/**
* gnutls_priority_set_direct - Sets priorities for the cipher suites supported by gnutls.
* @session: is a #gnutls_session_t structure.
* @priorities: is a string describing priorities
* @err_pos: In case of an error this will have the position in the string the error occured
*
* Sets the priorities to use on the ciphers, key exchange methods,
* macs and compression methods. This function avoids keeping a
* priority cache and is used to directly set string priorities to a
* TLS session. For documentation check the gnutls_priority_init().
*
* On syntax error GNUTLS_E_INVALID_REQUEST is returned and 0 on success.
*
**/
int
gnutls_priority_set_direct (gnutls_session_t session, const char *priorities,
const char **err_pos)
{
gnutls_priority_t prio;
int ret;
ret = gnutls_priority_init (&prio, priorities, err_pos);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_priority_set (session, prio);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
gnutls_priority_deinit (prio);
return 0;
}
static tls_session *
tlsg_session_new ( tls_ctx * ctx, int is_server )
{
tlsg_ctx *c = (tlsg_ctx *)ctx;
tlsg_session *session;
session = ber_memcalloc ( 1, sizeof (*session) );
if ( !session )
return NULL;
session->ctx = c;
gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
gnutls_priority_set( session->session, c->prios );
if ( c->cred )
gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
if ( is_server ) {
int flag = 0;
if ( c->lo->ldo_tls_require_cert ) {
flag = GNUTLS_CERT_REQUEST;
if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
flag = GNUTLS_CERT_REQUIRE;
gnutls_certificate_server_set_request( session->session, flag );
}
}
return (tls_session *)session;
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_CLIENT);
int data_length=0;//hard-coding this length assuming 4 proxies already exist in the connection.
void *data=malloc(80);
/*printf("Existing Proxy_Info retrived by proxy from outgoing TLS connection\n");
for(int i=0;i<data_length;i+=4){
int random_num=rand()%20;
printf("%u ",random_num);
if((i-1)%5==0&&i!=0)
printf("\n");
memcpy(data+i,&random_num,sizeof(int));
}
*/
gnutls_proxyinfo_set (session, GNUTLS_NAME_DNS, "karthikmihir",strlen("karthikmihir"),data,data_length,0);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
return session;
}
void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
struct ssl_connect *sconn;
if(F == NULL)
return;
sconn = rb_malloc(sizeof(struct ssl_connect));
sconn->data = data;
sconn->callback = callback;
sconn->timeout = timeout;
F->connect = rb_malloc(sizeof(struct conndata));
F->connect->callback = callback;
F->connect->data = data;
F->type |= RB_FD_SSL;
F->ssl = rb_malloc(sizeof(gnutls_session_t));
gnutls_init(F->ssl, GNUTLS_CLIENT);
gnutls_set_default_priority(SSL_P(F));
gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
gnutls_dh_set_prime_bits(SSL_P(F), 1024);
gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
gnutls_priority_set(SSL_P(F), default_priority);
rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
}
/// Initializes GNUTLS session on the given socket.
static gnutls_session_t onion_prepare_gnutls_session(onion *o, int clientfd){
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, o->priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, o->x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t)(long) clientfd);
int ret;
int n_tries=0;
do{
ret = gnutls_handshake (session);
if (n_tries++>10) // Ok, dont abuse the system. Maybe trying to DoS me?
break;
}while (ret<0 && gnutls_error_is_fatal(ret)==0);
if (ret<0){ // could not handshake. assume an error.
ONION_ERROR("Handshake has failed (%s)", gnutls_strerror (ret));
gnutls_deinit (session);
return NULL;
}
return session;
}
/** Create a GNUTLS session.
* Initialises the cyphers and the session database for a new TLS
* session.
*
* @returns The newly created TLS session.
*/
static gnutls_session_t
_crywrap_tls_session_create(const crywrap_config_t * config)
{
gnutls_session_t session;
int ret;
gnutls_init(&session, GNUTLS_SERVER);
if (config->anon) {
gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred);
} else {
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
cred);
}
ret = gnutls_priority_set(session, config->priority);
if (ret < 0) {
cry_error("Error setting priority %s: ",
gnutls_strerror(ret));
exit(4);
}
if (config->verify == 1)
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
else if (config->verify == 2)
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUIRE);
return session;
}
void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
new_F->type |= RB_FD_SSL;
new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
new_F->accept = rb_malloc(sizeof(struct acceptdata));
new_F->accept->callback = F->accept->callback;
new_F->accept->data = F->accept->data;
rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
memcpy(&new_F->accept->S, st, addrlen);
new_F->accept->addrlen = addrlen;
gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
gnutls_set_default_priority(SSL_P(new_F));
gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
gnutls_priority_set(SSL_P(F), default_priority);
if(do_ssl_handshake(F, rb_ssl_tryaccept, NULL))
{
struct acceptdata *ad = F->accept;
F->accept = NULL;
ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
rb_free(ad);
}
}
void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
gnutls_session_t *ssl;
new_F->type |= RB_FD_SSL;
ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
new_F->accept = rb_malloc(sizeof(struct acceptdata));
new_F->accept->callback = cb;
new_F->accept->data = data;
rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
new_F->accept->addrlen = 0;
gnutls_init(ssl, GNUTLS_SERVER);
gnutls_set_default_priority(*ssl);
gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
gnutls_dh_set_prime_bits(*ssl, 1024);
gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
gnutls_priority_set(*ssl, default_priority);
if(do_ssl_handshake(new_F, rb_ssl_tryaccept, NULL))
{
struct acceptdata *ad = new_F->accept;
new_F->accept = NULL;
ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
rb_free(ad);
}
}
/**
* @short Initializes a connection on a request
* @memberof onion_https_t
*
* Do the accept of the request, and the SSL handshake.
*
* @param req The request
* @returns <0 in case of error.
*/
static int onion_https_request_init(onion_request *req){
onion_listen_point_request_init_from_socket(req);
onion_https *https=(onion_https*)req->connection.listen_point->user_data;
ONION_DEBUG("Accept new request, fd %d",req->connection.fd);
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, https->priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, https->x509_cred);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t)(long) req->connection.fd);
int ret;
do{
ret = gnutls_handshake (session);
}while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret<0){ // could not handshake. assume an error.
ONION_ERROR("Handshake has failed (%s)", gnutls_strerror (ret));
gnutls_bye (session, GNUTLS_SHUT_WR);
gnutls_deinit(session);
onion_listen_point_request_close_socket(req);
return -1;
}
req->connection.user_data=(void*)session;
return 0;
}
void SslSocket::setupSession()
{
qDebug() << "Initialise client session";
// Setup the trust store
gnutls_certificate_allocate_credentials(&d->x509cred);
gnutls_certificate_set_x509_trust_file(d->x509cred, "/etc/ssl/ca-bundle.pem", GNUTLS_X509_FMT_PEM);
// Configure the session
gnutls_init(&d->session, GNUTLS_CLIENT);
gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509cred);
const char *err;
gnutls_priority_init(&d->priority_cache, "NORMAL", &err);
gnutls_priority_set(d->session, d->priority_cache);
// Setup the transport functions to use QTcpSocket
gnutls_transport_set_ptr(d->session, this);
gnutls_transport_set_pull_function(d->session, read_callback);
#ifdef NO_VECTOR_WRITES
gnutls_transport_set_push_function(d->session, write_callback);
#else
gnutls_transport_set_vec_push_function(d->session, write_vector_callback);
#endif
}
void TLSTransaction::init (TLSServer& server)
{
gnutls_init (&_session, GNUTLS_SERVER);
gnutls_priority_set (_session, server._priorities);
gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, server._credentials);
// Require client certificate.
gnutls_certificate_server_set_request (_session, GNUTLS_CERT_REQUIRE);
/*
// Set maximum compatibility mode. This is only suggested on public
// webservers that need to trade security for compatibility
gnutls_session_enable_compatibility_mode (_session);
*/
struct sockaddr_in sa_cli = {0};
socklen_t client_len = sizeof sa_cli;
do
{
_socket = accept (server._socket, (struct sockaddr *) &sa_cli, &client_len);
}
while (errno == EINTR);
if (_socket < 0)
throw std::string (::strerror (errno));
// Obtain client info.
char topbuf[512];
_address = inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf));
_port = ntohs (sa_cli.sin_port);
if (_debug)
std::cout << "s: INFO connection from "
<< _address
<< " port "
<< _port
<< "\n";
#if GNUTLS_VERSION_NUMBER >= 0x030109
gnutls_transport_set_int (_session, _socket);
#else
gnutls_transport_set_ptr (_session, (gnutls_transport_ptr_t) (long) _socket);
#endif
// Key exchange.
int ret;
do
{
ret = gnutls_handshake (_session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0)
throw std::string ("Handshake has failed (") + gnutls_strerror (ret) + ")";
if (_debug)
std::cout << "s: INFO Handshake was completed\n";
}
static void
ssl_gnutls_connect(PurpleSslConnection *gsc)
{
PurpleSslGnutlsData *gnutls_data;
static const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 };
gnutls_data = g_new0(PurpleSslGnutlsData, 1);
gsc->private_data = gnutls_data;
gnutls_init(&gnutls_data->session, GNUTLS_CLIENT);
#ifdef HAVE_GNUTLS_PRIORITY_FUNCS
{
const char *prio_str = NULL;
gboolean set = FALSE;
/* Let's see if someone has specified a specific priority */
if (gsc->host && host_priorities)
prio_str = g_hash_table_lookup(host_priorities, gsc->host);
if (prio_str)
set = (GNUTLS_E_SUCCESS ==
gnutls_priority_set_direct(gnutls_data->session, prio_str,
NULL));
if (!set)
gnutls_priority_set(gnutls_data->session, default_priority);
}
#else
gnutls_set_default_priority(gnutls_data->session);
#endif
gnutls_certificate_type_set_priority(gnutls_data->session,
cert_type_priority);
gnutls_credentials_set(gnutls_data->session, GNUTLS_CRD_CERTIFICATE,
xcred);
gnutls_transport_set_ptr(gnutls_data->session, GINT_TO_POINTER(gsc->fd));
gnutls_data->handshake_handler = purple_input_add(gsc->fd,
PURPLE_INPUT_READ, ssl_gnutls_handshake_cb, gsc);
/* Orborde asks: Why are we configuring a callback, then
(almost) immediately calling it?
Answer: gnutls_handshake (up in handshake_cb) needs to be called
once in order to get the ball rolling on the SSL connection.
Once it has done so, only then will the server reply, triggering
the callback.
Since the logic driving gnutls_handshake is the same with the first
and subsequent calls, we'll just fire the callback immediately to
accomplish this.
*/
gnutls_data->handshake_timer = purple_timeout_add(0, start_handshake_cb,
gsc);
}
void SslDriver::initialize(SslSocket* socket)
{
gnutls_priority_set(socket->session_, priorities_);
// cache
gnutls_db_set_ptr(socket->session_, this);
gnutls_db_set_store_function(socket->session_, &SslDriver::_store);
gnutls_db_set_remove_function(socket->session_, &SslDriver::_remove);
gnutls_db_set_retrieve_function(socket->session_, &SslDriver::_retrieve);
}
TLSSocket::TLSSocket(Fd fd_, const TLSSocket& parent, const std::string& info) : Socket(fd_, parent, info) {
gnutls_init(&session, GNUTLS_SERVER);
gnutls_priority_set(session, priority_cache);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_ptr (session,
(gnutls_transport_ptr_t) fd);
}
void TLSSocket::connect(const std::string& addr, int port) {
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_priority_set(session, priority_cache);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
Socket::connect(addr, port);
gnutls_session_set_ptr(session, (void*)getInfo().c_str());
gnutls_transport_set_ptr (session,
(gnutls_transport_ptr_t) fd);
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
return session;
}
/*
* Starts a standard gnutls session
* on a server port.
*/
static gnutls_session_t initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
return session;
}
bool Plugin::onConnect(LightBird::IClient &client)
{
gnutls_session_t session;
if (gnutls_init(&session, GNUTLS_SERVER) != GNUTLS_E_SUCCESS)
return (false);
client.getInformations().insert("gnutls_session", QVariant().fromValue(session));
if (gnutls_priority_set(session, this->priority) != GNUTLS_E_SUCCESS)
return (false);
if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, this->x509_cred))
return (false);
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)&client);
// Starts the handshake
this->handshake->start(client, session);
return (true);
}
int
manos_tls_accept (manos_tls_socket_t server, manos_tls_socket_t *client, manos_socket_info_t *info)
{
int err, inner_err;
manos_tls_socket_t client_socket;
err = manos_socket_accept (server->socket, info, &inner_err);
if (err < 0) {
if (inner_err == 0) {
return EAGAIN;
} else {
return inner_err;
}
}
client_socket = malloc (sizeof (*client_socket));
if (client_socket == NULL) {
close (info->fd);
return ENOMEM;
}
memset (client_socket, 0, sizeof (*client_socket));
client_socket->socket = info->fd;
err = gnutls_init (&(client_socket->tls_session), GNUTLS_SERVER);
if (err != 0) {
close (info->fd);
if (err != GNUTLS_E_MEMORY_ERROR) {
gnutls_deinit (client_socket->tls_session);
} else {
err = ENOMEM;
}
free (client_socket);
return err;
}
gnutls_priority_set (client_socket->tls_session, priority_cache);
gnutls_credentials_set (client_socket->tls_session, GNUTLS_CRD_CERTIFICATE, server->credentials);
gnutls_transport_set_ptr (client_socket->tls_session, (gnutls_transport_ptr_t) info->fd);
*client = client_socket;
do_handshake(client_socket);
return 0;
}
SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
{
gnutls_session_t * session = calloc(1, sizeof(gnutls_session_t));
gnutls_init(session, GNUTLS_SERVER);
gnutls_priority_set(*session, cipherCache);
gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);
gnutls_transport_set_int(*session, *fileDescriptor);
if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
*isSSLReady = true;
return session;
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* We don't request any certificate from the client.
* If we did we would need to verify it.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);
return session;
}
gnutls_session_t context::session(context *ctx)
{
SSL ssl = NULL;
if(ctx && ctx->xcred && ctx->err() == secure::OK) {
gnutls_init(&ssl, ctx->connect);
switch(ctx->connect) {
case GNUTLS_CLIENT:
gnutls_priority_set_direct(ssl, "PERFORMANCE", NULL);
break;
case GNUTLS_SERVER:
gnutls_priority_set(ssl, context::priority_cache);
gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
gnutls_session_enable_compatibility_mode(ssl);
default:
break;
}
gnutls_credentials_set(ssl, ctx->xtype, ctx->xcred);
}
return ssl;
}
static void gnutls_client_hello_cb(gpointer data, gboolean success, GString *server_name, guint16 protocol) {
mod_connection_ctx *conctx = data;
if (conctx->ctx->protect_against_beast) {
if (!success || protocol <= 0x0301) { /* SSL3: 0x0300, TLS1.0: 0x0301 */
gnutls_priority_set(conctx->session, conctx->ctx->server_priority_beast);
}
}
#ifdef USE_SNI
if (success && NULL != server_name && NULL != conctx->ctx->sni_db && server_name->len > 0) {
conctx->sni_server_name = g_string_new_len(GSTR_LEN(server_name));
sni_job_cb(&conctx->sni_job);
return;
}
#else
UNUSED(server_name);
#endif
li_ssl_client_hello_stream_ready(conctx->client_hello_stream);
}
void InitSession(StreamSocket* user, bool me_server)
{
issl_session* session = &sessions[user->GetFd()];
gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
session->socket = user;
#ifdef GNUTLS_NEW_PRIO_API
gnutls_priority_set(session->sess, priority);
#endif
gnutls_credentials_set(session->sess, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_dh_set_prime_bits(session->sess, dh_bits);
gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session));
gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper);
gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper);
if (me_server)
gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
Handshake(session, user);
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
return session;
}
static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
struct ssl_connect *sconn = data;
if(status != RB_OK)
{
rb_ssl_connect_realcb(F, status, sconn);
return;
}
F->type |= RB_FD_SSL;
rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
F->ssl = rb_malloc(sizeof(gnutls_session_t));
gnutls_init(F->ssl, GNUTLS_CLIENT);
gnutls_set_default_priority(SSL_P(F));
gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
gnutls_dh_set_prime_bits(SSL_P(F), 1024);
gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
gnutls_priority_set(SSL_P(F), default_priority);
do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
}
/*
handle_connection - Sets up a PORC connection and serves the list.
*/
void *handle_connection(void *arg) {
int client_socket_descriptor = (int)arg;
gnutls_session_t session;
int ret;
DIRECTORY_REQUEST directory_request;
DIRECTORY_RESPONSE directory_response;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);
gnutls_transport_set_int (session, client_socket_descriptor);
do {
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0) {
close (client_socket_descriptor);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror (ret));
return NULL;
}
printf ("- Handshake was completed\n");
if (gnutls_record_recv (session, (char *)&directory_request, sizeof (directory_request)) != sizeof (directory_request)) {
close (client_socket_descriptor);
gnutls_deinit (session);
fprintf (stderr, "DIRECTORY handshake error (100)\n");
return NULL;
}
bzero ((void *)&directory_response, sizeof(directory_response));
if (directory_request.command != DIRECTORY_ASK) {
directory_response.status = DIRECTORY_FAILURE;
} else {
directory_response.status = DIRECTORY_SUCCESS;
directory_response.nbr = nbr_relays;
}
if (gnutls_record_send (session, (char *)&directory_response, sizeof (directory_response))
!= sizeof (directory_response))
{
close (client_socket_descriptor);
gnutls_deinit (session);
fprintf (stderr, "DIRECTORY handshake error (200)\n");
return NULL;
}
printf ("DIRECTORY handshake completed");
if (directory_response.status == DIRECTORY_SUCCESS) {
printf (" with success.\n");
} else {
printf (" with a failure.\n");
close (client_socket_descriptor);
gnutls_deinit (session);
fprintf (stderr, "DIRECTORY handshake error (200)\n");
return NULL;
}
if (gnutls_record_send (session, (char *)list_relays, sizeof (MYSOCKET)*nbr_relays)
!= sizeof (MYSOCKET)*nbr_relays)
{
close (client_socket_descriptor);
gnutls_deinit (session);
fprintf (stderr, "DIRECTORY error (300)\n");
return NULL;
}
close (client_socket_descriptor);
printf ("Connection closed\n");
return NULL;
}
static gboolean mod_gnutls_con_new(liConnection *con, int fd) {
liEventLoop *loop = &con->wrk->loop;
liServer *srv = con->srv;
mod_context *ctx = con->srv_sock->data;
mod_connection_ctx *conctx;
gnutls_session_t session;
int r;
if (GNUTLS_E_SUCCESS > (r = gnutls_init(&session, GNUTLS_SERVER))) {
ERROR(srv, "gnutls_init (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
}
mod_gnutls_context_acquire(ctx);
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_set(session, ctx->server_priority))) {
ERROR(srv, "gnutls_priority_set (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
}
if (GNUTLS_E_SUCCESS > (r = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->server_cert))) {
ERROR(srv, "gnutls_credentials_set (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
}
if (NULL != ctx->session_db) {
gnutls_db_set_ptr(session, ctx->session_db);
gnutls_db_set_remove_function(session, session_db_remove_cb);
gnutls_db_set_retrieve_function(session, session_db_retrieve_cb);
gnutls_db_set_store_function(session, session_db_store_cb);
}
#ifdef HAVE_SESSION_TICKET
if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_enable_server(session, &ctx->ticket_key))) {
ERROR(srv, "gnutls_session_ticket_enable_server (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
}
#endif
#ifdef GNUTLS_ALPN_MAND
{
static const gnutls_datum_t proto_http1 = { (unsigned char*) CONST_STR_LEN("http/1.1") };
gnutls_alpn_set_protocols(session, &proto_http1, 1, 0);
}
#endif
conctx = g_slice_new0(mod_connection_ctx);
conctx->session = session;
conctx->sock_stream = li_iostream_new(con->wrk, fd, tcp_io_cb, conctx);
conctx->client_hello_stream = li_ssl_client_hello_stream(&con->wrk->loop, gnutls_client_hello_cb, conctx);
#ifdef USE_SNI
li_job_init(&conctx->sni_job, sni_job_cb);
conctx->sni_jobref = li_job_ref(&con->wrk->loop.jobqueue, &conctx->sni_job);
#endif
li_stream_connect(&conctx->sock_stream->stream_in, conctx->client_hello_stream);
conctx->tls_filter = li_gnutls_filter_new(srv, con->wrk, &filter_callbacks, conctx, conctx->session,
conctx->client_hello_stream, &conctx->sock_stream->stream_out);
conctx->con = con;
conctx->ctx = ctx;
con->con_sock.data = conctx;
con->con_sock.callbacks = &gnutls_tcp_cbs;
con->con_sock.raw_out = li_stream_plug_new(loop);
con->con_sock.raw_in = li_stream_plug_new(loop);
con->info.is_ssl = TRUE;
return TRUE;
fail:
gnutls_deinit(session);
mod_gnutls_context_release(ctx);
return FALSE;
}
static bool
ConnSSL_Init_SSL(CONNECTION *c)
{
int ret;
LogDebug("Initializing SSL ...");
assert(c != NULL);
#ifdef HAVE_LIBSSL
if (!ssl_ctx) {
Log(LOG_ERR,
"Can't initialize SSL context, OpenSSL initialization failed at startup!");
return false;
}
assert(c->ssl_state.ssl == NULL);
assert(c->ssl_state.fingerprint == NULL);
c->ssl_state.ssl = SSL_new(ssl_ctx);
if (!c->ssl_state.ssl) {
LogOpenSSLError("Failed to create SSL structure", NULL);
return false;
}
Conn_OPTION_ADD(c, CONN_SSL);
ret = SSL_set_fd(c->ssl_state.ssl, c->sock);
if (ret != 1) {
LogOpenSSLError("Failed to set SSL file descriptor", NULL);
ConnSSL_Free(c);
return false;
}
#endif
#ifdef HAVE_LIBGNUTLS
Conn_OPTION_ADD(c, CONN_SSL);
ret = gnutls_priority_set(c->ssl_state.gnutls_session, priorities_cache);
if (ret != GNUTLS_E_SUCCESS) {
Log(LOG_ERR, "Failed to set GnuTLS session priorities: %s",
gnutls_strerror(ret));
ConnSSL_Free(c);
return false;
}
/*
* The intermediate (long) cast is here to avoid a warning like:
* "cast to pointer from integer of different size" on 64-bit platforms.
* There doesn't seem to be an alternate GNUTLS API we could use instead, see e.g.
* http://www.mail-archive.com/[email protected]/msg00286.html
*/
gnutls_transport_set_ptr(c->ssl_state.gnutls_session,
(gnutls_transport_ptr_t) (long) c->sock);
gnutls_certificate_server_set_request(c->ssl_state.gnutls_session,
GNUTLS_CERT_REQUEST);
ret = gnutls_credentials_set(c->ssl_state.gnutls_session,
GNUTLS_CRD_CERTIFICATE, x509_cred);
if (ret != 0) {
Log(LOG_ERR, "Failed to set SSL credentials: %s",
gnutls_strerror(ret));
ConnSSL_Free(c);
return false;
}
gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN);
#endif
return true;
}
int
main (void)
{
int ret, sd, ii;
gnutls_session_t session;
gnutls_priority_t priorities_cache;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
/* Allow connections to servers that have OpenPGP keys as well.
*/
gnutls_global_init ();
load_keys ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
/* priorities */
gnutls_priority_init( &priorities_cache, "NORMAL", NULL);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set (session, priorities_cache);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_priority_deinit( priorities_cache);
gnutls_global_deinit ();
return 0;
}