bool CTlsSocket::InitSession() { int res = gnutls_init(&m_session, GNUTLS_CLIENT); if (res) { LogError(res, _T("gnutls_init")); Uninit(); return false; } // Even though the name gnutls_db_set_cache_expiration // implies expiration of some cache, it also governs // the actual session lifetime, independend whether the // session is cached or not. gnutls_db_set_cache_expiration(m_session, 100000000); res = gnutls_priority_set_direct(m_session, ciphers, 0); if (res) { LogError(res, _T("gnutls_priority_set_direct")); Uninit(); return false; } gnutls_dh_set_prime_bits(m_session, 512); gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials); // Setup transport functions gnutls_transport_set_push_function(m_session, PushFunction); gnutls_transport_set_pull_function(m_session, PullFunction); gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this); return true; }
struct tls_connection * tls_connection_init(void *ssl_ctx) { struct tls_connection *conn; const int cert_types[2] = { GNUTLS_CRT_X509, 0 }; const int protos[2] = { GNUTLS_TLS1, 0 }; conn = malloc(sizeof(*conn)); if (conn == NULL) return NULL; memset(conn, 0, sizeof(*conn)); if (gnutls_init(&conn->session, GNUTLS_CLIENT) < 0) { wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS " "connection"); free(conn); return NULL; } gnutls_set_default_priority(conn->session); gnutls_certificate_type_set_priority(conn->session, cert_types); gnutls_protocol_set_priority(conn->session, protos); gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn); gnutls_certificate_allocate_credentials(&conn->xcred); return conn; }
//general tls stuff------------------------------------------------------------- static gnutls_session_t initialize_tls_session(bool sServer, gnutls_srp_client_credentials_t &cClient, const struct sockaddr *aAddress, socklen_t lLength, const char *aActual) { gnutls_session_t session; gnutls_init(&session, sServer? GNUTLS_SERVER : GNUTLS_CLIENT); if (use_srp_auth) { gnutls_priority_set_direct(session, sServer? "NORMAL:+SRP" : "PERFORMANCE:+SRP", NULL); if (!sServer) set_client_passwd(cClient, aAddress, lLength, aActual); gnutls_credentials_set(session, GNUTLS_CRD_SRP, sServer? (void*) srp_server : (void*) cClient); } else { gnutls_priority_set_direct(session, sServer? "NORMAL:+ANON-DH" : "PERFORMANCE:+ANON-DH", NULL); gnutls_credentials_set(session, GNUTLS_CRD_ANON, credentials); } gnutls_dh_set_prime_bits(session, 1024); gnutls_transport_set_push_function(session, (gnutls_push_func) &write_wrapper); gnutls_transport_set_pull_function(session, (gnutls_pull_func) &read_wrapper); return session; }
static gnutls_session new_tls_session(int sock) { int ret; gnutls_session session; const int kx_priority[] = { GNUTLS_KX_ANON_DH, #ifdef GNUTLS_SRP_ENABLED GNUTLS_KX_SRP, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA, #endif 0 }; gnutls_init(&session, GNUTLS_SERVER); gnutls_set_default_priority(session); gnutls_kx_set_priority(session, kx_priority); #ifdef GNUTLS_SRP_ENABLED gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred); gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); #endif gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_ptr(session, fd_to_ptr(sock)); gnutls_transport_set_pull_function(session, tls_pull); gnutls_transport_set_push_function(session, tls_push); ret = gnutls_handshake(session); if ( ret < 0 ) { fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret)); gnutls_alert_send_appropriate(session, ret); return NULL; } return session; }
static rfbBool InitializeTLSSession(rfbClient* client, rfbBool anonTLS) { int ret; const char *p; if (client->tlsSession) return TRUE; if ((ret = gnutls_init((gnutls_session_t*)&client->tlsSession, GNUTLS_CLIENT)) < 0) { rfbClientLog("Failed to initialized TLS session: %s.\n", gnutls_strerror(ret)); return FALSE; } if ((ret = gnutls_priority_set_direct((gnutls_session_t)client->tlsSession, anonTLS ? rfbAnonTLSPriority : rfbTLSPriority, &p)) < 0) { rfbClientLog("Warning: Failed to set TLS priority: %s (%s).\n", gnutls_strerror(ret), p); } gnutls_transport_set_ptr((gnutls_session_t)client->tlsSession, (gnutls_transport_ptr_t)client); gnutls_transport_set_push_function((gnutls_session_t)client->tlsSession, PushTLS); gnutls_transport_set_pull_function((gnutls_session_t)client->tlsSession, PullTLS); rfbClientLog("TLS session initialized.\n"); return TRUE; }
bool CTlsSocket::Init() { // This function initializes GnuTLS int res = gnutls_global_init(); if (res) { LogError(res); return false; } m_initialized = true; res = gnutls_certificate_allocate_credentials(&m_certCredentials); if (res < 0) { LogError(res); Uninit(); return false; } res = gnutls_init(&m_session, GNUTLS_CLIENT); if (res) { LogError(res); Uninit(); return false; } res = gnutls_set_default_priority(m_session); if (res) { LogError(res); Uninit(); return false; } // Set which type of certificates we accept const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; gnutls_certificate_type_set_priority(m_session, cert_type_priority); if (res) { LogError(res); Uninit(); return false; } gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials); // Setup transport functions gnutls_transport_set_push_function(m_session, PushFunction); gnutls_transport_set_pull_function(m_session, PullFunction); gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this); gnutls_transport_set_lowat(m_session, 0); m_shutdown_requested = false; // At this point, we can start shaking hands. return true; }
static int tls_handshake (struct ikstls_data **datap, ikstransport *trans, void *sock) { const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; struct ikstls_data *data; int ret; *datap = NULL; data = iks_malloc (sizeof(*data)); if (!data) return IKS_NOMEM; memset (data, 0, sizeof(*data)); data->trans = trans; data->sock = sock; data->timeout = -1; if (gnutls_global_init () != 0) { iks_free (data); return IKS_NOMEM; } if (gnutls_certificate_allocate_credentials (&data->cred) < 0) { iks_free (data); return IKS_NOMEM; } if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { gnutls_certificate_free_credentials (data->cred); iks_free (data); return IKS_NOMEM; } gnutls_protocol_set_priority (data->sess, protocol_priority); gnutls_cipher_set_priority(data->sess, cipher_priority); gnutls_compression_set_priority(data->sess, comp_priority); gnutls_kx_set_priority(data->sess, kx_priority); gnutls_mac_set_priority(data->sess, mac_priority); gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); gnutls_transport_set_ptr (data->sess, data); ret = gnutls_handshake (data->sess); if (ret != 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); iks_free (data); return IKS_NET_TLSFAIL; } *datap = data; return IKS_OK; }
TLSSocket::TLSSocket(std::shared_ptr<TLSSession> session, std::shared_ptr<socket> sok) : m_session(session), m_wrapped(sok), m_connected(false), m_handshaking(false), m_ex(NULL) { gnutls_transport_set_ptr(*m_session->m_gnutlsSession, this); gnutls_transport_set_push_function(*m_session->m_gnutlsSession, gnutlsPushFunc); gnutls_transport_set_pull_function(*m_session->m_gnutlsSession, gnutlsPullFunc); }
liGnuTLSFilter* li_gnutls_filter_new( liServer *srv, liWorker *wrk, const liGnuTLSFilterCallbacks *callbacks, gpointer data, gnutls_session_t session, liStream *crypt_source, liStream *crypt_drain ) { liEventLoop *loop = crypt_source->loop; liGnuTLSFilter *f; liCQLimit *out_limit; f = g_slice_new0(liGnuTLSFilter); f->refcount = 5; /* 1 + 4 streams */ f->callbacks = callbacks; f->callback_data = data; f->srv = srv; f->wrk = wrk; f->session = session; gnutls_transport_set_ptr(f->session, (gnutls_transport_ptr_t) f); gnutls_transport_set_push_function(f->session, stream_push); #ifdef HAVE_GIOVEC gnutls_transport_set_vec_push_function(f->session, stream_pushv); #endif gnutls_transport_set_pull_function(f->session, stream_pull); gnutls_session_set_ptr(f->session, f); gnutls_handshake_set_post_client_hello_function(f->session, post_client_hello_cb); f->initial_handshaked_finished = 0; f->closing = f->aborted = 0; f->write_wants_read = 0; li_stream_init(&f->crypt_source, loop, stream_crypt_source_cb); li_stream_init(&f->crypt_drain, loop, stream_crypt_drain_cb); li_stream_init(&f->plain_source, loop, stream_plain_source_cb); li_stream_init(&f->plain_drain, loop, stream_plain_drain_cb); /* "virtual" connections - the content goes through SSL */ li_stream_connect(&f->plain_drain, &f->crypt_source); li_stream_connect(&f->crypt_drain, &f->plain_source); li_stream_connect(crypt_source, &f->crypt_drain); li_stream_connect(&f->crypt_source, crypt_drain); /* separate limit for buffer of encrypted data * * f->plain_drain is already connected to f->crypt_source, * so they won't share the same limit */ out_limit = li_cqlimit_new(); out_limit->notify = stream_crypt_source_limit_notify_cb; out_limit->context = f; li_cqlimit_set_limit(out_limit, 32*1024); li_chunkqueue_set_limit(crypt_drain->out, out_limit); li_chunkqueue_set_limit(f->crypt_source.out, out_limit); li_cqlimit_release(out_limit); return f; }
/** * Enables SSL for the given connection. * * @param connection The connection to enable SSL for. * * @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection * is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when * SSL initialization, setup, or handshake fails. */ idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection) { if (!connection || connection->ssl_data) return IDEVICE_E_INVALID_ARG; idevice_error_t ret = IDEVICE_E_SSL_ERROR; uint32_t return_me = 0; ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); /* Set up GnuTLS... */ debug_info("enabling SSL mode"); errno = 0; gnutls_global_init(); gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate); gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback); gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT); gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL); gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate); gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc); gnutls_x509_crt_init(&ssl_data_loc->root_cert); gnutls_x509_crt_init(&ssl_data_loc->host_cert); gnutls_x509_privkey_init(&ssl_data_loc->root_privkey); gnutls_x509_privkey_init(&ssl_data_loc->host_privkey); userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert); if (uerr != USERPREF_E_SUCCESS) { debug_info("Error %d when loading keys and certificates! %d", uerr); } debug_info("GnuTLS step 1..."); gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection); debug_info("GnuTLS step 2..."); gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write); debug_info("GnuTLS step 3..."); gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read); debug_info("GnuTLS step 4 -- now handshaking..."); if (errno) debug_info("WARN: errno says %s before handshake!", strerror(errno)); return_me = gnutls_handshake(ssl_data_loc->session); debug_info("GnuTLS handshake done..."); if (return_me != GNUTLS_E_SUCCESS) { internal_ssl_cleanup(ssl_data_loc); free(ssl_data_loc); debug_info("GnuTLS reported something wrong."); gnutls_perror(return_me); debug_info("oh.. errno says %s", strerror(errno)); } else { connection->ssl_data = ssl_data_loc; ret = IDEVICE_E_SUCCESS; debug_info("SSL mode enabled"); } return ret; }
GIOChannel *g_io_channel_gnutls_new(int fd) { GIOGnuTLSChannel *gnutls_channel; GIOChannel *channel; int err; DBG(""); gnutls_channel = g_new(GIOGnuTLSChannel, 1); channel = (GIOChannel *) gnutls_channel; g_io_channel_init(channel); channel->funcs = &gnutls_channel_funcs; gnutls_channel->fd = fd; channel->is_seekable = FALSE; channel->is_readable = TRUE; channel->is_writeable = TRUE; channel->do_encode = FALSE; g_io_gnutls_global_init(); err = gnutls_init(&gnutls_channel->session, GNUTLS_CLIENT); if (err < 0) { g_free(gnutls_channel); return NULL; } gnutls_transport_set_ptr(gnutls_channel->session, gnutls_channel); gnutls_transport_set_push_function(gnutls_channel->session, g_io_gnutls_push_func); gnutls_transport_set_pull_function(gnutls_channel->session, g_io_gnutls_pull_func); #if GNUTLS_VERSION_NUMBER < 0x020c00 gnutls_transport_set_lowat(gnutls_channel->session, 0); gnutls_priority_set_direct(gnutls_channel->session, "NORMAL:%COMPAT", NULL); #else gnutls_priority_set_direct(gnutls_channel->session, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL); #endif gnutls_certificate_allocate_credentials(&gnutls_channel->cred); gnutls_credentials_set(gnutls_channel->session, GNUTLS_CRD_CERTIFICATE, gnutls_channel->cred); DBG("channel %p", channel); return channel; }
void InitSession(StreamSocket* user, bool me_server) { gnutls_init(&sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT); profile->SetupSession(sess); gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(user)); gnutls_transport_set_push_function(sess, gnutls_push_wrapper); gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper); if (me_server) gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); // Request client certificate if any. }
static int tls_gnutls_init_session(struct tls_global *global, struct tls_connection *conn) { #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 const char *err; #else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */ const int cert_types[2] = { GNUTLS_CRT_X509, 0 }; const int protos[2] = { GNUTLS_TLS1, 0 }; #endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */ int ret; ret = gnutls_init(&conn->session, global->server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (ret < 0) { wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS " "connection: %s", gnutls_strerror(ret)); return -1; } ret = gnutls_set_default_priority(conn->session); if (ret < 0) goto fail; #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0", &err); if (ret < 0) { wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at " "'%s'", err); goto fail; } #else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */ ret = gnutls_certificate_type_set_priority(conn->session, cert_types); if (ret < 0) goto fail; ret = gnutls_protocol_set_priority(conn->session, protos); if (ret < 0) goto fail; #endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */ gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn); return 0; fail: wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s", gnutls_strerror(ret)); gnutls_deinit(conn->session); return -1; }
static int handshake (struct stream_data *data) { const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; int ret; #ifndef WIN32 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); #endif if (gnutls_global_init () != 0) return IKS_NOMEM; if (gnutls_certificate_allocate_credentials (&data->cred) < 0) return IKS_NOMEM; if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { gnutls_certificate_free_credentials (data->cred); return IKS_NOMEM; } gnutls_protocol_set_priority (data->sess, protocol_priority); gnutls_cipher_set_priority(data->sess, cipher_priority); gnutls_compression_set_priority(data->sess, comp_priority); gnutls_kx_set_priority(data->sess, kx_priority); gnutls_mac_set_priority(data->sess, mac_priority); gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); gnutls_transport_set_ptr (data->sess, data->prs); ret = gnutls_handshake (data->sess); if (ret != 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); return IKS_NET_TLSFAIL; } data->flags &= (~SF_TRY_SECURE); data->flags |= SF_SECURE; iks_send_header (data->prs, data->server); return IKS_OK; } // HAVE_GNUTLS
void GnuTlsStream::handshake(const GnuTlsServer& server) { log_debug("gnutls_init(session, GNUTLS_SERVER)"); int ret = gnutls_init(&_session, GNUTLS_SERVER); if (ret != 0) throw GnuTlsException("gnutls_init", ret); log_debug("gnutls_set_default_priority"); ret = gnutls_set_default_priority(_session); if (ret != 0) throw GnuTlsException("gnutls_set_default_priority", ret); log_debug("gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, " << server.getCred() << ')'); ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, server.getCred()); if (ret != 0) throw GnuTlsException("gnutls_credentials_set", ret); log_debug("gnutls_dh_set_prime_bits(session, 1024)"); gnutls_dh_set_prime_bits(_session, 1024); _fdInfo.fd = getFd(); _fdInfo.timeout = getTimeout(); log_debug("gnutls_transport_set_ptr(ptr)"); gnutls_transport_set_ptr(_session, static_cast<gnutls_transport_ptr_t>(&_fdInfo)); log_debug("gnutls_transport_set_pull_function()"); gnutls_transport_set_pull_function(_session, pull_func); log_debug("gnutls_transport_set_push_function()"); gnutls_transport_set_push_function(_session, push_func); // non-blocking/with timeout _fdInfo.timeout = 10000; log_debug("gnutls_handshake"); ret = gnutls_handshake(_session); log_debug("gnutls_handshake => " << ret); if (ret != 0) throw GnuTlsException("gnutls_handshake", ret); _connected = true; _fdInfo.timeout = getTimeout(); log_debug("ssl-handshake was completed"); }
void evcom_stream_assign_fds (evcom_stream *stream, int recvfd, int sendfd) { assert(recvfd >= 0); assert(sendfd >= 0); if (recvfd == sendfd) stream->flags |= EVCOM_DUPLEX; if (set_nonblock(recvfd) != 0) { evcom_perror("set_nonblock(recvfd)", errno); } if (set_nonblock(sendfd) != 0) { evcom_perror("set_nonblock(sendfd)", errno); } #ifdef SO_NOSIGPIPE if (DUPLEX(stream)) { int flags = 1; int r = setsockopt(sendfd, SOL_SOCKET, SO_NOSIGPIPE, &flags, sizeof(flags)); if (r < 0) { evcom_perror("setsockopt(SO_NOSIGPIPE)", errno); } } #endif ev_io_set(&stream->read_watcher, recvfd, EV_READ); ev_io_set(&stream->write_watcher, sendfd, EV_WRITE); stream->recvfd = recvfd; stream->sendfd = sendfd; stream->send_action = stream__connection_established; stream->recv_action = stream__connection_established; stream->flags |= EVCOM_READABLE; stream->flags |= EVCOM_WRITABLE; #if EVCOM_HAVE_GNUTLS if (SECURE(stream)) { gnutls_transport_set_lowat(stream->session, 0); gnutls_transport_set_push_function(stream->session, nosigpipe_push); gnutls_transport_set_pull_function(stream->session, pull); gnutls_transport_set_ptr2(stream->session, stream, stream); } #endif }
TLSSocket_GnuTLS::TLSSocket_GnuTLS( const shared_ptr <TLSSession_GnuTLS>& session, const shared_ptr <socket>& sok ) : m_session(session), m_wrapped(sok), m_connected(false), m_ex(NULL), m_status(0), m_errno(0) { gnutls_transport_set_ptr(*m_session->m_gnutlsSession, this); gnutls_transport_set_push_function(*m_session->m_gnutlsSession, gnutlsPushFunc); gnutls_transport_set_pull_function(*m_session->m_gnutlsSession, gnutlsPullFunc); gnutls_transport_set_errno_function(*m_session->m_gnutlsSession, gnutlsErrnoFunc); }
static gnutls_session_t new_tls_session(int sock) { int ret; gnutls_session_t session; const char *err; #if defined LIBGNUTLS_VERSION_MAJOR && LIBGNUTLS_VERSION_MAJOR >= 3 # define TLS_DH_STR "+ANON-ECDH:+ANON-DH" #else # define TLS_DH_STR "+ANON-DH" #endif #ifdef GNUTLS_SRP_ENABLED const char *pstring = "NORMAL:+SRP:+SRP-DSS:+SRP-RSA:" TLS_DH_STR; #else const char *pstring = "NORMAL:" TLS_DH_STR; #endif gnutls_init(&session, GNUTLS_SERVER); gnutls_set_default_priority(session); ret = gnutls_priority_set_direct(session, pstring, &err); if (ret < 0) { fprintf(stderr, "TLS priority syntax error at: %s\n", err); return NULL; } #ifdef GNUTLS_SRP_ENABLED gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred); gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); #endif gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_ptr(session, fd_to_ptr(sock)); gnutls_transport_set_pull_function(session, tls_pull); gnutls_transport_set_push_function(session, tls_push); ret = gnutls_handshake(session); if ( ret < 0 ) { fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret)); gnutls_alert_send_appropriate(session, ret); return NULL; } return session; }
/** \brief Start the action */ crypto_err_t tls_full_t::start(tls_privctx_t * p_tls_privctx , const pkt_t &p_lower_buf_l2u) throw() { // log to debug KLOG_DBG("enter"); // copy the parameters this->m_tls_privctx = p_tls_privctx; this->m_lower_buf_l2u = p_lower_buf_l2u; // set all the custom read/write function gnutls_session_t gnutls_sess = m_tls_privctx->session(); gnutls_transport_set_ptr(gnutls_sess, (gnutls_transport_ptr_t) this); gnutls_transport_set_pull_function(gnutls_sess, tls_full_c_read_cb); gnutls_transport_set_push_function(gnutls_sess, tls_full_c_write_cb); // return no error return crypto_err_t::OK; }
bool GnuTLSClientAnon::init( const std::string&, const std::string&, const StringList& ) { if( m_initLib && gnutls_global_init() != 0 ) return false; if( gnutls_anon_allocate_client_credentials( &m_anoncred ) < 0 ) return false; if( gnutls_init( m_session, GNUTLS_CLIENT ) != 0 ) return false; #if GNUTLS_VERSION_NUMBER >= 0x020600 int ret = gnutls_priority_set_direct( *m_session, "SECURE128:+PFS:+COMP-ALL:+VERS-TLS-ALL:-VERS-SSL3.0:+SIGN-ALL:+CURVE-ALL", 0 ); if( ret != GNUTLS_E_SUCCESS ) return false; #else const int protocolPriority[] = { #ifdef GNUTLS_TLS1_2 GNUTLS_TLS1_2, #endif GNUTLS_TLS1_1, GNUTLS_TLS1, 0 }; const int protocolPriority[] = { GNUTLS_TLS1, 0 }; const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 }; const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 }; const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; gnutls_protocol_set_priority( *m_session, protocolPriority ); gnutls_cipher_set_priority( *m_session, cipherPriority ); gnutls_compression_set_priority( *m_session, compPriority ); gnutls_kx_set_priority( *m_session, kxPriority ); gnutls_mac_set_priority( *m_session, macPriority ); #endif gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred ); gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this ); gnutls_transport_set_push_function( *m_session, pushFunc ); gnutls_transport_set_pull_function( *m_session, pullFunc ); m_valid = true; return true; }
void Plugin::onDestroy(LightBird::IClient &client) { gnutls_session_t session; if (client.getInformations().contains("gnutls_session")) { session = client.getInformations().value("gnutls_session").value<gnutls_session_t>(); // Properly terminates the TLS session if (client.getSocket().isConnected()) { gnutls_transport_set_pull_function(session, Record::pull); gnutls_transport_set_push_function(session, Plugin::push); gnutls_bye(session, GNUTLS_SHUT_RDWR); } this->handshake->removeTimeout(client); gnutls_deinit(session); } }
/** \brief Start the action */ crypto_err_t tls_resp_t::start() throw() { crypto_err_t crypto_err; // log to debug KLOG_DBG("enter"); // start the tls_privctx_t m_tls_privctx = nipmem_new tls_privctx_t(); crypto_err = m_tls_privctx->start_server(m_profile); if( crypto_err.failed() ) return crypto_err; // set all the custom read/write function gnutls_session_t gnutls_sess = m_tls_privctx->session(); gnutls_transport_set_ptr(gnutls_sess, (gnutls_transport_ptr_t) this); gnutls_transport_set_pull_function(gnutls_sess, tls_resp_c_read_cb); gnutls_transport_set_push_function(gnutls_sess, tls_resp_c_write_cb); // return no error return crypto_err_t::OK; }
void ssl_init(gnutls_session_t *session, gnutls_certificate_credentials_t *xcred, void *push_cb, void *pull_cb, void *pull_timeout_cb) { /* X509 */ gnutls_certificate_allocate_credentials(xcred); gnutls_certificate_set_verify_function(*xcred, _verify_certificate_callback); /* init things! */ gnutls_init(session, GNUTLS_CLIENT); gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, *xcred); gnutls_transport_set_push_function(*session, push_cb); gnutls_transport_set_pull_function(*session, pull_cb); gnutls_transport_set_pull_timeout_function(*session, pull_timeout_cb); /* handshake */ gnutls_handshake(*session); }
my_bool ma_ssl_connect(MARIADB_SSL *cssl) { gnutls_session_t ssl = (gnutls_session_t)cssl->ssl; my_bool blocking; MYSQL *mysql; MARIADB_PVIO *pvio; int ret; mysql= (MYSQL *)gnutls_session_get_ptr(ssl); if (!mysql) return 1; pvio= mysql->net.pvio; /* Set socket to blocking if not already set */ if (!(blocking= pvio->methods->is_blocking(pvio))) pvio->methods->blocking(pvio, TRUE, 0); /* we don't use GnuTLS read/write functions */ gnutls_transport_set_ptr(ssl, pvio); gnutls_transport_set_push_function(ssl, ma_ssl_push); gnutls_transport_set_pull_function(ssl, ma_ssl_pull); gnutls_transport_set_pull_timeout_function(ssl, ma_ssl_pull_timeout); gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT]); do { ret = gnutls_handshake(ssl); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { ma_ssl_set_error(mysql, ret); /* restore blocking mode */ if (!blocking) pvio->methods->blocking(pvio, FALSE, 0); return 1; } cssl->ssl= (void *)ssl; return 0; }
static int tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg ) { struct tls_data *p; tlsg_session *session = arg; assert( sbiod != NULL ); p = LBER_MALLOC( sizeof( *p ) ); if ( p == NULL ) { return -1; } gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p ); gnutls_transport_set_pull_function( session->session, tlsg_recv ); gnutls_transport_set_push_function( session->session, tlsg_send ); p->session = session; p->sbiod = sbiod; sbiod->sbiod_pvt = p; return 0; }
void InitSession(StreamSocket* user, bool me_server) { issl_session* session = &sessions[user->GetFd()]; gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT); session->socket = user; #ifdef GNUTLS_NEW_PRIO_API gnutls_priority_set(session->sess, priority); #endif gnutls_credentials_set(session->sess, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_dh_set_prime_bits(session->sess, dh_bits); gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session)); gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper); gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper); if (me_server) gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any. Handshake(session, user); }
static int tls_gnutls_init_session(struct tls_global *global, struct tls_connection *conn) { const int cert_types[2] = { GNUTLS_CRT_X509, 0 }; const int protos[2] = { GNUTLS_TLS1, 0 }; int ret; ret = gnutls_init(&conn->session, global->server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (ret < 0) { wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS " "connection: %s", gnutls_strerror(ret)); return -1; } ret = gnutls_set_default_priority(conn->session); if (ret < 0) goto fail; ret = gnutls_certificate_type_set_priority(conn->session, cert_types); if (ret < 0) goto fail; ret = gnutls_protocol_set_priority(conn->session, protos); if (ret < 0) goto fail; gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn); return 0; fail: wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s", gnutls_strerror(ret)); gnutls_deinit(conn->session); return -1; }
bool GnuTLSServerAnon::init( const std::string&, const std::string&, const StringList& ) { const int protocolPriority[] = { GNUTLS_TLS1, 0 }; const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 }; const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 }; const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; if( m_initLib && gnutls_global_init() != 0 ) return false; if( gnutls_anon_allocate_server_credentials( &m_anoncred ) < 0 ) return false; generateDH(); gnutls_anon_set_server_dh_params( m_anoncred, m_dhParams ); if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 ) return false; gnutls_protocol_set_priority( *m_session, protocolPriority ); gnutls_cipher_set_priority( *m_session, cipherPriority ); gnutls_compression_set_priority( *m_session, compPriority ); gnutls_kx_set_priority( *m_session, kxPriority ); gnutls_mac_set_priority( *m_session, macPriority ); gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred ); gnutls_dh_set_prime_bits( *m_session, m_dhBits ); gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this ); gnutls_transport_set_push_function( *m_session, pushFunc ); gnutls_transport_set_pull_function( *m_session, pullFunc ); m_valid = true; return true; }
static int tls_gnutls_init_session(struct tls_global *global, struct tls_connection *conn) { const char *err; int ret; ret = gnutls_init(&conn->session, global->server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (ret < 0) { wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS " "connection: %s", gnutls_strerror(ret)); return -1; } ret = gnutls_set_default_priority(conn->session); if (ret < 0) goto fail; ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0", &err); if (ret < 0) { wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at " "'%s'", err); goto fail; } gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr_t) conn); gnutls_session_set_ptr(conn->session, conn); return 0; fail: wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s", gnutls_strerror(ret)); gnutls_deinit(conn->session); return -1; }
static void ekg_gnutls_new_session( GSocketClient *sockclient, GSocketConnection *sock, struct ekg_connection_starter *cs) { gnutls_session_t s; gnutls_certificate_credentials_t cred; struct ekg_gnutls_connection *conn = g_slice_new(struct ekg_gnutls_connection); struct ekg_gnutls_connection_starter *gcs = g_slice_new(struct ekg_gnutls_connection_starter); g_assert(!gnutls_certificate_allocate_credentials(&cred)); g_assert(!gnutls_init(&s, GNUTLS_CLIENT)); g_assert(!gnutls_priority_set_direct(s, "PERFORMANCE", NULL)); /* XXX */ g_assert(!gnutls_credentials_set(s, GNUTLS_CRD_CERTIFICATE, cred)); gnutls_transport_set_pull_function(s, ekg_gnutls_pull); gnutls_transport_set_push_function(s, ekg_gnutls_push); gnutls_transport_set_ptr(s, conn); gcs->parent = cs; gcs->conn = conn; gcs->sockclient = sockclient; conn->session = s; conn->cred = cred; conn->connection_error = NULL; conn->connection = get_connection_by_outstream( ekg_connection_add( sock, g_io_stream_get_input_stream(G_IO_STREAM(sock)), g_io_stream_get_output_stream(G_IO_STREAM(sock)), ekg_gnutls_handle_handshake_input, ekg_gnutls_handle_handshake_failure, gcs) ); g_assert(conn->connection); ekg_gnutls_async_handshake(gcs); }