/* initializes a gnutls_session_t with some defaults.
*/
static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
gnutls_session_t session;
gnutls_init (&session, GNUTLS_CLIENT);
if (gnutls_priority_set_direct (session, info.priorities, &err) < 0)
{
fprintf (stderr, "Syntax error at: %s\n", err);
exit (1);
}
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
gnutls_handshake_set_private_extensions (session, 1);
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
if (cert_type_priority[0])
gnutls_certificate_type_set_priority (session, cert_type_priority);
}
if (cipher_priority[0])
gnutls_cipher_set_priority (session, cipher_priority);
if (comp_priority[0])
gnutls_compression_set_priority (session, comp_priority);
if (kx_priority[0])
gnutls_kx_set_priority (session, kx_priority);
if (protocol_priority[0])
gnutls_protocol_set_priority (session, protocol_priority);
if (mac_priority[0])
gnutls_mac_set_priority (session, mac_priority);
gnutls_dh_set_prime_bits (session, 512);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
if (psk_cred)
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
gnutls_certificate_set_verify_flags (xcred, 0);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
if (fingerprint != 0)
gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
#endif
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
#ifdef ENABLE_OPRFI
if (info.opaque_prf_input)
gnutls_oprfi_enable_client (session, strlen (info.opaque_prf_input),
info.opaque_prf_input);
#endif
#ifdef ENABLE_SESSION_TICKET
if (!info.noticket)
gnutls_session_ticket_enable_client (session);
#endif
return session;
}
/* initializes a gnutls_session_t with some defaults.
*/
static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
int ret;
gnutls_session_t session;
if (priorities == NULL)
priorities = "NORMAL";
if (udp)
{
gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM);
if (mtu)
gnutls_dtls_set_mtu(session, mtu);
}
else
gnutls_init (&session, GNUTLS_CLIENT);
if ((ret = gnutls_priority_set_direct (session, priorities, &err)) < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: %s\n", err);
else
fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
exit (1);
}
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
if (!isdigit(hostname[0]) && strchr(hostname, ':') == 0)
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
}
gnutls_dh_set_prime_bits (session, 512);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
if (psk_cred)
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_set_retrieve_function2 (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
gnutls_certificate_set_verify_flags (xcred, 0);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
if (fingerprint != 0)
gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
#endif
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
#ifdef ENABLE_SESSION_TICKET
if (disable_extensions == 0 && !HAVE_OPT(NOTICKET)t)
gnutls_session_ticket_enable_client (session);
#endif
return session;
}
void session::send_openpgp_cert (gnutls_openpgp_crt_status_t status)
{
#ifdef ENABLE_OPENPGP
gnutls_openpgp_send_cert (s, status);
#endif
}
void doit(void)
{
int err, i;
int sockets[2];
const char *srcdir;
pid_t child;
char pub_key_path[512], priv_key_path[512];
global_init();
srcdir = getenv("srcdir") ? getenv("srcdir") : ".";
for (i = 0; i < 5; i++) {
if (i <= 1)
key_id = NULL; /* try using the master key */
else if (i == 2)
key_id = "auto"; /* test auto */
else if (i >= 3)
key_id = "f30fd423c143e7ba";
if (debug) {
gnutls_global_set_log_level(5);
gnutls_global_set_log_function(log_message);
}
err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
if (err != 0)
fail("socketpair %s\n", strerror(errno));
if (sizeof(pub_key_path) <
strlen(srcdir) + strlen(pub_key_file) + 2)
abort();
strcpy(pub_key_path, srcdir);
strcat(pub_key_path, "/");
strcat(pub_key_path, pub_key_file);
if (sizeof(priv_key_path) <
strlen(srcdir) + strlen(priv_key_file) + 2)
abort();
strcpy(priv_key_path, srcdir);
strcat(priv_key_path, "/");
strcat(priv_key_path, priv_key_file);
child = fork();
if (child == -1)
fail("fork %s\n", strerror(errno));
if (child == 0) {
/* Child process (client). */
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
ssize_t sent;
if (debug)
printf("client process %i\n", getpid());
err = gnutls_init(&session, GNUTLS_CLIENT);
if (err != 0)
fail("client session %d\n", err);
if (i == 0) /* we use the primary key which is RSA. Test the RSA ciphersuite */
gnutls_priority_set_direct(session,
"NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+RSA:+CTYPE-OPENPGP",
NULL);
else
gnutls_priority_set_direct(session,
"NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+DHE-DSS:+DHE-RSA:+CTYPE-OPENPGP",
NULL);
gnutls_transport_set_int(session, sockets[0]);
err =
gnutls_certificate_allocate_credentials(&cred);
if (err != 0)
fail("client credentials %d\n", err);
err =
gnutls_certificate_set_openpgp_key_file2(cred,
pub_key_path,
priv_key_path,
key_id,
GNUTLS_OPENPGP_FMT_BASE64);
if (err != 0)
fail("client openpgp keys %s\n",
gnutls_strerror(err));
check_loaded_key(cred);
err =
gnutls_credentials_set(session,
GNUTLS_CRD_CERTIFICATE,
cred);
if (err != 0)
fail("client credential_set %d\n", err);
gnutls_dh_set_prime_bits(session, 1024);
if (i == 4)
gnutls_openpgp_send_cert(session,
GNUTLS_OPENPGP_CERT_FINGERPRINT);
err = gnutls_handshake(session);
if (err != 0)
fail("client handshake %s (%d) \n",
gnutls_strerror(err), err);
else if (debug)
printf("client handshake successful\n");
sent =
gnutls_record_send(session, message,
sizeof(message));
if (sent != sizeof(message))
fail("client sent %li vs. %li\n",
(long) sent, (long) sizeof(message));
err = gnutls_bye(session, GNUTLS_SHUT_RDWR);
if (err != 0)
fail("client bye %d\n", err);
if (debug)
printf("client done\n");
gnutls_deinit(session);
gnutls_certificate_free_credentials(cred);
gnutls_free(stored_cli_cert.data);
gnutls_global_deinit();
return;
} else {
/* Parent process (server). */
gnutls_session_t session;
gnutls_dh_params_t dh_params;
gnutls_certificate_credentials_t cred;
char greetings[sizeof(message) * 2];
ssize_t received;
pid_t done;
int status;
const gnutls_datum_t p3 =
{ (void *) pkcs3, strlen(pkcs3) };
if (debug)
printf("server process %i (child %i)\n",
getpid(), child);
err = gnutls_init(&session, GNUTLS_SERVER);
if (err != 0)
fail("server session %d\n", err);
gnutls_priority_set_direct(session,
"NONE:+VERS-TLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+DHE-DSS:+DHE-RSA:+RSA:+CTYPE-OPENPGP",
NULL);
gnutls_transport_set_int(session, sockets[1]);
err =
gnutls_certificate_allocate_credentials(&cred);
if (err != 0)
fail("server credentials %d\n", err);
err =
gnutls_certificate_set_openpgp_key_file2(cred,
pub_key_path,
priv_key_path,
key_id,
GNUTLS_OPENPGP_FMT_BASE64);
if (err != 0)
fail("server openpgp keys %s\n",
gnutls_strerror(err));
check_loaded_key(cred);
err = gnutls_dh_params_init(&dh_params);
if (err)
fail("server DH params init %d\n", err);
err =
gnutls_dh_params_import_pkcs3(dh_params, &p3,
GNUTLS_X509_FMT_PEM);
if (err)
fail("server DH params generate %d\n",
err);
gnutls_certificate_set_dh_params(cred, dh_params);
err =
gnutls_credentials_set(session,
GNUTLS_CRD_CERTIFICATE,
cred);
if (err != 0)
fail("server credential_set %d\n", err);
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUIRE);
if (i == 4)
gnutls_openpgp_set_recv_key_function
(session, key_recv_func);
err = gnutls_handshake(session);
if (err != 0)
fail("server handshake %s (%d) \n",
gnutls_strerror(err), err);
if (stored_cli_cert.data == NULL) {
const gnutls_datum_t *d;
unsigned int d_size;
d = gnutls_certificate_get_peers(session,
&d_size);
if (d != NULL) {
stored_cli_cert.data =
gnutls_malloc(d[0].size);
memcpy(stored_cli_cert.data,
d[0].data, d[0].size);
stored_cli_cert.size = d[0].size;
}
}
received =
gnutls_record_recv(session, greetings,
sizeof(greetings));
if (received != sizeof(message)
|| memcmp(greetings, message, sizeof(message)))
fail("server received %li vs. %li\n",
(long) received,
(long) sizeof(message));
err = gnutls_bye(session, GNUTLS_SHUT_RDWR);
if (err != 0)
fail("server bye %s (%d) \n",
gnutls_strerror(err), err);
if (debug)
printf("server done\n");
gnutls_deinit(session);
gnutls_certificate_free_credentials(cred);
gnutls_dh_params_deinit(dh_params);
done = wait(&status);
if (done < 0)
fail("wait %s\n", strerror(errno));
if (done != child)
fail("who's that?! %d\n", done);
check_wait_status(status);
}
}
gnutls_free(stored_cli_cert.data);
gnutls_global_deinit();
}
/* initializes a gnutls_session_t with some defaults.
*/
static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
int ret;
gnutls_session_t session;
if (priorities == NULL)
priorities = "NORMAL";
if (udp)
{
gnutls_init (&session, GNUTLS_DATAGRAM|init_flags);
if (mtu)
gnutls_dtls_set_mtu(session, mtu);
}
else
gnutls_init (&session, init_flags);
if ((ret = gnutls_priority_set_direct (session, priorities, &err)) < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: %s\n", err);
else
fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
exit (1);
}
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
if (!isdigit(hostname[0]) && strchr(hostname, ':') == 0)
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
}
if (HAVE_OPT(DH_BITS))
gnutls_dh_set_prime_bits( session, OPT_VALUE_DH_BITS);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
if (psk_cred)
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_set_retrieve_function2 (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
if (fingerprint != 0)
gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
#endif
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
if (HAVE_OPT(HEARTBEAT))
gnutls_heartbeat_enable (session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);
#ifdef ENABLE_DTLS_SRTP
if (HAVE_OPT(SRTP_PROFILES))
{
ret = gnutls_srtp_set_profile_direct (session, OPT_ARG(SRTP_PROFILES), &err);
if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: %s\n", err);
else
fprintf(stderr, "Error in profiles: %s\n", gnutls_strerror(ret));
exit (1);
}
#endif
return session;
}