unsigned char * get_ssl_connection_cipher(struct socket *socket) { ssl_t *ssl = socket->ssl; struct string str; if (!init_string(&str)) return NULL; #ifdef USE_OPENSSL add_format_to_string(&str, "%ld-bit %s %s", SSL_get_cipher_bits(ssl, NULL), SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl)); #elif defined(CONFIG_GNUTLS) /* XXX: How to get other relevant parameters? */ add_format_to_string(&str, "%s - %s - %s - %s - %s (compr: %s)", gnutls_protocol_get_name(gnutls_protocol_get_version(*ssl)), gnutls_kx_get_name(gnutls_kx_get(*ssl)), gnutls_cipher_get_name(gnutls_cipher_get(*ssl)), gnutls_mac_get_name(gnutls_mac_get(*ssl)), gnutls_certificate_type_get_name(gnutls_certificate_type_get(*ssl)), gnutls_compression_get_name(gnutls_compression_get(*ssl))); #endif return str.source; }
const char *dtls_gnutls_get_cipher(struct conn *conn, char *dst) { struct dtls_gnutls_data * d; const char *comp, *cipher, *mac, *proto, *kxname, *auth; gnutls_kx_algorithm_t kx; gnutls_credentials_type_t cred; if (!conn->dtls_data){ sprintf(dst, "%s","None"); return dst; } d = (struct dtls_gnutls_data*)conn->dtls_data; if ( !d->session ){ sprintf(dst, "%s","None"); return dst; } kx = gnutls_kx_get(d->session); kxname = gnutls_kx_get_name(kx); cred = gnutls_auth_get_type(d->session); proto = gnutls_protocol_get_name(gnutls_protocol_get_version(d->session)); comp = gnutls_compression_get_name(gnutls_compression_get(d->session)); cipher = gnutls_cipher_get_name(gnutls_cipher_get(d->session)); mac = gnutls_mac_get_name(gnutls_mac_get(d->session)); sprintf(dst,"cipher: %s/%s/%s/%s/%s",proto,kxname,cipher,mac,comp); return dst; }
int rfbssl_init(rfbClientPtr cl) { int ret = -1; struct rfbssl_ctx *ctx; char *keyfile; if (!(keyfile = cl->screen->sslkeyfile)) keyfile = cl->screen->sslcertfile; if (NULL == (ctx = rfbssl_init_global(keyfile, cl->screen->sslcertfile))) { /* */ } else if (GNUTLS_E_SUCCESS != (ret = rfbssl_init_session(ctx, cl->sock))) { /* */ } else { while (GNUTLS_E_SUCCESS != (ret = gnutls_handshake(ctx->session))) { if (ret == GNUTLS_E_AGAIN) continue; break; } } if (ret != GNUTLS_E_SUCCESS) { rfbssl_error(__func__, ret); } else { cl->sslctx = (rfbSslCtx *)ctx; rfbLog("%s protocol initialized\n", gnutls_protocol_get_name(gnutls_protocol_get_version(ctx->session))); } return ret; }
static void main_latex(void) { int i, j; const char* desc; const char* _name; puts( headers); printf("\\begin{supertabular}{|p{.64\\linewidth}|p{.12\\linewidth}|p{.09\\linewidth}|}\n"); { size_t i; const char *name; char id[2]; gnutls_kx_algorithm_t kx; gnutls_cipher_algorithm_t cipher; gnutls_mac_algorithm_t mac; gnutls_protocol_t version; for (i = 0; (name = gnutls_cipher_suite_info (i, id, &kx, &cipher, &mac, &version)); i++) { printf ("{\\small{%s}} & \\code{0x%02X 0x%02X} & %s", escape_string(name, buffer, sizeof(buffer)), (unsigned char) id[0], (unsigned char) id[1], gnutls_protocol_get_name (version)); printf( "\\\\\n"); } printf("\\end{supertabular}\n\n"); } return; }
bool ConnSSL_GetCipherInfo(CONNECTION *c, char *buf, size_t len) { #ifdef HAVE_LIBSSL char *nl; SSL *ssl = c->ssl_state.ssl; if (!ssl) return false; *buf = 0; SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, len); nl = strchr(buf, '\n'); if (nl) *nl = 0; return true; #endif #ifdef HAVE_LIBGNUTLS if (Conn_OPTION_ISSET(c, CONN_SSL)) { const char *name_cipher, *name_mac, *name_proto, *name_keyexchange; unsigned keysize; gnutls_session_t sess = c->ssl_state.gnutls_session; gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(sess); name_cipher = gnutls_cipher_get_name(cipher); name_mac = gnutls_mac_get_name(gnutls_mac_get(sess)); keysize = gnutls_cipher_get_key_size(cipher) * 8; name_proto = gnutls_protocol_get_name(gnutls_protocol_get_version(sess)); name_keyexchange = gnutls_kx_get_name(gnutls_kx_get(sess)); return snprintf(buf, len, "%s-%s%15s Kx=%s Enc=%s(%u) Mac=%s", name_cipher, name_mac, name_proto, name_keyexchange, name_cipher, keysize, name_mac) > 0; } return false; #endif }
char * SSL_CIPHER_description (SSL_CIPHER * cipher, char *buf, int size) { char *tmpbuf; int tmpsize; int local_alloc; if (buf) { tmpbuf = buf; tmpsize = size; local_alloc = 0; } else { tmpbuf = (char *) malloc (128); tmpsize = 128; local_alloc = 1; } if (snprintf (tmpbuf, tmpsize, "%s %s %s %s", gnutls_protocol_get_name (cipher->version), gnutls_kx_get_name (cipher->kx), gnutls_cipher_get_name (cipher->cipher), gnutls_mac_get_name (cipher->mac)) == -1) { if (local_alloc) free (tmpbuf); return (char *) "Buffer too small"; } return tmpbuf; }
static void tls_print_session_info(const host_addr_t addr, uint16 port, gnutls_session session, bool incoming) { const char *proto, *cert, *kx, *ciph, *mac, *comp; g_return_if_fail(session); proto = gnutls_protocol_get_name(gnutls_protocol_get_version(session)); cert = gnutls_certificate_type_get_name( gnutls_certificate_type_get(session)); kx = gnutls_kx_get_name(gnutls_kx_get(session)); comp = gnutls_compression_get_name(gnutls_compression_get(session)); ciph = gnutls_cipher_get_name(gnutls_cipher_get(session)); mac = gnutls_mac_get_name(gnutls_mac_get (session)); g_debug( "TLS session info (%s):\n" " Host: %s\n" " Protocol: %s\n" " Certificate: %s\n" " Key Exchange: %s\n" " Cipher: %s\n" " MAC: %s\n" " Compression: %s", incoming ? "incoming" : "outgoing", host_addr_port_to_string(addr, port), NULL_STRING(proto), NULL_STRING(cert), NULL_STRING(kx), NULL_STRING(ciph), NULL_STRING(mac), NULL_STRING(comp) ); }
static void do_fork_stuff(gnutls_session_t session) { pid_t pid; int ret; char buf[64]; /* separate sending from receiving */ pid = fork(); if (pid == -1) { exit(1); } else if (pid != 0) { if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); sec_sleep(1); /* the server should reflect our messages */ ret = gnutls_record_recv(session, buf, sizeof(buf)); if (ret != sizeof(MSG)-1 || memcmp(buf, MSG, sizeof(MSG)-1) != 0) { fail("client: recv failed: %s\n", gnutls_strerror(ret)); exit(1); } if (debug) { fprintf(stderr, "client received: %.*s\n", ret, buf); } ret = gnutls_record_recv(session, buf, sizeof(buf)); if (ret != sizeof(MSG2)-1 || memcmp(buf, MSG2, sizeof(MSG2)-1) != 0) { fail("client: recv2 failed: %s\n", gnutls_strerror(ret)); exit(1); } if (debug) { fprintf(stderr, "client received: %.*s\n", ret, buf); } ret = gnutls_record_recv(session, buf, sizeof(buf)); if (ret != 0) { fail("client: recv3 failed: %s\n", gnutls_strerror(ret)); exit(1); } } else if (pid == 0) { /* child */ ret = gnutls_record_send(session, MSG, sizeof(MSG)-1); if (ret != sizeof(MSG)-1) { fail("client: send failed: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_record_send(session, MSG2, sizeof(MSG2)-1); if (ret != sizeof(MSG2)-1) { fail("client: send2 failed: %s\n", gnutls_strerror(ret)); exit(1); } sec_sleep(2); gnutls_bye(session, GNUTLS_SHUT_WR); } }
static void server (int fd, const char* prio) { int ret; char buffer[MAX_BUF + 1]; gnutls_session_t session; /* this must be called once in the program */ gnutls_global_init (); memset(buffer, 0, sizeof(buffer)); if (debug) { gnutls_global_set_log_function (server_log_func); gnutls_global_set_log_level (4711); } gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_anon_allocate_server_credentials (&anoncred); session = initialize_tls_session (prio); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd); do { ret = gnutls_handshake (session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close (fd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); terminate(); } if (debug) success ("server: Handshake was completed\n"); if (debug) success ("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); close(fd); gnutls_deinit (session); gnutls_anon_free_server_credentials (anoncred); gnutls_certificate_free_credentials (x509_cred); gnutls_global_deinit (); if (debug) success ("server: finished\n"); }
my_bool ma_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version) { if (!cssl || !cssl->ssl) return 1; version->iversion= gnutls_protocol_get_version(cssl->ssl); version->cversion= (char *)gnutls_protocol_get_name(version->iversion); return 0; }
wxString CTlsSocket::GetProtocolName() { wxString protocol = _("unknown"); const char* s = gnutls_protocol_get_name( gnutls_protocol_get_version( m_session ) ); if (s && *s) protocol = wxString(s, wxConvUTF8); return protocol; }
/* This function will log some details of the given session. */ static void logtlsinfo (gnutls_session_t session) { gnutls_credentials_type_t cred; const char *protocol = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); gnutls_kx_algorithm_t kx = gnutls_kx_get (session); const char *keyexchange = gnutls_kx_get_name (kx); const char *certtype = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); const char *cipher = gnutls_cipher_get_name (gnutls_cipher_get (session)); const char *mac = gnutls_mac_get_name (gnutls_mac_get (session)); const char *compression = gnutls_compression_get_name (gnutls_compression_get (session)); int resumedp = gnutls_session_is_resumed (session); /* This message can arguably belong to LOG_AUTH. */ syslog (LOG_INFO, "TLS handshake negotiated protocol `%s', " "key exchange `%s', certficate type `%s', cipher `%s', " "mac `%s', compression `%s', %s", protocol ? protocol : "N/A", keyexchange ? keyexchange : "N/A", certtype ? certtype : "N/A", cipher ? cipher : "N/A", mac ? mac : "N/A", compression ? compression : "N/A", resumedp ? "resumed session" : "session not resumed"); cred = gnutls_auth_get_type (session); switch (cred) { case GNUTLS_CRD_ANON: syslog (LOG_INFO | LOG_DAEMON, "TLS anonymous authentication with %d bit Diffie-Hellman", gnutls_dh_get_prime_bits (session)); break; case GNUTLS_CRD_CERTIFICATE: if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) syslog (LOG_INFO | LOG_DAEMON, "TLS certificate authentication with %d bits " "ephemeral Diffie-Hellman", gnutls_dh_get_prime_bits (session)); logcertinfo (session); break; case GNUTLS_CRD_SRP: case GNUTLS_CRD_PSK: case GNUTLS_CRD_IA: default: syslog (LOG_ERR | LOG_DAEMON, "Unknown TLS authentication (%d)", cred); break; } }
const char * rb_ssl_get_cipher(rb_fde_t *F) { static char buf[1024]; snprintf(buf, sizeof(buf), "%s-%s-%s-%s", gnutls_protocol_get_name(gnutls_protocol_get_version(SSL_P(F))), gnutls_kx_get_name(gnutls_kx_get(SSL_P(F))), gnutls_cipher_get_name(gnutls_cipher_get(SSL_P(F))), gnutls_mac_get_name(gnutls_mac_get(SSL_P(F)))); return buf; }
static void client(int fd, const char *prio) { int ret; gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(7); } gnutls_certificate_allocate_credentials(&x509_cred); assert(gnutls_init(&session, GNUTLS_CLIENT)>=0); assert(gnutls_priority_set_direct(session, prio, NULL)>=0); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); terminate(); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); }
static void client(int fd) { int ret; gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; gnutls_certificate_allocate_credentials(&x509_cred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL)>=0); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); }
const char * SSL_CIPHER_get_version (SSL_CIPHER * cipher) { const char *ret; if (!cipher) return ("(NONE)"); ret = gnutls_protocol_get_name (cipher->version); if (ret) return ret; return ("unknown"); }
wxString CTlsSocket::ListTlsCiphers(wxString priority) { if (priority.IsEmpty()) priority = wxString::FromUTF8(ciphers); wxString list = wxString::Format(_T("Ciphers for %s:\n"), priority.c_str()); #if GNUTLS_VERSION_NUMBER >= 0x030009 gnutls_priority_t pcache; const char *err = 0; int ret = gnutls_priority_init(&pcache, priority.mb_str(), &err); if (ret < 0) { list += wxString::Format(_T("gnutls_priority_init failed with code %d: %s"), ret, wxString::FromUTF8(err ? err : "").c_str()); return list; } else { for (size_t i = 0; ; i++) { unsigned int idx; ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) continue; gnutls_protocol_t version; unsigned char id[2]; const char* name = gnutls_cipher_suite_info(idx, id, NULL, NULL, NULL, &version); if (name != 0) { list += wxString::Format( _T("%-50s 0x%02x, 0x%02x %s\n"), wxString::FromUTF8(name).c_str(), (unsigned char)id[0], (unsigned char)id[1], wxString::FromUTF8(gnutls_protocol_get_name(version)).c_str()); } } } #else list += _T("Unknown\n"); #endif return list; }
static void print_cipher_suite_list(const char *priorities) { size_t i; int ret; unsigned int idx; const char *name; const char *err; unsigned char id[2]; gnutls_protocol_t version; gnutls_priority_t pcache; if (priorities != NULL) { printf("Cipher suites for %s\n", priorities); ret = gnutls_priority_init(&pcache, priorities, &err); if (ret < 0) { fprintf(stderr, "Syntax error at: %s\n", err); exit(1); } for (i = 0;; i++) { ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) continue; name = gnutls_cipher_suite_info(idx, id, NULL, NULL, NULL, &version); if (name != NULL) printf("%-50s\t0x%02x, 0x%02x\t%s\n", name, (unsigned char) id[0], (unsigned char) id[1], gnutls_protocol_get_name(version)); } return; } }
static void *start_thread(void *arg) { gnutls_session_t session = arg; int ret; char buf[64]; if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); sleep(1); /* the server should reflect our messages */ ret = gnutls_record_recv(session, buf, sizeof(buf)); if (ret != sizeof(MSG)-1 || memcmp(buf, MSG, sizeof(MSG)-1) != 0) { fail("client: recv failed: %s\n", gnutls_strerror(ret)); exit(1); } if (debug) { fprintf(stderr, "client received: %.*s\n", ret, buf); } ret = gnutls_record_recv(session, buf, sizeof(buf)); if (ret != sizeof(MSG2)-1 || memcmp(buf, MSG2, sizeof(MSG2)-1) != 0) { fail("client: recv2 failed: %s\n", gnutls_strerror(ret)); exit(1); } if (debug) { fprintf(stderr, "client received: %.*s\n", ret, buf); } ret = gnutls_record_recv(session, buf, sizeof(buf)); if (ret != 0) { fail("client: recv3 failed: %s\n", gnutls_strerror(ret)); exit(1); } pthread_exit(0); }
static void ConnSSL_LogCertInfo( CONNECTION *c ) { #ifdef HAVE_LIBSSL SSL *ssl = c->ssl_state.ssl; assert(ssl); Log(LOG_INFO, "Connection %d: initialized %s using cipher %s.", c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl)); #endif #ifdef HAVE_LIBGNUTLS gnutls_session_t sess = c->ssl_state.gnutls_session; gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(sess); Log(LOG_INFO, "Connection %d: initialized %s using cipher %s-%s.", c->sock, gnutls_protocol_get_name(gnutls_protocol_get_version(sess)), gnutls_cipher_get_name(cipher), gnutls_mac_get_name(gnutls_mac_get(sess))); #endif }
static void construct_cipher_name(gnutls_session session) { static uschar cipherbuf[256]; uschar *ver; int bits, c, kx, mac; ver = string_copy( US gnutls_protocol_get_name(gnutls_protocol_get_version(session))); if (Ustrncmp(ver, "TLS ", 4) == 0) ver[3] = '-'; /* Don't want space */ c = gnutls_cipher_get(session); bits = gnutls_cipher_get_key_size(c); mac = gnutls_mac_get(session); kx = gnutls_kx_get(session); string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver, gnutls_cipher_suite_get_name(kx, c, mac), bits); tls_cipher = cipherbuf; DEBUG(D_tls) debug_printf("cipher: %s\n", cipherbuf); }
void GnuTLSClientAnon::getCertInfo() { m_certInfo.status = CertOk; const char* info; info = gnutls_compression_get_name( gnutls_compression_get( *m_session ) ); if( info ) m_certInfo.compression = info; info = gnutls_mac_get_name( gnutls_mac_get( *m_session ) ); if( info ) m_certInfo.mac = info; info = gnutls_cipher_get_name( gnutls_cipher_get( *m_session ) ); if( info ) m_certInfo.cipher = info; info = gnutls_protocol_get_name( gnutls_protocol_get_version( *m_session ) ); if( info ) m_certInfo.protocol = info; m_valid = true; }
void server (void) { client_len = sizeof (sa_cli); session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); success ("server: connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); return; } success ("server: Handshake was completed\n"); success ("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ print_info(session); i = 0; for (;;) { bzero (buffer, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("server: Peer has closed the GNUTLS connection\n"); break; } else if (ret < 0) { fail ("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); close (listen_sd); gnutls_certificate_free_credentials (x509_cred); gnutls_global_deinit (); success ("server: finished\n"); }
void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&xcred); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (xcred, &cert, &key, GNUTLS_X509_FMT_PEM); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { success ("client: Handshake was completed\n"); } success ("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ print_info(session); gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_global_deinit (); }
void print_list (const char *priorities, int verbose) { size_t i; int ret; unsigned int idx; const char *name; const char *err; unsigned char id[2]; gnutls_kx_algorithm_t kx; gnutls_cipher_algorithm_t cipher; gnutls_mac_algorithm_t mac; gnutls_protocol_t version; gnutls_priority_t pcache; const unsigned int *list; if (priorities != NULL) { printf ("Cipher suites for %s\n", priorities); ret = gnutls_priority_init (&pcache, priorities, &err); if (ret < 0) { fprintf (stderr, "Syntax error at: %s\n", err); exit (1); } for (i = 0;; i++) { ret = gnutls_priority_get_cipher_suite_index (pcache, i, &idx); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) continue; name = gnutls_cipher_suite_info (idx, id, NULL, NULL, NULL, &version); if (name != NULL) printf ("%-50s\t0x%02x, 0x%02x\t%s\n", name, (unsigned char) id[0], (unsigned char) id[1], gnutls_protocol_get_name (version)); } printf("\n"); { ret = gnutls_priority_certificate_type_list (pcache, &list); printf ("Certificate types: "); if (ret == 0) printf("none\n"); for (i = 0; i < (unsigned)ret; i++) { printf ("CTYPE-%s", gnutls_certificate_type_get_name (list[i])); if (i+1!=(unsigned)ret) printf (", "); else printf ("\n"); } } { ret = gnutls_priority_protocol_list (pcache, &list); printf ("Protocols: "); if (ret == 0) printf("none\n"); for (i = 0; i < (unsigned)ret; i++) { printf ("VERS-%s", gnutls_protocol_get_name (list[i])); if (i+1!=(unsigned)ret) printf (", "); else printf ("\n"); } } { ret = gnutls_priority_compression_list (pcache, &list); printf ("Compression: "); if (ret == 0) printf("none\n"); for (i = 0; i < (unsigned)ret; i++) { printf ("COMP-%s", gnutls_compression_get_name (list[i])); if (i+1!=(unsigned)ret) printf (", "); else printf ("\n"); } } { ret = gnutls_priority_ecc_curve_list (pcache, &list); printf ("Elliptic curves: "); if (ret == 0) printf("none\n"); for (i = 0; i < (unsigned)ret; i++) { printf ("CURVE-%s", gnutls_ecc_curve_get_name (list[i])); if (i+1!=(unsigned)ret) printf (", "); else printf ("\n"); } } { ret = gnutls_priority_sign_list (pcache, &list); printf ("PK-signatures: "); if (ret == 0) printf("none\n"); for (i = 0; i < (unsigned)ret; i++) { printf ("SIGN-%s", gnutls_sign_algorithm_get_name (list[i])); if (i+1!=(unsigned)ret) printf (", "); else printf ("\n"); } } return; } printf ("Cipher suites:\n"); for (i = 0; (name = gnutls_cipher_suite_info (i, id, &kx, &cipher, &mac, &version)); i++) { printf ("%-50s\t0x%02x, 0x%02x\t%s\n", name, (unsigned char) id[0], (unsigned char) id[1], gnutls_protocol_get_name (version)); if (verbose) printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n", gnutls_kx_get_name (kx), gnutls_cipher_get_name (cipher), gnutls_mac_get_name (mac)); } printf("\n"); { const gnutls_certificate_type_t *p = gnutls_certificate_type_list (); printf ("Certificate types: "); for (; *p; p++) { printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_protocol_t *p = gnutls_protocol_list (); printf ("Protocols: "); for (; *p; p++) { printf ("VERS-%s", gnutls_protocol_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_cipher_algorithm_t *p = gnutls_cipher_list (); printf ("Ciphers: "); for (; *p; p++) { printf ("%s", gnutls_cipher_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_mac_algorithm_t *p = gnutls_mac_list (); printf ("MACs: "); for (; *p; p++) { printf ("%s", gnutls_mac_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_kx_algorithm_t *p = gnutls_kx_list (); printf ("Key exchange algorithms: "); for (; *p; p++) { printf ("%s", gnutls_kx_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_compression_method_t *p = gnutls_compression_list (); printf ("Compression: "); for (; *p; p++) { printf ("COMP-%s", gnutls_compression_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list (); printf ("Elliptic curves: "); for (; *p; p++) { printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_pk_algorithm_t *p = gnutls_pk_list (); printf ("Public Key Systems: "); for (; *p; p++) { printf ("%s", gnutls_pk_algorithm_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } { const gnutls_sign_algorithm_t *p = gnutls_sign_list (); printf ("PK-signatures: "); for (; *p; p++) { printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p)); if (*(p + 1)) printf (", "); else printf ("\n"); } } }
int print_info (gnutls_session_t session, int print_cert) { const char *tmp; gnutls_credentials_type_t cred; gnutls_kx_algorithm_t kx; unsigned char session_id[33]; size_t session_id_size = sizeof (session_id); /* print session ID */ gnutls_session_get_id (session, session_id, &session_id_size); printf ("- Session ID: %s\n", raw_to_string (session_id, session_id_size)); /* print the key exchange's algorithm name */ kx = gnutls_kx_get (session); cred = gnutls_auth_get_type (session); switch (cred) { #ifdef ENABLE_ANON case GNUTLS_CRD_ANON: if (kx == GNUTLS_KX_ANON_ECDH) print_ecdh_info (session, "Anonymous "); else print_dh_info (session, "Anonymous ", verbose); break; #endif #ifdef ENABLE_SRP case GNUTLS_CRD_SRP: /* This should be only called in server * side. */ if (gnutls_srp_server_get_username (session) != NULL) printf ("- SRP authentication. Connected as '%s'\n", gnutls_srp_server_get_username (session)); break; #endif #ifdef ENABLE_PSK case GNUTLS_CRD_PSK: /* This returns NULL in server side. */ if (gnutls_psk_client_get_hint (session) != NULL) printf ("- PSK authentication. PSK hint '%s'\n", gnutls_psk_client_get_hint (session)); /* This returns NULL in client side. */ if (gnutls_psk_server_get_username (session) != NULL) printf ("- PSK authentication. Connected as '%s'\n", gnutls_psk_server_get_username (session)); if (kx == GNUTLS_KX_DHE_PSK) print_dh_info (session, "Ephemeral ", verbose); if (kx == GNUTLS_KX_ECDHE_PSK) print_ecdh_info (session, "Ephemeral "); break; #endif case GNUTLS_CRD_IA: printf ("- TLS/IA authentication\n"); break; case GNUTLS_CRD_CERTIFICATE: { char dns[256]; size_t dns_size = sizeof (dns); unsigned int type; /* This fails in client side */ if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0) { printf ("- Given server name[%d]: %s\n", type, dns); } } print_cert_info (session, verbose?GNUTLS_CRT_PRINT_FULL:GNUTLS_CRT_PRINT_COMPACT, print_cert); if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) print_dh_info (session, "Ephemeral ", verbose); else if (kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA) print_ecdh_info (session, "Ephemeral "); } tmp = SU (gnutls_protocol_get_name (gnutls_protocol_get_version (session))); printf ("- Version: %s\n", tmp); tmp = SU (gnutls_kx_get_name (kx)); printf ("- Key Exchange: %s\n", tmp); tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session))); printf ("- Cipher: %s\n", tmp); tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session))); printf ("- MAC: %s\n", tmp); tmp = SU (gnutls_compression_get_name (gnutls_compression_get (session))); printf ("- Compression: %s\n", tmp); if (verbose) { gnutls_datum_t cb; int rc; rc = gnutls_session_channel_binding (session, GNUTLS_CB_TLS_UNIQUE, &cb); if (rc) fprintf (stderr, "Channel binding error: %s\n", gnutls_strerror (rc)); else { size_t i; printf ("- Channel binding 'tls-unique': "); for (i = 0; i < cb.size; i++) printf ("%02x", cb.data[i]); printf ("\n"); } } /* Warning: Do not print anything more here. The 'Compression:' output MUST be the last non-verbose output. This is used by Emacs starttls.el code. */ fflush (stdout); return 0; }
/* tls_negotiate: After TLS state has been initialised, attempt to negotiate * TLS over the wire, including certificate checks. */ static int tls_negotiate (CONNECTION * conn) { tlssockdata *data; int err; size_t nproto = 0; /* number of tls/ssl protocols */ data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata)); conn->sockdata = data; err = gnutls_certificate_allocate_credentials (&data->xcred); if (err < 0) { FREE(&conn->sockdata); mutt_error ("gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err)); mutt_sleep (2); return -1; } gnutls_certificate_set_x509_trust_file (data->xcred, SslCertFile, GNUTLS_X509_FMT_PEM); /* ignore errors, maybe file doesn't exist yet */ if (SslCACertFile) { gnutls_certificate_set_x509_trust_file (data->xcred, SslCACertFile, GNUTLS_X509_FMT_PEM); } if (SslClientCert) { dprint (2, (debugfile, "Using client certificate %s\n", SslClientCert)); gnutls_certificate_set_x509_key_file (data->xcred, SslClientCert, SslClientCert, GNUTLS_X509_FMT_PEM); } #if HAVE_DECL_GNUTLS_VERIFY_DISABLE_TIME_CHECKS /* disable checking certificate activation/expiration times in gnutls, we do the checks ourselves */ gnutls_certificate_set_verify_flags(data->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS); #endif if ((err = gnutls_init(&data->state, GNUTLS_CLIENT))) { mutt_error ("gnutls_handshake: %s", gnutls_strerror(err)); mutt_sleep (2); goto fail; } /* set socket */ gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd); if (option(OPTTLSV1_2)) protocol_priority[nproto++] = GNUTLS_TLS1_2; if (option(OPTTLSV1_1)) protocol_priority[nproto++] = GNUTLS_TLS1_1; if (option(OPTTLSV1)) protocol_priority[nproto++] = GNUTLS_TLS1; if (option(OPTSSLV3)) protocol_priority[nproto++] = GNUTLS_SSL3; protocol_priority[nproto] = 0; /* disable TLS/SSL protocols as needed */ if (nproto == 0) { mutt_error (_("All available protocols for TLS/SSL connection disabled")); goto fail; } /* else use the list set above */ /* We use default priorities (see gnutls documentation), except for protocol version */ gnutls_set_default_priority (data->state); gnutls_protocol_set_priority (data->state, protocol_priority); if (SslDHPrimeBits > 0) { gnutls_dh_set_prime_bits (data->state, SslDHPrimeBits); } /* gnutls_set_cred (data->state, GNUTLS_ANON, NULL); */ gnutls_credentials_set (data->state, GNUTLS_CRD_CERTIFICATE, data->xcred); err = gnutls_handshake(data->state); while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED) { err = gnutls_handshake(data->state); } if (err < 0) { if (err == GNUTLS_E_FATAL_ALERT_RECEIVED) { mutt_error("gnutls_handshake: %s(%s)", gnutls_strerror(err), gnutls_alert_get_name(gnutls_alert_get(data->state))); } else { mutt_error("gnutls_handshake: %s", gnutls_strerror(err)); } mutt_sleep (2); goto fail; } if (!tls_check_certificate(conn)) goto fail; /* set Security Strength Factor (SSF) for SASL */ /* NB: gnutls_cipher_get_key_size() returns key length in bytes */ conn->ssf = gnutls_cipher_get_key_size (gnutls_cipher_get (data->state)) * 8; tls_get_client_cert (conn); if (!option(OPTNOCURSES)) { mutt_message (_("SSL/TLS connection using %s (%s/%s/%s)"), gnutls_protocol_get_name (gnutls_protocol_get_version (data->state)), gnutls_kx_get_name (gnutls_kx_get (data->state)), gnutls_cipher_get_name (gnutls_cipher_get (data->state)), gnutls_mac_get_name (gnutls_mac_get (data->state))); mutt_sleep (0); } return 0; fail: gnutls_certificate_free_credentials (data->xcred); gnutls_deinit (data->state); FREE(&conn->sockdata); return -1; }
void gtlsGeneric::logSessionInfo(LogWrapperType _logwrapper, gnutls_session_t _session) { const char *tmp; gnutls_credentials_type_t cred; gnutls_kx_algorithm_t kx; // print the key exchange's algorithm name kx = gnutls_kx_get(_session); tmp = gnutls_kx_get_name(kx); BTG_NOTICE(_logwrapper, "- Key Exchange: " << tmp); // Check the authentication type used and switch // to the appropriate. cred = gnutls_auth_get_type(_session); switch (cred) { case GNUTLS_CRD_SRP: { BTG_NOTICE(_logwrapper, "- SRP session"); break; } case GNUTLS_CRD_ANON: { BTG_NOTICE(_logwrapper, "- Anonymous DH using prime of " << gnutls_dh_get_prime_bits (_session) << " bits"); break; } case GNUTLS_CRD_CERTIFICATE: { // Check if we have been using ephemeral Diffie Hellman. if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { BTG_NOTICE(_logwrapper, "- Ephemeral DH using prime of " << gnutls_dh_get_prime_bits(_session) << " bits"); } /* if the certificate list is available, then * print some information about it. */ gtlsGeneric::logX509CertificateInfo(_logwrapper, _session); break; } default: { BTG_NOTICE(_logwrapper, "Unknown cred."); } } /* print the protocol's name (ie TLS 1.0) */ tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(_session)); BTG_NOTICE(_logwrapper, "- Protocol: " << tmp); /* print the certificate type of the peer. * ie X.509 */ tmp = gnutls_certificate_type_get_name(gnutls_certificate_type_get(_session)); BTG_NOTICE(_logwrapper, "- Certificate Type: " << tmp); /* print the compression algorithm (if any) */ tmp = gnutls_compression_get_name(gnutls_compression_get(_session)); BTG_NOTICE(_logwrapper, "- Compression: " << tmp); /* print the name of the cipher used. * ie 3DES. */ tmp = gnutls_cipher_get_name(gnutls_cipher_get(_session)); BTG_NOTICE(_logwrapper, "- Cipher: " << tmp); /* Print the MAC algorithms name. * ie SHA1 */ tmp = gnutls_mac_get_name(gnutls_mac_get(_session)); BTG_NOTICE(_logwrapper, "- MAC: " << tmp); }
static void client(int fd, int profile) { gnutls_session_t session; int ret; gnutls_anon_client_credentials_t anoncred; uint8_t km[MAX_KEY_MATERIAL]; char buf[2 * MAX_KEY_MATERIAL]; gnutls_datum_t cli_key, cli_salt, server_key, server_salt; /* Need to enable anonymous KX specifically. */ global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_client_credentials(&anoncred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM); gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND); gnutls_dtls_set_mtu(session, 1500); /* Use default priorities */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); if (profile) ret = gnutls_srtp_set_profile_direct(session, "SRTP_AES128_CM_HMAC_SHA1_80", NULL); else ret = gnutls_srtp_set_profile_direct(session, "SRTP_NULL_HMAC_SHA1_80", NULL); if (ret < 0) { gnutls_perror(ret); exit(1); } /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: DTLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); ret = gnutls_srtp_get_keys(session, km, sizeof(km), &cli_key, &cli_salt, &server_key, &server_salt); if (ret < 0) { gnutls_perror(ret); exit(1); } if (debug) { size_t size = sizeof(buf); gnutls_hex_encode(&cli_key, buf, &size); success("Client key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&cli_salt, buf, &size); success("Client salt: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_key, buf, &size); success("Server key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_salt, buf, &size); success("Server salt: %s\n", buf); } gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_client_credentials(anoncred); gnutls_global_deinit(); }
static void server(int fd, int profile) { int ret; gnutls_session_t session; gnutls_anon_server_credentials_t anoncred; uint8_t km[MAX_KEY_MATERIAL]; char buf[2 * MAX_KEY_MATERIAL]; gnutls_datum_t cli_key, cli_salt, server_key, server_salt; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_server_credentials(&anoncred); gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND); gnutls_dtls_set_mtu(session, 1500); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); if (profile) ret = gnutls_srtp_set_profile_direct(session, "SRTP_AES128_CM_HMAC_SHA1_80", NULL); else ret = gnutls_srtp_set_profile_direct(session, "SRTP_NULL_HMAC_SHA1_80", NULL); if (ret < 0) { gnutls_perror(ret); exit(1); } gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); ret = gnutls_srtp_get_keys(session, km, sizeof(km), &cli_key, &cli_salt, &server_key, &server_salt); if (ret < 0) { gnutls_perror(ret); exit(1); } if (debug) { size_t size = sizeof(buf); gnutls_hex_encode(&cli_key, buf, &size); success("Client key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&cli_salt, buf, &size); success("Client salt: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_key, buf, &size); success("Server key: %s\n", buf); size = sizeof(buf); gnutls_hex_encode(&server_salt, buf, &size); success("Server salt: %s\n", buf); } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_server_credentials(anoncred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }