Error in the arguments.\n"); return -1; } if (info.passwd == NULL) info.passwd = (char *) KPASSWD; if (info.username == NULL) { #ifndef _WIN32 pwd = getpwuid (getuid ()); if (pwd == NULL) { fprintf (stderr, "No such user\n"); return -1; } info.username = pwd->pw_name; #else fprintf (stderr, "Please specify a user\n"); return -1; #endif } if (info.key_size > MAX_KEY_SIZE) { fprintf (stderr, "Key size is too long\n"); exit (1); } if (info.key_size < 1) info.key_size = 16; printf ("Generating a random key for user '%s'\n", info.username); ret = gnutls_rnd (GNUTLS_RND_RANDOM, (char *) key, info.key_size); if (ret < 0) { fprintf (stderr, "Not enough randomness\n"); exit (1); } dkey.data = key; dkey.size = info.key_size; ret = gnutls_hex_encode (&dkey, hex_key, &hex_key_size); if (ret < 0) { fprintf (stderr, "HEX encoding error\n"); exit (1); } ret = write_key (info.username, hex_key, hex_key_size, info.passwd); if (ret == 0) printf ("Key stored to %s\n", info.passwd); return ret; }
static int psk_callback (gnutls_session_t session, char **username, gnutls_datum_t * key) { const char *hint = gnutls_psk_client_get_hint (session); char *passwd; int ret; printf ("- PSK client callback. "); if (hint) printf ("PSK hint '%s'\n", hint); else printf ("No PSK hint\n"); if (info.psk_username) *username = gnutls_strdup (info.psk_username); else { char *tmp = NULL; size_t n; ssize_t len; printf ("Enter PSK identity: "); fflush (stdout); len = getline (&tmp, &n, stdin); if (tmp == NULL) { fprintf (stderr, "No username given, aborting...\n"); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } if (tmp[strlen (tmp) - 1] == '\n') tmp[strlen (tmp) - 1] = '\0'; if (tmp[strlen (tmp) - 1] == '\r') tmp[strlen (tmp) - 1] = '\0'; *username = gnutls_strdup (tmp); free (tmp); } if (!*username) return GNUTLS_E_MEMORY_ERROR; passwd = getpass ("Enter password: "******"No password given, aborting...\n"); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } ret = gnutls_psk_netconf_derive_key (passwd, *username, hint ? hint : "", key); if (ret < 0) { fprintf (stderr, "Error deriving password: %s\n", gnutls_strerror (ret)); gnutls_free (*username); return ret; } if (info.debug) { char hexkey[41]; size_t res_size = sizeof (hexkey); gnutls_hex_encode (key, hexkey, &res_size); fprintf (stderr, "PSK username: %s\n", *username); fprintf (stderr, "PSK hint: %s\n", hint); fprintf (stderr, "PSK key: %s\n", hexkey); } return 0; }
static void dane_info(const char *host, const char *proto, unsigned int port, unsigned int ca, unsigned int domain, common_info_st * cinfo) { gnutls_pubkey_t pubkey; gnutls_x509_crt_t crt; unsigned char digest[64]; gnutls_datum_t t; int ret; unsigned int usage, selector, type; size_t size; if (proto == NULL) proto = "tcp"; if (port == 0) port = 443; crt = load_cert(0, cinfo); if (crt != NULL && HAVE_OPT(X509)) { selector = 0; /* X.509 */ size = lbuffer_size; ret = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, lbuffer, &size); if (ret < 0) { fprintf(stderr, "export error: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_deinit(crt); } else { /* use public key only */ selector = 1; ret = gnutls_pubkey_init(&pubkey); if (ret < 0) { fprintf(stderr, "pubkey_init: %s\n", gnutls_strerror(ret)); exit(1); } if (crt != NULL) { ret = gnutls_pubkey_import_x509(pubkey, crt, 0); if (ret < 0) { fprintf(stderr, "pubkey_import_x509: %s\n", gnutls_strerror(ret)); exit(1); } size = lbuffer_size; ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, lbuffer, &size); if (ret < 0) { fprintf(stderr, "pubkey_export: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_deinit(crt); } else { pubkey = load_pubkey(1, cinfo); size = lbuffer_size; ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, lbuffer, &size); if (ret < 0) { fprintf(stderr, "export error: %s\n", gnutls_strerror(ret)); exit(1); } } gnutls_pubkey_deinit(pubkey); } if (default_dig != GNUTLS_DIG_SHA256 && default_dig != GNUTLS_DIG_SHA512) { if (default_dig != GNUTLS_DIG_UNKNOWN) fprintf(stderr, "Unsupported digest. Assuming SHA256.\n"); default_dig = GNUTLS_DIG_SHA256; } ret = gnutls_hash_fast(default_dig, lbuffer, size, digest); if (ret < 0) { fprintf(stderr, "hash error: %s\n", gnutls_strerror(ret)); exit(1); } if (default_dig == GNUTLS_DIG_SHA256) type = 1; else type = 2; /* DANE certificate classification crap */ if (domain == 0) { if (ca) usage = 0; else usage = 1; } else { if (ca) usage = 2; else usage = 3; } t.data = digest; t.size = gnutls_hash_get_len(default_dig); size = lbuffer_size; ret = gnutls_hex_encode(&t, (void *) lbuffer, &size); if (ret < 0) { fprintf(stderr, "hex encode error: %s\n", gnutls_strerror(ret)); exit(1); } fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n", port, proto, host, usage, selector, type, lbuffer); }
static void dane_check(const char *host, const char *proto, unsigned int port, common_info_st * cinfo) { #ifdef HAVE_DANE dane_state_t s; dane_query_t q; int ret, retcode = 1; unsigned entries; unsigned int flags = DANE_F_IGNORE_LOCAL_RESOLVER, i; unsigned int usage, type, match; gnutls_datum_t data, file; size_t size; unsigned del = 0; unsigned vflags = DANE_VFLAG_FAIL_IF_NOT_CHECKED; const char *cstr; char *str; gnutls_x509_crt_t *clist = NULL; unsigned int clist_size = 0; gnutls_datum_t certs[MAX_CLIST_SIZE]; if (ENABLED_OPT(LOCAL_DNS)) flags = 0; if (HAVE_OPT(INSECURE)) flags |= DANE_F_INSECURE; if (HAVE_OPT(CHECK_EE)) vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE; if (HAVE_OPT(CHECK_CA)) vflags |= DANE_VFLAG_ONLY_CHECK_CA_USAGE; if (!cinfo->cert) { const char *app_proto = NULL; if (HAVE_OPT(APP_PROTO)) app_proto = OPT_ARG(APP_PROTO); cinfo->cert = obtain_cert(host, proto, port, app_proto, HAVE_OPT(QUIET)); del = 1; } if (!HAVE_OPT(QUIET)) fprintf(stderr, "Querying DNS for %s (%s:%d)...\n", host, proto, port); ret = dane_state_init(&s, flags); if (ret < 0) { fprintf(stderr, "dane_state_init: %s\n", dane_strerror(ret)); retcode = 1; goto error; } if (HAVE_OPT(DLV)) { ret = dane_state_set_dlv_file(s, OPT_ARG(DLV)); if (ret < 0) { fprintf(stderr, "dane_state_set_dlv_file: %s\n", dane_strerror(ret)); retcode = 1; goto error; } } ret = dane_query_tlsa(s, &q, host, proto, port); if (ret < 0) { fprintf(stderr, "dane_query_tlsa: %s\n", dane_strerror(ret)); retcode = 1; goto error; } if (ENABLED_OPT(PRINT_RAW)) { gnutls_datum_t t; char **dane_data; int *dane_data_len; int secure; int bogus; ret = dane_query_to_raw_tlsa(q, &entries, &dane_data, &dane_data_len, &secure, &bogus); if (ret < 0) { fprintf(stderr, "dane_query_to_raw_tlsa: %s\n", dane_strerror(ret)); retcode = 1; goto error; } for (i=0;i<entries;i++) { size_t str_size; t.data = (void*)dane_data[i]; t.size = dane_data_len[i]; str_size = t.size * 2 + 1; str = gnutls_malloc(str_size); ret = gnutls_hex_encode(&t, str, &str_size); if (ret < 0) { fprintf(stderr, "gnutls_hex_encode: %s\n", dane_strerror(ret)); retcode = 1; goto error; } fprintf(outfile, "[%u]: %s\n", i, str); gnutls_free(str); } fprintf(outfile, "\n"); } if (cinfo->cert) { ret = gnutls_load_file(cinfo->cert, &file); if (ret < 0) { fprintf(stderr, "gnutls_load_file: %s\n", gnutls_strerror(ret)); retcode = 1; goto error; } ret = gnutls_x509_crt_list_import2(&clist, &clist_size, &file, cinfo-> incert_format, 0); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret)); retcode = 1; goto error; } if (clist_size > 0) { for (i = 0; i < MIN(MAX_CLIST_SIZE,clist_size); i++) { ret = gnutls_x509_crt_export2(clist [i], GNUTLS_X509_FMT_DER, &certs [i]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_export2: %s\n", gnutls_strerror (ret)); retcode = 1; goto error; } } } } entries = dane_query_entries(q); for (i = 0; i < entries; i++) { ret = dane_query_data(q, i, &usage, &type, &match, &data); if (ret < 0) { fprintf(stderr, "dane_query_data: %s\n", dane_strerror(ret)); retcode = 1; goto error; } size = lbuffer_size; ret = gnutls_hex_encode(&data, (void *) lbuffer, &size); if (ret < 0) { fprintf(stderr, "gnutls_hex_encode: %s\n", dane_strerror(ret)); retcode = 1; goto error; } if (entries > 1 && !HAVE_OPT(QUIET)) fprintf(outfile, "\n==== Entry %d ====\n", i + 1); fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n", port, proto, host, usage, type, match, lbuffer); if (!HAVE_OPT(QUIET)) { cstr = dane_cert_usage_name(usage); if (cstr == NULL) cstr= "Unknown"; fprintf(outfile, "Certificate usage: %s (%.2x)\n", cstr, usage); cstr = dane_cert_type_name(type); if (cstr == NULL) cstr= "Unknown"; fprintf(outfile, "Certificate type: %s (%.2x)\n", cstr, type); cstr = dane_match_type_name(match); if (cstr == NULL) cstr= "Unknown"; fprintf(outfile, "Contents: %s (%.2x)\n", cstr, match); fprintf(outfile, "Data: %s\n", lbuffer); } /* Verify the DANE data */ if (cinfo->cert) { unsigned int status; gnutls_datum_t out; ret = dane_verify_crt(s, certs, clist_size, GNUTLS_CRT_X509, host, proto, port, 0, vflags, &status); if (ret < 0) { fprintf(stderr, "dane_verify_crt: %s\n", dane_strerror(ret)); retcode = 1; goto error; } ret = dane_verification_status_print(status, &out, 0); if (ret < 0) { fprintf(stderr, "dane_verification_status_print: %s\n", dane_strerror(ret)); retcode = 1; goto error; } if (!HAVE_OPT(QUIET)) fprintf(outfile, "\nVerification: %s\n", out.data); gnutls_free(out.data); /* if there is at least one correct accept */ if (status == 0) retcode = 0; } else { fprintf(stderr, "\nCertificate could not be obtained. You can explicitly load the certificate using --load-certificate.\n"); } } if (clist_size > 0) { for (i = 0; i < clist_size; i++) { gnutls_free(certs[i].data); gnutls_x509_crt_deinit(clist[i]); } gnutls_free(clist); } dane_query_deinit(q); dane_state_deinit(s); error: if (del != 0 && cinfo->cert) { remove(cinfo->cert); } exit(retcode); #else fprintf(stderr, "This functionality is disabled (GnuTLS was not compiled with support for DANE).\n"); return; #endif }
EAPI void eet_identity_print(Eet_Key *key, FILE *out) { #ifdef HAVE_SIGNATURE # ifdef HAVE_GNUTLS const char *names[6] = { "Modulus", "Public exponent", "Private exponent", "First prime", "Second prime", "Coefficient" }; int err = 0; gnutls_datum_t data = { NULL, 0 }; gnutls_datum_t rsa_raw[6]; size_t size = 128; char *res = NULL; char buf[33]; unsigned int i, j; if (!key) return; if (!emile_cipher_init()) return ; if (key->private_key) { if (gnutls_x509_privkey_export_rsa_raw(key->private_key, rsa_raw + 0, /* Modulus */ rsa_raw + 1, /* Public exponent */ rsa_raw + 2, /* Private exponent */ rsa_raw + 3, /* First prime */ rsa_raw + 4, /* Second prime */ rsa_raw + 5)) /* Coefficient */ goto on_error; if (!(res = malloc(size))) goto on_error; fprintf(out, "Private Key:\n"); buf[32] = '\0'; for (i = 0; i < 6; i++) { while ((err = gnutls_hex_encode(rsa_raw + i, res, &size)) == GNUTLS_E_SHORT_MEMORY_BUFFER) { char *temp; size += 128; if (!(temp = realloc(res, size))) goto on_error; res = temp; } if (err) goto on_error; fprintf(out, "\t%s:\n", names[i]); for (j = 0; strlen(res) > j; j += 32) { snprintf(buf, 32, "%s", res + j); fprintf(out, "\t\t%s\n", buf); } } free(res); res = NULL; } if (key->certificate) { fprintf(out, "Public certificate:\n"); if (gnutls_x509_crt_print(key->certificate, GNUTLS_X509_CRT_FULL, &data)) goto on_error; fprintf(out, "%s\n", data.data); gnutls_free(data.data); data.data = NULL; } on_error: if (res) free(res); if (data.data) gnutls_free(data.data); return; # else /* ifdef HAVE_GNUTLS */ RSA *rsa; DSA *dsa; DH *dh; if (!key) return; if (!emile_cipher_init()) return ; rsa = EVP_PKEY_get1_RSA(key->private_key); if (rsa) { fprintf(out, "Private key (RSA):\n"); RSA_print_fp(out, rsa, 0); } dsa = EVP_PKEY_get1_DSA(key->private_key); if (dsa) { fprintf(out, "Private key (DSA):\n"); DSA_print_fp(out, dsa, 0); } dh = EVP_PKEY_get1_DH(key->private_key); if (dh) { fprintf(out, "Private key (DH):\n"); DHparams_print_fp(out, dh); } fprintf(out, "Public certificate:\n"); X509_print_fp(out, key->certificate); # endif /* ifdef HAVE_GNUTLS */ #else /* ifdef HAVE_SIGNATURE */ key = NULL; out = NULL; ERR("You need to compile signature support in EET."); #endif /* ifdef HAVE_SIGNATURE */ }
/** * infd_acl_account_info_to_xml: * @info: A #InfdAclAccountInfo. * @xml: XML node to write the account information to. * * Serializes a #InfdAclAccountInfo object into an XML node. The account * information can be deserialized again with * infd_acl_account_info_from_xml(). */ void infd_acl_account_info_to_xml(const InfdAclAccountInfo* info, xmlNodePtr xml) { guint i; gnutls_datum_t datum; size_t out_size; gchar* out; int res; g_return_if_fail(info != NULL); g_return_if_fail(xml != NULL); inf_acl_account_to_xml(&info->account, xml); for(i = 0; i < info->n_certificates; ++i) { xmlNewChild( xml, NULL, (const xmlChar*)"certificate", (const xmlChar*)info->certificates[i] ); } if(info->password_salt != NULL) { datum.data = info->password_salt; datum.size = 32; res = gnutls_hex_encode(&datum, NULL, &out_size); g_assert(res == GNUTLS_E_SHORT_MEMORY_BUFFER); out = g_malloc(out_size + 1); res = gnutls_hex_encode(&datum, out, &out_size); g_assert(res == GNUTLS_E_SUCCESS); out[out_size] = '\0'; inf_xml_util_set_attribute(xml, "password-salt", out); g_free(out); } if(info->password_hash != NULL) { datum.data = info->password_hash; datum.size = gnutls_hash_get_len(GNUTLS_DIG_SHA256); res = gnutls_hex_encode(&datum, NULL, &out_size); g_assert(res == GNUTLS_E_SHORT_MEMORY_BUFFER); out = g_malloc(out_size + 1); res = gnutls_hex_encode(&datum, out, &out_size); g_assert(res == GNUTLS_E_SUCCESS); out[out_size] = '\0'; inf_xml_util_set_attribute(xml, "password-hash", out); g_free(out); } if(info->first_seen != 0) { inf_xml_util_set_attribute_double( xml, "first-seen", info->first_seen / 1e6 ); } if(info->last_seen != 0) { inf_xml_util_set_attribute_double( xml, "last-seen", info->last_seen / 1e6 ); } }
static int psk_callback (gnutls_session_t session, char **username, gnutls_datum_t * key) { const char *hint = gnutls_psk_client_get_hint (session); unsigned char *rawkey; char *passwd; int ret; size_t res_size; gnutls_datum_t tmp; printf ("- PSK client callback. "); if (hint) printf ("PSK hint '%s'\n", hint); else printf ("No PSK hint\n"); if (info.psk_username) *username = gnutls_strdup (info.psk_username); else { char *tmp = NULL; size_t n; printf ("Enter PSK identity: "); fflush (stdout); getline (&tmp, &n, stdin); if (tmp == NULL) { fprintf (stderr, "No username given, aborting...\n"); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } if (tmp[strlen (tmp) - 1] == '\n') tmp[strlen (tmp) - 1] = '\0'; if (tmp[strlen (tmp) - 1] == '\r') tmp[strlen (tmp) - 1] = '\0'; *username = gnutls_strdup (tmp); free (tmp); } if (!*username) return GNUTLS_E_MEMORY_ERROR; passwd = getpass ("Enter key: "); if (passwd == NULL) { fprintf (stderr, "No key given, aborting...\n"); return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } tmp.data = passwd; tmp.size = strlen (passwd); res_size = tmp.size / 2 + 1; rawkey = gnutls_malloc (res_size); if (rawkey == NULL) return GNUTLS_E_MEMORY_ERROR; ret = gnutls_hex_decode (&tmp, rawkey, &res_size); if (ret < 0) { fprintf (stderr, "Error deriving password: %s\n", gnutls_strerror (ret)); gnutls_free (*username); return ret; } key->data = rawkey; key->size = res_size; if (info.debug) { char hexkey[41]; res_size = sizeof (hexkey); gnutls_hex_encode (key, hexkey, &res_size); fprintf (stderr, "PSK username: %s\n", *username); fprintf (stderr, "PSK hint: %s\n", hint); fprintf (stderr, "PSK key: %s\n", hexkey); } return 0; }
static void dane_check(const char *host, const char *proto, unsigned int port, common_info_st * cinfo) { #ifdef HAVE_DANE dane_state_t s; dane_query_t q; int ret, retcode = 0; unsigned entries; unsigned int flags = DANE_F_IGNORE_LOCAL_RESOLVER, i; unsigned int usage, type, match; gnutls_datum_t data, file; size_t size; unsigned vflags = DANE_VFLAG_FAIL_IF_NOT_CHECKED; if (ENABLED_OPT(LOCAL_DNS)) flags = 0; if (HAVE_OPT(INSECURE)) flags |= DANE_F_INSECURE; if (HAVE_OPT(CHECK_EE)) vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE; if (HAVE_OPT(CHECK_CA)) vflags |= DANE_VFLAG_ONLY_CHECK_CA_USAGE; printf("Querying %s (%s:%d)...\n", host, proto, port); ret = dane_state_init(&s, flags); if (ret < 0) { fprintf(stderr, "dane_state_init: %s\n", dane_strerror(ret)); exit(1); } if (HAVE_OPT(DLV)) { ret = dane_state_set_dlv_file(s, OPT_ARG(DLV)); if (ret < 0) { fprintf(stderr, "dane_state_set_dlv_file: %s\n", dane_strerror(ret)); exit(1); } } ret = dane_query_tlsa(s, &q, host, proto, port); if (ret < 0) { fprintf(stderr, "dane_query_tlsa: %s\n", dane_strerror(ret)); exit(1); } entries = dane_query_entries(q); for (i = 0; i < entries; i++) { ret = dane_query_data(q, i, &usage, &type, &match, &data); if (ret < 0) { fprintf(stderr, "dane_query_data: %s\n", dane_strerror(ret)); exit(1); } size = buffer_size; ret = gnutls_hex_encode(&data, (void *) buffer, &size); if (ret < 0) { fprintf(stderr, "gnutls_hex_encode: %s\n", dane_strerror(ret)); exit(1); } if (entries > 1) printf("\nEntry %d:\n", i + 1); fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n", port, proto, host, usage, type, match, buffer); printf("Certificate usage: %s (%.2x)\n", dane_cert_usage_name(usage), usage); printf("Certificate type: %s (%.2x)\n", dane_cert_type_name(type), type); printf("Contents: %s (%.2x)\n", dane_match_type_name(match), match); printf("Data: %s\n", buffer); /* Verify the DANE data */ if (cinfo->cert) { gnutls_x509_crt_t *clist; unsigned int clist_size, status; ret = gnutls_load_file(cinfo->cert, &file); if (ret < 0) { fprintf(stderr, "gnutls_load_file: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_crt_list_import2(&clist, &clist_size, &file, cinfo-> incert_format, 0); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret)); exit(1); } if (clist_size > 0) { gnutls_datum_t certs[clist_size]; gnutls_datum_t out; unsigned int i; for (i = 0; i < clist_size; i++) { ret = gnutls_x509_crt_export2(clist [i], GNUTLS_X509_FMT_DER, &certs [i]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_export2: %s\n", gnutls_strerror (ret)); exit(1); } } ret = dane_verify_crt(s, certs, clist_size, GNUTLS_CRT_X509, host, proto, port, 0, vflags, &status); if (ret < 0) { fprintf(stderr, "dane_verify_crt: %s\n", dane_strerror(ret)); exit(1); } ret = dane_verification_status_print(status, &out, 0); if (ret < 0) { fprintf(stderr, "dane_verification_status_print: %s\n", dane_strerror(ret)); exit(1); } printf("\nVerification: %s\n", out.data); gnutls_free(out.data); if (status != 0) retcode = 1; for (i = 0; i < clist_size; i++) { gnutls_free(certs[i].data); gnutls_x509_crt_deinit(clist[i]); } gnutls_free(clist); } } else { fprintf(stderr, "\nCertificate was not verified. Use --load-certificate.\n"); } } dane_query_deinit(q); dane_state_deinit(s); exit(retcode); #else fprintf(stderr, "This functionality was disabled (GnuTLS was not compiled with support for DANE).\n"); return; #endif }
int main(int argc, char **argv) { int ret; #ifndef _WIN32 struct passwd *pwd; #endif unsigned char key[MAX_KEY_SIZE]; char hex_key[MAX_KEY_SIZE * 2 + 1]; int optct, key_size; gnutls_datum_t dkey; const char *passwd, *username; size_t hex_key_size = sizeof(hex_key); if ((ret = gnutls_global_init()) < 0) { fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret)); exit(1); } umask(066); optct = optionProcess(&psktoolOptions, argc, argv); argc -= optct; argv += optct; if (!HAVE_OPT(PASSWD)) passwd = (char *) KPASSWD; else passwd = OPT_ARG(PASSWD); if (!HAVE_OPT(USERNAME)) { #ifndef _WIN32 pwd = getpwuid(getuid()); if (pwd == NULL) { fprintf(stderr, "No such user\n"); return -1; } username = pwd->pw_name; #else fprintf(stderr, "Please specify a user\n"); return -1; #endif } else username = OPT_ARG(USERNAME); if (HAVE_OPT(KEYSIZE) && OPT_VALUE_KEYSIZE > MAX_KEY_SIZE) { fprintf(stderr, "Key size is too long\n"); exit(1); } if (!HAVE_OPT(KEYSIZE) || OPT_VALUE_KEYSIZE < 1) key_size = 16; else key_size = OPT_VALUE_KEYSIZE; printf("Generating a random key for user '%s'\n", username); ret = gnutls_rnd(GNUTLS_RND_RANDOM, (char *) key, key_size); if (ret < 0) { fprintf(stderr, "Not enough randomness\n"); exit(1); } dkey.data = key; dkey.size = key_size; ret = gnutls_hex_encode(&dkey, hex_key, &hex_key_size); if (ret < 0) { fprintf(stderr, "HEX encoding error\n"); exit(1); } ret = write_key(username, hex_key, hex_key_size, passwd); if (ret == 0) printf("Key stored to %s\n", passwd); return ret; }