static void server(int sd, const char *prio)
{
gnutls_psk_server_credentials_t server_pskcred;
int ret;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
side = "server";
gnutls_psk_allocate_server_credentials(&server_pskcred);
gnutls_psk_set_server_credentials_hint(server_pskcred, "hint");
gnutls_psk_set_server_credentials_function(server_pskcred,
pskfunc);
gnutls_psk_set_server_dh_params(server_pskcred, dh_params);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, prio, NULL);
gnutls_credentials_set(session, GNUTLS_CRD_PSK, server_pskcred);
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
gnutls_record_set_timeout(session, 10000);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_psk_free_server_credentials(server_pskcred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
void
server (void)
{
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
return;
}
success ("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
i = 0;
for (;;)
{
bzero (buffer, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
success ("server: Peer has closed the GNUTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
close (listen_sd);
gnutls_psk_free_server_credentials (server_pskcred);
gnutls_global_deinit ();
success ("server: finished\n");
}
int
main (void)
{
int ret;
int sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_srp_client_credentials_t srp_cred;
gnutls_certificate_credentials_t cert_cred;
gnutls_global_init ();
/* now enable the gnutls-extra library which contains the
* SRP stuff.
*/
gnutls_global_init_extra ();
gnutls_srp_allocate_client_credentials (&srp_cred);
gnutls_certificate_allocate_credentials (&cert_cred);
gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_srp_set_client_credentials (srp_cred, USERNAME, PASSWORD);
/* connects to server
*/
sd = tcp_connect ();
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Set the priorities.
*/
gnutls_priority_set_direct (session, "NORMAL:+SRP:+SRP-RSA:+SRP-DSS", NULL);
/* put the SRP credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (gnutls_error_is_fatal (ret) == 1 || ret == 0)
{
if (ret == 0)
{
printf ("- Peer has closed the GNUTLS connection\n");
goto end;
}
else
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
}
else
check_alert (session, ret);
if (ret > 0)
{
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
}
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_srp_free_client_credentials (srp_cred);
gnutls_certificate_free_credentials (cert_cred);
gnutls_global_deinit ();
return 0;
}
mref_err_t mref_fetch_handle(struct mref *m, FILE *h, const char *me) {
char *mhsh, *rhsh, *store;
gnutls_session_t sess;
gnutls_anon_client_credentials_t cred;
int fd = fileno(h);
int err, i, store_good;
unsigned char h_mref[32], h_calc[32];
gcry_md_hd_t ghd;
size_t mhsh_len, ns_len, rhsh_len, store_len;
if (!mref_split(m)) return MREF_ERR_NOT_FIELDS;
store = mref_field_alloc(m, MREF_FLD_STORE);
if (!store) return MREF_ERR_NOMEM;
//printf("store is: %s\n", store);
mhsh = mref_field_alloc(m, MREF_FLD_MESSAGE_HASH);
if (!mhsh) return MREF_ERR_NOMEM;
_mref_b64dec(h_mref, mhsh, mref_field_length(m, MREF_FLD_MESSAGE_HASH));
//printf("mhsh is: %s\n", mhsh);
rhsh = mref_field_alloc(m, MREF_FLD_MREF_HASH);
rhsh_len = mref_field_length(m, MREF_FLD_MREF_HASH);
if (!rhsh) return MREF_ERR_NOMEM;
//printf("rhsh is: %s\n", rhsh);
/*
err = gnutls_global_init();
if (err != GNUTLS_E_SUCCESS) return MREF_ERR_TLS(err);
err = gnutls_init(&sess, GNUTLS_CLIENT);
if (err != GNUTLS_E_SUCCESS) return MREF_ERR_TLS(err);
err = gnutls_credentials_set(sess, GNUTLS_CRD_ANON, &cred);
if (err != GNUTLS_E_SUCCESS) return MREF_ERR_TLS(err);
*/
/*** from info gnutls ***/
{
int ret, sd;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
const char *err;
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
gnutls_session_set_ptr (session, (void *) store);
gnutls_server_name_set (session, GNUTLS_NAME_DNS, store, strlen(store));
/* Use default priorities */
ret = gnutls_priority_set_direct (session, "NORMAL", &err);
if (ret < 0)
{
if (ret == GNUTLS_E_INVALID_REQUEST)
{
fprintf (stderr, "Syntax error at: %s\n", err);
}
exit (1);
}
/* put the x509 credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, mref_cred());
/* connect to the peer
*/
sd = tcp_connect(store);
if (sd == -1) {
gnutls_deinit (session);
return MREF_ERR_CONNECT_FAIL;
}
gnutls_transport_set_int (session, sd);
gnutls_handshake_set_timeout (session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake
*/
do
ret = gnutls_handshake (session);
while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret < 0) {
tcp_close(sd);
gnutls_deinit(session);
return MREF_ERR_TLS(ret);
}
gnutls_record_send (session, rhsh, rhsh_len);
//fprintf(stderr, "sent rhsh, %d bytes\n", rhsh_len);
mref_trace_headers(m, h, sd, me);
state = st_goodbad;
ns_len = 0;
gcry_md_open(&ghd, GCRY_MD_SHA256, 0);
if (!ghd) return MREF_ERR_GCRYPT;
while ((ret = gnutls_record_recv (session, buffer, MAX_BUF)) > 0) {
int i;
for (i = 0; i < ret; ++i) {
switch (state) {
case st_goodbad:
store_good = buffer[i] == '+';
++state;
break;
case st_count:
if (buffer[i] >= '0' && buffer[i] <= '9')
ns_len = ns_len * 10 + buffer[i] - '0';
else if (buffer[i] == ':') ++state;
else return MREF_ERR_STORE_PROTO;
break;
case st_data:
if (store_good) fputc(buffer[i], h);
else fputc(buffer[i], stderr);
gcry_md_write(ghd, buffer + i, 1);
if (--ns_len == 0) ++ state;
break;
case st_comma:
if (buffer[i] == ',') break;
case st_toomuch:
return MREF_ERR_STORE_PROTO;
}
}
}
if (ret < 0) {
if (gnutls_error_is_fatal(ret)) {
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
} else {
fprintf (stderr, "*** Warning: %s\n", gnutls_strerror (ret));
gnutls_bye (session, GNUTLS_SHUT_RDWR);
}
tcp_close(sd);
gnutls_deinit (session);
return MREF_ERR_TLS(ret);
}
tcp_close(sd);
gnutls_deinit (session);
memcpy(h_calc, gcry_md_read(ghd, 0), 32);
gcry_md_close(ghd);
if (memcmp(h_mref, h_calc, 32) != 0) return MREF_ERR_BAD_MSG_HASH;
if (fflush(h) != 0) return MREF_ERR_SYS;
if (fsync(fd) != 0) return MREF_ERR_SYS;
fclose(h); /* cannot fail */
return 0;
}
}
static void client(int fd)
{
gnutls_session_t session;
int ret;
gnutls_anon_client_credentials_t anoncred;
gnutls_datum_t mac_key, iv, cipher_key;
gnutls_datum_t read_mac_key, read_iv, read_cipher_key;
unsigned char rseq_number[8];
unsigned char wseq_number[8];
unsigned char key_material[512], *p;
unsigned i;
unsigned block_size, hash_size, key_size, iv_size;
const char *err;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_client_credentials(&anoncred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
ret = gnutls_priority_set_direct(session,
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH:+ANON-ECDH:+CURVE-ALL",
&err);
if (ret < 0) {
fail("client: priority set failed (%s): %s\n",
gnutls_strerror(ret), err);
exit(1);
}
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed: %s\n", strerror(ret));
terminate();
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
ret = gnutls_cipher_get(session);
if (ret != GNUTLS_CIPHER_AES_128_CBC) {
fprintf(stderr, "negotiated unexpected cipher: %s\n", gnutls_cipher_get_name(ret));
terminate();
}
ret = gnutls_mac_get(session);
if (ret != GNUTLS_MAC_SHA1) {
fprintf(stderr, "negotiated unexpected mac: %s\n", gnutls_mac_get_name(ret));
terminate();
}
iv_size = 16;
hash_size = 20;
key_size = 16;
block_size = 2*hash_size + 2*key_size + 2 *iv_size;
ret = gnutls_prf(session, 13, "key expansion", 1, 0, NULL, block_size,
(void*)key_material);
if (ret < 0) {
fprintf(stderr, "error in %d\n", __LINE__);
gnutls_perror(ret);
terminate();
}
p = key_material;
/* check whether the key material matches our calculations */
ret = gnutls_record_get_state(session, 0, &mac_key, &iv, &cipher_key, wseq_number);
if (ret < 0) {
fprintf(stderr, "error in %d\n", __LINE__);
gnutls_perror(ret);
terminate();
}
if (memcmp(wseq_number, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) != 0) {
dump("wseq:", wseq_number, 8);
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
ret = gnutls_record_get_state(session, 1, &read_mac_key, &read_iv, &read_cipher_key, rseq_number);
if (ret < 0) {
fprintf(stderr, "error in %d\n", __LINE__);
gnutls_perror(ret);
terminate();
}
if (memcmp(rseq_number, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) != 0) {
dump("rseq:", rseq_number, 8);
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
if (hash_size != mac_key.size || memcmp(p, mac_key.data, hash_size) != 0) {
dump("MAC:", mac_key.data, mac_key.size);
dump("Block:", key_material, block_size);
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
p+= hash_size;
if (hash_size != read_mac_key.size || memcmp(p, read_mac_key.data, hash_size) != 0) {
dump("MAC:", read_mac_key.data, read_mac_key.size);
dump("Block:", key_material, block_size);
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
p+= hash_size;
if (key_size != cipher_key.size || memcmp(p, cipher_key.data, key_size) != 0) {
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
p+= key_size;
if (key_size != read_cipher_key.size || memcmp(p, read_cipher_key.data, key_size) != 0) {
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
p+= key_size;
if (iv_size != iv.size || memcmp(p, iv.data, iv_size) != 0) {
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
p+=iv_size;
if (iv_size != read_iv.size || memcmp(p, read_iv.data, iv_size) != 0) {
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
/* check sequence numbers */
for (i=0;i<5;i++) {
ret = gnutls_record_send(session, "hello", 5);
if (ret < 0) {
fail("gnutls_record_send: %s\n", gnutls_strerror(ret));
}
}
ret = gnutls_record_get_state(session, 0, NULL, NULL, NULL, wseq_number);
if (ret < 0) {
fprintf(stderr, "error in %d\n", __LINE__);
gnutls_perror(ret);
terminate();
}
if (memcmp(wseq_number, "\x00\x00\x00\x00\x00\x00\x00\x06", 8) != 0) {
dump("wseq:", wseq_number, 8);
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
ret = gnutls_record_get_state(session, 1, NULL, NULL, NULL, rseq_number);
if (ret < 0) {
fprintf(stderr, "error in %d\n", __LINE__);
gnutls_perror(ret);
terminate();
}
if (memcmp(rseq_number, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) != 0) {
dump("wseq:", wseq_number, 8);
fprintf(stderr, "error in %d\n", __LINE__);
terminate();
}
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_client_credentials(anoncred);
gnutls_global_deinit();
}
static void server(int fd)
{
int ret;
gnutls_certificate_credentials_t xcred;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
ret = gnutls_certificate_set_x509_key_mem(xcred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
gnutls_init(&session, GNUTLS_SERVER);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
memset(buffer, 1, sizeof(buffer));
do {
ret = gnutls_record_send(session, buffer, sizeof(buffer)-1);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: data sending has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
if (ret < 0) {
fail("server: error in closing session: %s\n", gnutls_strerror(ret));
}
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
int
main (void)
{
int ret;
int sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
/* variables used in session resuming
*/
int t;
char *session_data = NULL;
size_t session_data_size = 0;
gnutls_global_init ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
for (t = 0; t < 2; t++)
{ /* connect 2 times to the server */
sd = tcp_connect ();
gnutls_init (&session, GNUTLS_CLIENT);
gnutls_priority_set_direct (session, "PERFORMANCE:!ARCFOUR-128", NULL);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
if (t > 0)
{
/* if this is not the first time we connect */
gnutls_session_set_data (session, session_data, session_data_size);
free (session_data);
}
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
if (t == 0)
{ /* the first time we connect */
/* get the session data size */
gnutls_session_get_data (session, NULL, &session_data_size);
session_data = malloc (session_data_size);
/* put session data to the session variable */
gnutls_session_get_data (session, session_data, &session_data_size);
}
else
{ /* the second time we connect */
/* check if we actually resumed the previous session */
if (gnutls_session_is_resumed (session) != 0)
{
printf ("- Previous session was resumed\n");
}
else
{
fprintf (stderr, "*** Previous session was NOT resumed\n");
}
}
/* This function was defined in a previous example
*/
/* print_info(session); */
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
} /* for() */
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
return 0;
}
/*
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
{
ssize_t result;
int retval = 0;
struct SessionHandle *data = conn->data;
int done = 0;
char buf[120];
/* This has only been tested on the proftpd server, and the mod_tls code
sends a close notify alert without waiting for a close notify alert in
response. Thus we wait for a close notify alert from the server, but
we do not send one. Let's hope other servers do the same... */
if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
gnutls_bye(conn->ssl[sockindex].session, GNUTLS_SHUT_WR);
if(conn->ssl[sockindex].session) {
while(!done) {
int what = Curl_socket_ready(conn->sock[sockindex],
CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
if(what > 0) {
/* Something to read, let's do it and hope that it is the close
notify alert from the server */
result = gnutls_record_recv(conn->ssl[sockindex].session,
buf, sizeof(buf));
switch(result) {
case 0:
/* This is the expected response. There was no data but only
the close notify alert */
done = 1;
break;
case GNUTLS_E_AGAIN:
case GNUTLS_E_INTERRUPTED:
infof(data, "GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED\n");
break;
default:
retval = -1;
done = 1;
break;
}
}
else if(0 == what) {
/* timeout */
failf(data, "SSL shutdown timeout");
done = 1;
break;
}
else {
/* anything that gets here is fatally bad */
failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
retval = -1;
done = 1;
}
}
gnutls_deinit(conn->ssl[sockindex].session);
}
gnutls_certificate_free_credentials(conn->ssl[sockindex].cred);
#ifdef USE_TLS_SRP
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP
&& data->set.ssl.username != NULL)
gnutls_srp_free_client_credentials(conn->ssl[sockindex].srp_client_cred);
#endif
conn->ssl[sockindex].cred = NULL;
conn->ssl[sockindex].session = NULL;
return retval;
}
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_datum_t out;
int type;
unsigned status;
#if 0
const char *err;
#endif
gnutls_certificate_credentials_t xcred;
if (gnutls_check_version("3.4.6") == NULL) {
fprintf(stderr, "GnuTLS 3.4.6 or later is required for this example\n");
exit(1);
}
/* for backwards compatibility with gnutls < 3.3.0 */
CHECK(gnutls_global_init());
/* X509 stuff */
CHECK(gnutls_certificate_allocate_credentials(&xcred));
/* sets the trusted cas file
*/
CHECK(gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
GNUTLS_X509_FMT_PEM));
/* If client holds a certificate it can be set using the following:
*
gnutls_certificate_set_x509_key_file (xcred,
"cert.pem", "key.pem",
GNUTLS_X509_FMT_PEM);
*/
/* Initialize TLS session
*/
CHECK(gnutls_init(&session, GNUTLS_CLIENT));
gnutls_session_set_ptr(session, (void *) "my_host_name");
CHECK(gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name")));
/* It is recommended to use the default priorities */
CHECK(gnutls_set_default_priority(session));
#if 0
/* if more fine-graned control is required */
ret = gnutls_priority_set_direct(session,
"NORMAL", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
}
exit(1);
}
#endif
/* put the x509 credentials to the current session
*/
CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred));
gnutls_session_set_verify_cert(session, "my_host_name", 0);
/* connect to the peer
*/
sd = tcp_connect();
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) {
/* check certificate verification status */
type = gnutls_certificate_type_get(session);
status = gnutls_session_get_verify_cert_status(session);
CHECK(gnutls_certificate_verification_status_print(status,
type, &out, 0));
printf("cert verify output: %s\n", out.data);
gnutls_free(out.data);
}
fprintf(stderr, "*** Handshake failed: %s\n", gnutls_strerror(ret));
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(session);
printf("- Session info: %s\n", desc);
gnutls_free(desc);
}
/* send data */
CHECK(gnutls_record_send(session, MSG, strlen(MSG)));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR));
end:
tcp_close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
return 0;
}
static void server(int fd, const char *prio)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
gnutls_datum_t skey;
/* this must be called once in the program
*/
global_init();
memset(buffer, 0, sizeof(buffer));
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
assert(gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&session, GNUTLS_SERVER)>=0);
assert(gnutls_session_ticket_key_generate(&skey)>=0);
assert(gnutls_session_ticket_enable_server(session, &skey) >= 0);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET,
GNUTLS_HOOK_POST,
handshake_callback);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
assert(gnutls_priority_set_direct(session, prio, NULL)>=0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
/* failure is expected here */
goto end;
}
if (debug) {
success("server: Handshake was completed\n");
}
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
if (sent == 0) {
fail("client: didn't send new sessiont ticket\n");
terminate();
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_free(skey.data);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
gboolean
cib_remote_listen(int ssock, gpointer data)
{
int lpc = 0;
int csock = 0;
unsigned laddr;
struct sockaddr_in addr;
#ifdef HAVE_GNUTLS_GNUTLS_H
gnutls_session *session = NULL;
#endif
cib_client_t *new_client = NULL;
xmlNode *login = NULL;
const char *user = NULL;
const char *pass = NULL;
const char *tmp = NULL;
cl_uuid_t client_id;
char uuid_str[UU_UNPARSE_SIZEOF];
/* accept the connection */
laddr = sizeof(addr);
csock = accept(ssock, (struct sockaddr*)&addr, &laddr);
crm_debug("New %s connection from %s",
ssock == remote_tls_fd?"secure":"clear-text",
inet_ntoa(addr.sin_addr));
if (csock == -1) {
crm_err("accept socket failed");
return TRUE;
}
if(ssock == remote_tls_fd) {
#ifdef HAVE_GNUTLS_GNUTLS_H
/* create gnutls session for the server socket */
session = create_tls_session(csock, GNUTLS_SERVER);
if (session == NULL) {
crm_err("TLS session creation failed");
close(csock);
return TRUE;
}
#endif
}
do {
crm_debug_2("Iter: %d", lpc);
if(ssock == remote_tls_fd) {
#ifdef HAVE_GNUTLS_GNUTLS_H
login = cib_recv_remote_msg(session, TRUE);
#endif
} else {
login = cib_recv_remote_msg(GINT_TO_POINTER(csock), FALSE);
}
sleep(1);
} while(login == NULL && ++lpc < 10);
crm_log_xml_info(login, "Login: "******"cib_command")) {
crm_err("Wrong tag: %s", tmp);
goto bail;
}
tmp = crm_element_value(login, "op");
if(safe_str_neq(tmp, "authenticate")) {
crm_err("Wrong operation: %s", tmp);
goto bail;
}
user = crm_element_value(login, "user");
pass = crm_element_value(login, "password");
/* Non-root daemons can only validate the password of the
* user they're running as
*/
if(check_group_membership(user, CRM_DAEMON_GROUP) == FALSE) {
crm_err("User is not a member of the required group");
goto bail;
} else if (authenticate_user(user, pass) == FALSE) {
crm_err("PAM auth failed");
goto bail;
}
/* send ACK */
crm_malloc0(new_client, sizeof(cib_client_t));
num_clients++;
new_client->channel_name = "remote";
new_client->name = crm_element_value_copy(login, "name");
cl_uuid_generate(&client_id);
cl_uuid_unparse(&client_id, uuid_str);
CRM_CHECK(new_client->id == NULL, crm_free(new_client->id));
new_client->id = crm_strdup(uuid_str);
new_client->callback_id = NULL;
if(ssock == remote_tls_fd) {
#ifdef HAVE_GNUTLS_GNUTLS_H
new_client->encrypted = TRUE;
new_client->channel = (void*)session;
#endif
} else {
new_client->channel = GINT_TO_POINTER(csock);
}
free_xml(login);
login = create_xml_node(NULL, "cib_result");
crm_xml_add(login, F_CIB_OPERATION, CRM_OP_REGISTER);
crm_xml_add(login, F_CIB_CLIENTID, new_client->id);
cib_send_remote_msg(new_client->channel, login, new_client->encrypted);
free_xml(login);
new_client->source = (void*)G_main_add_fd(
G_PRIORITY_DEFAULT, csock, FALSE, cib_remote_msg, new_client,
cib_remote_connection_destroy);
g_hash_table_insert(client_list, new_client->id, new_client);
return TRUE;
bail:
if(ssock == remote_tls_fd) {
#ifdef HAVE_GNUTLS_GNUTLS_H
gnutls_bye(*session, GNUTLS_SHUT_RDWR);
gnutls_deinit(*session);
gnutls_free(session);
#endif
}
close(csock);
free_xml(login);
return TRUE;
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_certificate_credentials_t serverx509cred;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
ret = gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+RSA:%NO_SESSION_HASH", NULL);
if (ret < 0) {
fail("server: priority set failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
ret = gnutls_session_set_premaster(session, GNUTLS_SERVER,
GNUTLS_TLS1_0, GNUTLS_KX_RSA,
GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1,
GNUTLS_COMP_NULL, &master, &sess_id);
if (ret < 0) {
fail("server: gnutls_session_set_premaster failed: %s\n", gnutls_strerror(ret));
exit(1);
}
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_handshake_set_random(session, &hsrnd);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void client(int fd)
{
gnutls_session_t session;
int ret;
gnutls_certificate_credentials_t clientx509cred;
const char *err;
/* Need to enable anonymous KX specifically. */
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&clientx509cred);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
ret = gnutls_session_set_premaster(session, GNUTLS_CLIENT,
GNUTLS_TLS1_0, GNUTLS_KX_RSA,
GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1,
GNUTLS_COMP_NULL, &master, &sess_id);
if (ret < 0) {
fail("client: gnutls_session_set_premaster failed: %s\n", gnutls_strerror(ret));
exit(1);
}
/* Use default priorities */
ret = gnutls_priority_set_direct(session,
"NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA",
&err);
if (ret < 0) {
fail("client: priority set failed (%s): %s\n",
gnutls_strerror(ret), err);
exit(1);
}
ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
gnutls_handshake_set_random(session, &hrnd);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed: %s\n", strerror(ret));
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
ret = gnutls_cipher_get(session);
if (ret != GNUTLS_CIPHER_AES_128_CBC) {
fprintf(stderr, "negotiated unexpected cipher: %s\n", gnutls_cipher_get_name(ret));
exit(1);
}
ret = gnutls_mac_get(session);
if (ret != GNUTLS_MAC_SHA1) {
fprintf(stderr, "negotiated unexpected mac: %s\n", gnutls_mac_get_name(ret));
exit(1);
}
check_prfs(session);
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
}
static void client(int sd, const char *prio)
{
int ret, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_psk_client_credentials_t pskcred;
/* Need to enable anonymous KX specifically. */
const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
const char *hint;
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
side = "client";
gnutls_psk_allocate_client_credentials(&pskcred);
gnutls_psk_set_client_credentials(pskcred, "test", &key,
GNUTLS_PSK_KEY_HEX);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, prio, NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred);
gnutls_transport_set_int(session, sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake(session);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
if (debug)
success("client: Handshake was completed\n");
}
/* check the hint */
hint = gnutls_psk_client_get_hint(session);
if (hint == NULL || strcmp(hint, "hint") != 0) {
fail("client: hint is not the expected: %s\n", gnutls_psk_client_get_hint(session));
goto end;
}
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (debug) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
close(sd);
gnutls_deinit(session);
gnutls_psk_free_client_credentials(pskcred);
gnutls_global_deinit();
}
static void
server (void)
{
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&pgp_cred);
ret = gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &server_crt,
&server_key, "auto",
GNUTLS_OPENPGP_FMT_BASE64);
if (err < 0)
{
fail ("Could not set server key files...\n");
}
if (debug)
success ("Launched, setting DH parameters...\n");
generate_dh_params ();
gnutls_certificate_set_dh_params (pgp_cred, dh_params);
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
if (debug)
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
return;
}
if (debug)
success ("server: Handshake was completed\n");
if (debug)
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
/* see the Getting peer's information example */
if (debug)
print_info (session);
i = 0;
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("server: Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
close (listen_sd);
gnutls_certificate_free_credentials (pgp_cred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
if (debug)
success ("server: finished\n");
}
int
main (void)
{
int err, listen_sd;
int sd, ret;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
int client_len;
char topbuf[512];
gnutls_session_t session;
char buffer[MAX_BUF + 1];
int optval = 1;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE,
GNUTLS_X509_FMT_PEM);
generate_dh_params ();
gnutls_priority_init (&priority_cache, "NORMAL", NULL);
gnutls_certificate_set_dh_params (x509_cred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
SOCKET_ERR (listen_sd, "socket");
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
SOCKET_ERR (err, "bind");
err = listen (listen_sd, 1024);
SOCKET_ERR (err, "listen");
printf ("Server ready. Listening to port '%d'.\n\n", PORT);
client_len = sizeof (sa_cli);
for (;;)
{
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
printf ("- connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
continue;
}
printf ("- Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("\n- Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fprintf (stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
printf ("\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_priority_deinit (priority_cache);
gnutls_global_deinit ();
return 0;
}
static
void test_success(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
to_server_len = 0;
to_client_len = 0;
client_ret_val = 0;
server_ret_val = 0;
server_ok = 0;
client_ok = 0;
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server, "NORMAL", NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_session_set_verify_function(server,
server_callback);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
gnutls_session_set_verify_function(client,
client_callback);
HANDSHAKE(client, server);
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
if (server_ok == 0)
fail("Server certificate verify callback wasn't called\n");
if (client_ok == 0)
fail("Client certificate verify callback wasn't called\n");
}
static void
server (struct params_res *params)
{
size_t t;
/* this must be called once in the program, it is mostly for the server.
*/
if (debug)
{
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (2);
}
gnutls_global_init ();
gnutls_anon_allocate_server_credentials (&anoncred);
if (debug)
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_anon_set_server_dh_params (anoncred, dh_params);
if (params->enable_db)
{
wrap_db_init ();
}
if (params->enable_session_ticket_server)
gnutls_session_ticket_key_generate (&session_ticket_key);
for (t = 0; t < 2; t++)
{
client_len = sizeof (sa_cli);
session = initialize_tls_session (params);
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
if (debug)
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n",
gnutls_strerror (ret));
return;
}
if (debug)
success ("server: Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
i = 0;
for (;;)
{
memset (buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("server: Peer has closed the GnuTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
}
close (listen_sd);
if (params->enable_db)
{
wrap_db_deinit ();
}
gnutls_free (session_ticket_key.data);
session_ticket_key.data = NULL;
if (debug)
success ("server: finished\n");
}
static void client(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
global_init();
if (debug) {
gnutls_global_set_log_function(client_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
ret = disable_system_calls();
if (ret < 0) {
fprintf(stderr, "could not enable seccomp\n");
exit(2);
}
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* Use default priorities */
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
/* Perform the TLS handshake
*/
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
exit(1);
} else {
if (debug)
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
ret = gnutls_record_recv(session, buffer, sizeof(buffer)-1);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret == 0) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
if (ret < 0) {
fail("server: error in closing session: %s\n", gnutls_strerror(ret));
}
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
}
static void
client (struct params_res *params)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_anon_client_credentials_t anoncred;
/* Need to enable anonymous KX specifically. */
/* variables used in session resuming
*/
int t;
gnutls_datum_t session_data;
if (debug)
{
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (2);
}
gnutls_global_init ();
gnutls_anon_allocate_client_credentials (&anoncred);
for (t = 0; t < 2; t++)
{ /* connect 2 times to the server */
/* connect to the peer
*/
sd = tcp_connect ();
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NO_EXTENSIONS);
/* Use default priorities */
gnutls_priority_set_direct (session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
if (params->enable_session_ticket_client)
gnutls_session_ticket_enable_client (session);
if (t > 0)
{
/* if this is not the first time we connect */
gnutls_session_set_data (session, session_data.data,
session_data.size);
gnutls_free (session_data.data);
}
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
if (debug)
success ("client: Handshake was completed\n");
}
if (t == 0)
{ /* the first time we connect */
/* get the session data size */
ret = gnutls_session_get_data2 (session, &session_data);
if (ret < 0)
fail ("Getting resume data failed\n");
}
else
{ /* the second time we connect */
/* check if we actually resumed the previous session */
if (gnutls_session_is_resumed (session) != 0)
{
if (params->expect_resume)
{
if (debug)
success ("- Previous session was resumed\n");
}
else
fail ("- Previous session was resumed\n");
}
else
{
if (params->expect_resume)
{
fail ("*** Previous session was NOT resumed\n");
}
else
{
if (debug)
success
("*** Previous session was NOT resumed (expected)\n");
}
}
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
goto end;
}
if (debug )
{
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
}
gnutls_bye (session, GNUTLS_SHUT_RDWR);
tcp_close (sd);
gnutls_deinit (session);
}
end:
gnutls_anon_free_client_credentials (anoncred);
}
/** Handles one client.
* This one connects to the remote server, and proxies every traffic
* between our client and the server.
*
* @param config is the main CryWrap configuration structure.
* @param insock is the socket through which the client sends input.
* @param outsock is the socket through which we send output.
*
* @note Exits on error.
*/
static int
_crywrap_do_one (const crywrap_config_t *config, int insock, int outsock)
{
int sock, ret, tls_pending;
gnutls_session_t session;
char buffer[_CRYWRAP_MAXBUF + 2];
fd_set fdset;
unsigned int status = 0;
struct sockaddr_storage faddr;
socklen_t socklen = sizeof (struct sockaddr_storage);
char peer_name[NI_MAXHOST];
/* Log the connection */
if (getpeername (insock, (struct sockaddr *)&faddr, &socklen) != 0)
cry_error ("getpeername(): %s", strerror (errno));
else
{
getnameinfo ((struct sockaddr *)&faddr,
sizeof (struct sockaddr_storage), peer_name,
sizeof (peer_name), NULL, 0, NI_NUMERICHOST);
cry_log ("Accepted connection from %s on %d to %s/%d",
peer_name, insock, config->dest.host,
config->dest.port);
}
/* Do the handshake with our peer */
session = _crywrap_tls_session_create (config);
gnutls_transport_set_ptr2 (session,
(gnutls_transport_ptr_t)insock,
(gnutls_transport_ptr_t)outsock);
do
{
ret = gnutls_handshake(session);
}
while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0)
{
cry_error ("Handshake failed: %s", gnutls_strerror (ret));
gnutls_alert_send_appropriate(session, ret);
goto error;
}
/* Verify the client's certificate, if any. */
if (config->verify)
{
ret = gnutls_certificate_verify_peers2 (session, &status);
if (ret < 0)
cry_log ("Error getting certificate from client: %s",
gnutls_strerror (ret));
if (ret == 0 && status != 0)
{
if (status & GNUTLS_CERT_INVALID)
cry_log ("%s", "Client certificate not trusted or invalid");
}
if (config->verify > 0 && status != 0)
{
ret = -1;
gnutls_alert_send( session, GNUTLS_AL_FATAL, GNUTLS_A_INSUFFICIENT_SECURITY);
goto error;
}
}
/* Connect to the remote host */
sock = _crywrap_remote_connect (config->dest.addr,
htons (config->dest.port));
for (;;)
{
FD_ZERO (&fdset);
FD_SET (insock, &fdset);
FD_SET (sock, &fdset);
memset (buffer, 0, _CRYWRAP_MAXBUF + 1);
tls_pending = 0;
if (gnutls_record_check_pending(session) > 0)
tls_pending = 1;
else
{
select (sock + 1, &fdset, NULL, NULL, NULL);
if (FD_ISSET (insock, &fdset))
tls_pending = 1;
}
/* TLS client */
if (tls_pending != 0)
{
ret = gnutls_record_recv (session, buffer, _CRYWRAP_MAXBUF);
if (ret == 0)
{
cry_log ("%s", "Peer has closed the GNUTLS connection");
break;
}
else if (ret < 0)
{
cry_log ("Received corrupted data: %s.",
gnutls_strerror (ret));
break;
}
else
send (sock, buffer, ret, 0);
}
/* Remote server */
if (FD_ISSET (sock, &fdset))
{
ret = recv (sock, buffer, _CRYWRAP_MAXBUF, 0);
if (ret == 0)
{
cry_log ("%s", "Server has closed the connection");
break;
}
else if (ret < 0)
{
cry_log ("Received corrupted data: %s.", strerror (errno));
break;
}
else
{
int r, o = 0;
do
{
r = gnutls_record_send (session, &buffer[o], ret - o);
o += r;
} while (r > 0 && ret > o);
if (r < 0)
cry_log ("Received corrupt data: %s", gnutls_strerror (r));
}
}
}
error:
gnutls_bye (session, GNUTLS_SHUT_WR);
gnutls_deinit (session);
close (insock);
close (outsock);
return (ret == 0) ? 0 : 1;
}
int main(void)
{
int listen_sd;
int sd, ret;
gnutls_certificate_credentials_t x509_cred;
gnutls_priority_t priority_cache;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
socklen_t client_len;
char topbuf[512];
gnutls_session_t session;
char buffer[MAX_BUF + 1];
int optval = 1;
/* for backwards compatibility with gnutls < 3.3.0 */
CHECK(gnutls_global_init());
CHECK(gnutls_certificate_allocate_credentials(&x509_cred));
CHECK(gnutls_certificate_set_x509_trust_file(x509_cred, CAFILE,
GNUTLS_X509_FMT_PEM));
CHECK(gnutls_certificate_set_x509_crl_file(x509_cred, CRLFILE,
GNUTLS_X509_FMT_PEM));
/* The following code sets the certificate key pair as well as,
* an OCSP response which corresponds to it. It is possible
* to set multiple key-pairs and multiple OCSP status responses
* (the latter since 3.5.6). See the manual pages of the individual
* functions for more information.
*/
CHECK(gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE,
KEYFILE,
GNUTLS_X509_FMT_PEM));
CHECK(gnutls_certificate_set_ocsp_status_request_file(x509_cred,
OCSP_STATUS_FILE,
0));
CHECK(gnutls_priority_init(&priority_cache, NULL, NULL));
/* Instead of the default options as shown above one could specify
* additional options such as server precedence in ciphersuite selection
* as follows:
* gnutls_priority_init2(&priority_cache,
* "%SERVER_PRECEDENCE",
* NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
*/
#if GNUTLS_VERSION_NUMBER >= 0x030506
/* only available since GnuTLS 3.5.6, on previous versions see
* gnutls_certificate_set_dh_params(). */
gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM);
#endif
/* Socket operations
*/
listen_sd = socket(AF_INET, SOCK_STREAM, 0);
memset(&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons(PORT); /* Server Port number */
setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
sizeof(int));
bind(listen_sd, (struct sockaddr *) &sa_serv, sizeof(sa_serv));
listen(listen_sd, 1024);
printf("Server ready. Listening to port '%d'.\n\n", PORT);
client_len = sizeof(sa_cli);
for (;;) {
CHECK(gnutls_init(&session, GNUTLS_SERVER));
CHECK(gnutls_priority_set(session, priority_cache));
CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
x509_cred));
/* We don't request any certificate from the client.
* If we did we would need to verify it. One way of
* doing that is shown in the "Verifying a certificate"
* example.
*/
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_IGNORE);
gnutls_handshake_set_timeout(session,
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
sd = accept(listen_sd, (struct sockaddr *) &sa_cli,
&client_len);
printf("- connection from %s, port %d\n",
inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf,
sizeof(topbuf)), ntohs(sa_cli.sin_port));
gnutls_transport_set_int(session, sd);
LOOP_CHECK(ret, gnutls_handshake(session));
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fprintf(stderr,
"*** Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
continue;
}
printf("- Handshake was completed\n");
/* see the Getting peer's information example */
/* print_info(session); */
for (;;) {
LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF));
if (ret == 0) {
printf
("\n- Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0
&& gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n",
gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "\n*** Received corrupted "
"data(%d). Closing the connection.\n\n",
ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
CHECK(gnutls_record_send(session, buffer, ret));
}
}
printf("\n");
/* do not wait for the peer to close the connection.
*/
LOOP_CHECK(ret, gnutls_bye(session, GNUTLS_SHUT_WR));
close(sd);
gnutls_deinit(session);
}
close(listen_sd);
gnutls_certificate_free_credentials(x509_cred);
gnutls_priority_deinit(priority_cache);
gnutls_global_deinit();
return 0;
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
gnutls_dh_params_t dh_params;
char buf[128];
const gnutls_datum_t p3 =
{ (unsigned char *) pkcs3, strlen(pkcs3) };
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(anoncred, dh_params);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
ret = gnutls_priority_set_direct(session,
"NORMAL:+ANON-DH:+ANON-ECDH", NULL);
if (ret < 0) {
fail("server: priority set failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
do {
ret = gnutls_record_recv(session, buf, sizeof(buf));
} while(ret > 0);
if (ret < 0) {
fail("error: %s\n", gnutls_strerror(ret));
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
if (gnutls_check_version("3.1.4") == NULL) {
fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n");
exit(1);
}
/* for backwards compatibility with gnutls < 3.3.0 */
CHECK(gnutls_global_init());
/* X509 stuff */
CHECK(gnutls_certificate_allocate_credentials(&xcred));
/* sets the system trusted CAs for Internet PKI */
CHECK(gnutls_certificate_set_x509_system_trust(xcred));
/* Initialize TLS session */
CHECK(gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM));
/* Use default priorities */
CHECK(gnutls_set_default_priority(session));
/* put the x509 credentials to the current session */
CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred));
CHECK(gnutls_server_name_set(session, GNUTLS_NAME_DNS, "www.example.com",
strlen("www.example.com")));
gnutls_session_set_verify_cert(session, "www.example.com", 0);
/* connect to the peer */
sd = udp_connect();
gnutls_transport_set_int(session, sd);
/* set the connection MTU */
gnutls_dtls_set_mtu(session, 1000);
/* gnutls_dtls_set_timeouts(session, 1000, 60000); */
/* Perform the TLS handshake */
do {
ret = gnutls_handshake(session);
}
while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
/* Note that DTLS may also receive GNUTLS_E_LARGE_PACKET */
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
goto end;
} else {
char *desc;
desc = gnutls_session_get_desc(session);
printf("- Session info: %s\n", desc);
gnutls_free(desc);
}
LOOP_CHECK(ret, gnutls_record_send(session, MSG, strlen(MSG)));
LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF));
if (ret == 0) {
printf("- Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) {
fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret));
} else if (ret < 0) {
fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (ret > 0) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
/* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS
* connections because the peer's closure message might
* be lost */
CHECK(gnutls_bye(session, GNUTLS_SHUT_WR));
end:
udp_close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
return 0;
}
void doit(void)
{
global_init();
int ret;
char buf[1024];
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server2_cert, &server2_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server,
"NORMAL",
NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_pull_timeout_function(server,
server_pull_timeout_func);
gnutls_transport_set_ptr(server, server);
/* Init client */
ret = gnutls_certificate_allocate_credentials(&clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_priority_set_direct(client, "NORMAL", NULL);
if (ret < 0)
exit(1);
gnutls_record_set_max_size(client, 512);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_pull_timeout_function(client,
client_pull_timeout_func);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
memset(buf, 1, sizeof(buf));
ret = gnutls_record_send(server, buf, 513);
if (ret != 512 || ret < 0) {
gnutls_perror(ret);
exit(1);
}
success("did not send a 513-byte packet\n");
ret = gnutls_record_send(server, buf, 512);
if (ret < 0) {
gnutls_perror(ret);
exit(1);
}
success("did send a 512-byte packet\n");
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
}
void SSLi_shutdown(SSL_handle_t *session)
{
gnutls_bye(*session, GNUTLS_SHUT_WR);
}
void
client (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_psk_client_credentials_t pskcred;
/* Need to enable anonymous KX specifically. */
const int kx_prio[] = { GNUTLS_KX_DHE_PSK, 0 };
const gnutls_datum_t key = { "DEADBEEF", 8 };
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
// gnutls_global_set_log_level (99);
gnutls_psk_allocate_client_credentials (&pskcred);
gnutls_psk_set_client_credentials (pskcred, "test", &key,
GNUTLS_PSK_KEY_HEX);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_set_default_priority (session);
gnutls_kx_set_priority (session, kx_prio);
/* put the anonymous credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
success ("client: Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
goto end;
}
if (debug)
{
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
}
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_psk_free_client_credentials (pskcred);
gnutls_global_deinit ();
}
static void
client (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (2);
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file
*/
if (debug)
success ("Setting key files...\n");
ret = gnutls_certificate_set_openpgp_key_mem (xcred, &cert, &key,
GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
{
fail ("Could not set key files...\n");
}
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_set_default_priority (session);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
if (debug)
success ("Connecting...\n");
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else if (debug)
{
success ("client: Handshake was completed\n");
}
if (debug)
success ("client: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
/* see the Getting peer's information example */
if (debug)
print_info (session);
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
if (debug)
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
goto end;
}
if (debug)
{
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
}
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
}
static void server(int fd)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
gnutls_anon_server_credentials_t anoncred;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_anon_allocate_server_credentials(&anoncred);
gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM);
gnutls_dtls_set_mtu(session, 1500);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
terminate();
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
/* avoid uninitialized warnings */
memset(buffer, 1, sizeof(buffer));
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 12);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 5048);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
gnutls_dtls_set_mtu(session, MAX_MTU);
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 12);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) + 5048);
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret > 16384 || ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
/* test cork and uncork */
gnutls_record_cork(session);
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret = gnutls_record_uncork(session, 0);
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
gnutls_record_cork(session);
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session) - 16);
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret =
gnutls_record_send(session, buffer,
gnutls_dtls_get_data_mtu(session));
if (ret != GNUTLS_E_LARGE_PACKET) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
ret = gnutls_record_uncork(session, GNUTLS_RECORD_WAIT);
if (ret < 0) {
terminate();
fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret));
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(fd);
gnutls_deinit(session);
gnutls_anon_free_server_credentials(anoncred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
int
main (void)
{
int ret, sd, ii;
gnutls_session_t session;
gnutls_priority_t priorities_cache;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
/* Allow connections to servers that have OpenPGP keys as well.
*/
gnutls_global_init ();
load_keys ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
/* priorities */
gnutls_priority_init (&priorities_cache, "NORMAL", NULL);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_retrieve_function2 (xcred, cert_callback);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set (session, priorities_cache);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_priority_deinit (priorities_cache);
gnutls_global_deinit ();
return 0;
}
