Exemplo n.º 1
0
/** Create a GNUTLS session.
 * Initialises the cyphers and the session database for a new TLS
 * session.
 *
 * @returns The newly created TLS session.
 */
static gnutls_session_t
_crywrap_tls_session_create(const crywrap_config_t * config)
{
	gnutls_session_t session;
	int ret;

	gnutls_init(&session, GNUTLS_SERVER);

	if (config->anon) {
		gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred);
	} else {
		gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
				       cred);
	}

	ret = gnutls_priority_set(session, config->priority);
	if (ret < 0) {
		cry_error("Error setting priority %s: ",
			  gnutls_strerror(ret));
		exit(4);
	}

	if (config->verify == 1)
		gnutls_certificate_server_set_request(session,
						      GNUTLS_CERT_REQUEST);
	else if (config->verify == 2)
		gnutls_certificate_server_set_request(session,
						      GNUTLS_CERT_REQUIRE);

	return session;
}
Exemplo n.º 2
0
         bool gtlsServerData::initSession(gnutls_session_t & _session)
         {
            bool status = true;

            int ret = 0;

            // Create a session.
            ret = gnutls_init (&_session, GNUTLS_SERVER);
            if (ret < 0) { initialized_ = false; }
            // printerror("gnutls_init", ret);

            // Set the default priority.
            ret = gnutls_set_default_priority(_session);
            if (ret < 0) { initialized_ = false; }
            // printerror("gnutls_set_default_priority", ret);

            ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, gtlsglobalserverdata_->cert_cred);
            if (ret < 0) { initialized_ = false; }
            // printerror("gnutls_credentials_set", ret);

            gnutls_certificate_server_set_request(_session, GNUTLS_CERT_REQUEST);

            gnutls_dh_set_prime_bits(_session, gtlsGeneric::GNUTLSIF_DH_BITS);
            // GNUTLS_NOTICE("Created new TLS session with id = " << _session);

            return status;
         }
Exemplo n.º 3
0
void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = F->accept->callback;
	new_F->accept->data = F->accept->data;
	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	memcpy(&new_F->accept->S, st, addrlen);
	new_F->accept->addrlen = addrlen;

	gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
	gnutls_set_default_priority(SSL_P(new_F));
	gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
	gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
	gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
	gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
	if(do_ssl_handshake(F, rb_ssl_tryaccept))
	{
		struct acceptdata *ad = F->accept;
		F->accept = NULL;
		ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
		rb_free(ad);
	}
}
Exemplo n.º 4
0
static
void test_failure_server(void)
{
	/* Server stuff. */
	gnutls_certificate_credentials_t serverx509cred;
	gnutls_session_t server;
	int sret = GNUTLS_E_AGAIN;
	/* Client stuff. */
	gnutls_certificate_credentials_t clientx509cred;
	gnutls_session_t client;
	int cret = GNUTLS_E_AGAIN;

	/* General init. */

	to_server_len = 0;
	to_client_len = 0;
	client_ret_val = 0;
	server_ret_val = GNUTLS_E_CERTIFICATE_ERROR;
	server_ok = 0;
	client_ok = 0;

	/* Init server */
	gnutls_certificate_allocate_credentials(&serverx509cred);
	gnutls_certificate_set_x509_key_mem(serverx509cred,
					    &server_cert, &server_key,
					    GNUTLS_X509_FMT_PEM);
	gnutls_init(&server, GNUTLS_SERVER);
	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
			       serverx509cred);
	gnutls_priority_set_direct(server, "NORMAL", NULL);
	gnutls_transport_set_push_function(server, server_push);
	gnutls_transport_set_pull_function(server, server_pull);
	gnutls_transport_set_ptr(server, server);
	gnutls_session_set_verify_function(server,
					       server_callback);
	gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);

	/* Init client */
	gnutls_certificate_allocate_credentials(&clientx509cred);
	gnutls_init(&client, GNUTLS_CLIENT);
	gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
			       clientx509cred);
	gnutls_priority_set_direct(client, "NORMAL", NULL);
	gnutls_transport_set_push_function(client, client_push);
	gnutls_transport_set_pull_function(client, client_pull);
	gnutls_transport_set_ptr(client, client);
	gnutls_session_set_verify_function(client,
					       client_callback);

	HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_CERTIFICATE_ERROR);

	gnutls_deinit(client);
	gnutls_deinit(server);

	gnutls_certificate_free_credentials(serverx509cred);
	gnutls_certificate_free_credentials(clientx509cred);

	if (server_ok == 0)
		fail("%s: certificate verify callback wasn't called\n", __func__);
}
Exemplo n.º 5
0
/// Initializes GNUTLS session on the given socket.
static gnutls_session_t onion_prepare_gnutls_session(onion *o, int clientfd){
	gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);
  gnutls_priority_set (session, o->priority_cache);
  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, o->x509_cred);
  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
  /* Set maximum compatibility mode. This is only suggested on public webservers
   * that need to trade security for compatibility
   */
  gnutls_session_enable_compatibility_mode (session);

	gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t)(long) clientfd);
	int ret;
	int n_tries=0;
	do{
		ret = gnutls_handshake (session);
		if (n_tries++>10) // Ok, dont abuse the system. Maybe trying to DoS me?
			break;
	}while (ret<0 && gnutls_error_is_fatal(ret)==0);
	if (ret<0){ // could not handshake. assume an error.
	  ONION_ERROR("Handshake has failed (%s)", gnutls_strerror (ret));
		gnutls_deinit (session);
		return NULL;
	}
	return session;
}
Exemplo n.º 6
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

gnutls_init (&session, GNUTLS_CLIENT);
int data_length=0;//hard-coding this length assuming 4 proxies already exist in the connection.
void *data=malloc(80);
/*printf("Existing Proxy_Info retrived by proxy from outgoing TLS connection\n");
for(int i=0;i<data_length;i+=4){
int random_num=rand()%20;
printf("%u ",random_num);
if((i-1)%5==0&&i!=0)
printf("\n");
memcpy(data+i,&random_num,sizeof(int));
}
*/
gnutls_proxyinfo_set (session, GNUTLS_NAME_DNS, "karthikmihir",strlen("karthikmihir"),data,data_length,0);
gnutls_priority_set (session, priority_cache);

  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

  /* Set maximum compatibility mode. This is only suggested on public webservers
   * that need to trade security for compatibility
   */
  gnutls_session_enable_compatibility_mode (session);

  return session;
}
Exemplo n.º 7
0
static void session_init(int sock, int server)
{
	gnutls_init(&session, GNUTLS_DATAGRAM | (server ? GNUTLS_SERVER : GNUTLS_CLIENT)
			| GNUTLS_NONBLOCK * nonblock);
	gnutls_priority_set_direct(session, "+CTYPE-OPENPGP:+CIPHER-ALL:+MAC-ALL:+ECDHE-RSA:+ANON-ECDH", 0);
	gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) (intptr_t) sock);

	if (full) {
		gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
		if (server) {
			gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
		}
	} else if (server) {
		gnutls_anon_server_credentials_t cred;
		gnutls_anon_allocate_server_credentials(&cred);
		gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred);
	} else {
		gnutls_anon_client_credentials_t cred;
		gnutls_anon_allocate_client_credentials(&cred);
		gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred);
	}

	gnutls_transport_set_push_function(session, writefn);

	gnutls_dtls_set_mtu(session, 1400);
	gnutls_dtls_set_timeouts(session, retransmit_milliseconds, timeout_seconds * 1000);
}
Exemplo n.º 8
0
static tls_session *
tlsg_session_new ( tls_ctx * ctx, int is_server )
{
	tlsg_ctx *c = (tlsg_ctx *)ctx;
	tlsg_session *session;

	session = ber_memcalloc ( 1, sizeof (*session) );
	if ( !session )
		return NULL;

	session->ctx = c;
	gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
	gnutls_priority_set( session->session, c->prios );
	if ( c->cred )
		gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
	
	if ( is_server ) {
		int flag = 0;
		if ( c->lo->ldo_tls_require_cert ) {
			flag = GNUTLS_CERT_REQUEST;
			if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
				c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
				flag = GNUTLS_CERT_REQUIRE;
			gnutls_certificate_server_set_request( session->session, flag );
		}
	}
	return (tls_session *)session;
}
Exemplo n.º 9
0
static gnutls_session new_tls_session(int sock)
{
        int ret;
        gnutls_session session;
        const int kx_priority[] = {
                GNUTLS_KX_ANON_DH,
#ifdef GNUTLS_SRP_ENABLED
                GNUTLS_KX_SRP, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA,
#endif
                0 };

        gnutls_init(&session, GNUTLS_SERVER);

        gnutls_set_default_priority(session);
        gnutls_kx_set_priority(session, kx_priority);

#ifdef GNUTLS_SRP_ENABLED
        gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred);
        gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE);
#endif
        gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);

        gnutls_transport_set_ptr(session, fd_to_ptr(sock));
        gnutls_transport_set_pull_function(session, tls_pull);
        gnutls_transport_set_push_function(session, tls_push);

        ret = gnutls_handshake(session);
        if ( ret < 0 ) {
                fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret));
                gnutls_alert_send_appropriate(session, ret);
                return NULL;
        }

        return session;
}
Exemplo n.º 10
0
SslSocket::SslSocket(SslDriver *driver, struct ev_loop *loop, int fd, int af) :
	x0::Socket(loop, fd, af),
#ifndef XZERO_NDEBUG
	ctime_(ev_now(loop)),
#endif
	driver_(driver),
	context_(nullptr),
	session_()
{
	TRACE("SslSocket()");

	setSecure(true);
	setState(Handshake);

	GNUTLS_CHECK( gnutls_init(&session_, GNUTLS_SERVER) );

	gnutls_handshake_set_post_client_hello_function(session_, &SslSocket::onClientHello);

	gnutls_certificate_server_set_request(session_, GNUTLS_CERT_REQUEST);
	gnutls_dh_set_prime_bits(session_, 1024);

	gnutls_session_enable_compatibility_mode(session_);

	gnutls_session_set_ptr(session_, this);
	gnutls_transport_set_ptr(session_, reinterpret_cast<gnutls_transport_ptr_t>(handle()));

	driver_->initialize(this);
}
Exemplo n.º 11
0
void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
	gnutls_session_t *ssl;
	new_F->type |= RB_FD_SSL;
	ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = cb;
	new_F->accept->data = data;
	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

	new_F->accept->addrlen = 0;

	gnutls_init(ssl, GNUTLS_SERVER);
	gnutls_set_default_priority(*ssl);
	gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
	gnutls_dh_set_prime_bits(*ssl, 1024);
	gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
	gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
	if(do_ssl_handshake(new_F, rb_ssl_tryaccept))
	{
		struct acceptdata *ad = new_F->accept;
		new_F->accept = NULL;
		ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
		rb_free(ad);
	}

}
Exemplo n.º 12
0
gnutls_session
initialize_tls_session (int sd, char* CN)
{
	int ret;
	gnutls_session session;

	gnutls_init (&session, GNUTLS_SERVER);
	gnutls_set_default_priority (session);
	gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
	gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
	gnutls_dh_set_prime_bits (session, DH_BITS);
	gnutls_transport_set_ptr (session, (gnutls_transport_ptr) GINT_TO_POINTER(sd));
	ret = gnutls_handshake (session);
	if (ret < 0)
	{
		close (sd);
		gnutls_deinit (session);
		quorum_log(LOG_WARNING,"handshake failed");
		return NULL;
	}
	if (verify_certificate(session,CN) < 0) {
		return NULL;
	}
	return session;
}
Exemplo n.º 13
0
		/** Set up the given session with the settings in this profile
		 */
		void SetupSession(gnutls_session_t sess)
		{
			priority.SetupSession(sess);
			x509cred.SetupSession(sess);
			gnutls_dh_set_prime_bits(sess, min_dh_bits);

			// Request client certificate if we are a server, no-op if we're a client
			gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
		}
Exemplo n.º 14
0
void TLSTransaction::init (TLSServer& server)
{
  gnutls_init (&_session, GNUTLS_SERVER);
  gnutls_priority_set (_session, server._priorities);
  gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, server._credentials);

  // Require client certificate.
  gnutls_certificate_server_set_request (_session, GNUTLS_CERT_REQUIRE);

/*
  // Set maximum compatibility mode. This is only suggested on public
  // webservers that need to trade security for compatibility
  gnutls_session_enable_compatibility_mode (_session);
*/

  struct sockaddr_in sa_cli = {0};
  socklen_t client_len = sizeof sa_cli;
  do
  {
    _socket = accept (server._socket, (struct sockaddr *) &sa_cli, &client_len);
  }
  while (errno == EINTR);

  if (_socket < 0)
    throw std::string (::strerror (errno));

  // Obtain client info.
  char topbuf[512];
  _address = inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf));
  _port    = ntohs (sa_cli.sin_port);
  if (_debug)
    std::cout << "s: INFO connection from "
              << _address
              << " port "
              << _port
              << "\n";

#if GNUTLS_VERSION_NUMBER >= 0x030109
  gnutls_transport_set_int (_session, _socket);
#else
  gnutls_transport_set_ptr (_session, (gnutls_transport_ptr_t) (long) _socket);
#endif

  // Key exchange.
  int ret;
  do
  {
    ret = gnutls_handshake (_session);
  }
  while (ret < 0 && gnutls_error_is_fatal (ret) == 0);

  if (ret < 0)
    throw std::string ("Handshake has failed (") + gnutls_strerror (ret) + ")";

  if (_debug)
    std::cout << "s: INFO Handshake was completed\n";
}
Exemplo n.º 15
0
	void InitSession(StreamSocket* user, bool me_server)
	{
		gnutls_init(&sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);

		profile->SetupSession(sess);
		gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(user));
		gnutls_transport_set_push_function(sess, gnutls_push_wrapper);
		gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper);

		if (me_server)
			gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.
	}
Exemplo n.º 16
0
void SslContext::bind(SslSocket *socket)
{
	TRACE("bind() (cn=\"%s\")", commonName().c_str());

	socket->context_ = this;
	gnutls_certificate_server_set_request(socket->session_, clientVerifyMode_);
	gnutls_credentials_set(socket->session_, GNUTLS_CRD_CERTIFICATE, certs_);
	gnutls_credentials_set(socket->session_, GNUTLS_CRD_ANON, anonCreds_);

	// XXX following function is marked deprecated and has no replacement API it seems.
	//const int cprio[] = { GNUTLS_CRT_X509, 0 };
	//gnutls_certificate_type_set_priority(socket->session_, cprio);
}
Exemplo n.º 17
0
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
			      int verify_peer)
{
	if (conn == NULL || conn->session == NULL)
		return -1;

	conn->verify_peer = verify_peer;
	gnutls_certificate_server_set_request(conn->session,
					      verify_peer ? GNUTLS_CERT_REQUIRE
					      : GNUTLS_CERT_REQUEST);

	return 0;
}
Exemplo n.º 18
0
/*
 * Starts a standard gnutls session
 * on a server port.
 */
static gnutls_session_t initialize_tls_session (void)
{
   gnutls_session_t session;

   gnutls_init (&session, GNUTLS_SERVER);

   gnutls_priority_set (session, priority_cache);

   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
   gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);

   gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

   return session;
}
Exemplo n.º 19
0
void ssl_init(struct sockifo* ifo, const char* key, const char* cert, const char* ca, int server) {
	int rv;
	rv = gnutls_certificate_allocate_credentials(&ifo->xcred);
	if (rv < 0) goto out_err;
	if (cert && *cert) {
		rv = gnutls_certificate_set_x509_key_file(ifo->xcred, cert, key, GNUTLS_X509_FMT_PEM);
		if (rv < 0) goto out_err_cred;
	}
	if (ca && *ca) {
		if (!access(ca, R_OK)) {
			ifo->state.ssl_verify_type = VERIFY_CA;
			rv = gnutls_certificate_set_x509_trust_file(ifo->xcred, ca, GNUTLS_X509_FMT_PEM);
			if (rv < 0) goto out_err_cred;
		} else {
			ifo->state.ssl_verify_type = VERIFY_FP;
			ifo->fingerprint = strdup(ca);
		}
	}
	gnutls_certificate_set_dh_params(ifo->xcred, dh_params);
	rv = gnutls_init(&ifo->ssl, server ? GNUTLS_SERVER : GNUTLS_CLIENT);
	if (rv < 0) goto out_err_cred;
	rv = gnutls_set_default_priority(ifo->ssl);
	if (rv < 0) goto out_err_all;
	rv = gnutls_credentials_set(ifo->ssl, GNUTLS_CRD_CERTIFICATE, ifo->xcred);
	if (rv < 0) goto out_err_all;

	if (server) {
		gnutls_dh_set_prime_bits(ifo->ssl, 1024);
		gnutls_certificate_server_set_request(ifo->ssl, GNUTLS_CERT_REQUEST);
	}

	gnutls_transport_set_ptr(ifo->ssl, (gnutls_transport_ptr_t)(long) ifo->fd);

	ifo->state.ssl = SSL_HSHK;
	if (!ifo->state.connpend)
		ssl_handshake(ifo);
	return;

out_err_all:
	gnutls_deinit(ifo->ssl);
out_err_cred:
	gnutls_certificate_free_credentials(ifo->xcred);
	if (ifo->fingerprint)
		free(ifo->fingerprint);
out_err:
	esock(ifo, gnutls_strerror(rv));
}
Exemplo n.º 20
0
SSL_handle_t * SSLi_newconnection( int * fileDescriptor, bool_t * isSSLReady )
{
	gnutls_session_t * session = calloc(1, sizeof(gnutls_session_t));

	gnutls_init(session, GNUTLS_SERVER);
	gnutls_priority_set(*session, cipherCache);
	gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, certificate);

	gnutls_certificate_server_set_request(*session, GNUTLS_CERT_REQUIRE);

	gnutls_transport_set_int(*session, *fileDescriptor);

	if(isSSLReady && SSLi_nonblockaccept(session, isSSLReady))
		*isSSLReady = true;

	return session;
}
Exemplo n.º 21
0
static gnutls_session_t new_tls_session(int sock)
{
        int ret;
        gnutls_session_t session;
        const char *err;

#if defined LIBGNUTLS_VERSION_MAJOR && LIBGNUTLS_VERSION_MAJOR >= 3
# define TLS_DH_STR "+ANON-ECDH:+ANON-DH"
#else
# define TLS_DH_STR "+ANON-DH"
#endif

#ifdef GNUTLS_SRP_ENABLED
        const char *pstring = "NORMAL:+SRP:+SRP-DSS:+SRP-RSA:" TLS_DH_STR;
#else
        const char *pstring = "NORMAL:" TLS_DH_STR;
#endif

        gnutls_init(&session, GNUTLS_SERVER);
        gnutls_set_default_priority(session);

        ret = gnutls_priority_set_direct(session, pstring, &err);
        if (ret < 0) {
                fprintf(stderr, "TLS priority syntax error at: %s\n", err);
                return NULL;
        }

#ifdef GNUTLS_SRP_ENABLED
        gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred);
        gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE);
#endif
        gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);

        gnutls_transport_set_ptr(session, fd_to_ptr(sock));
        gnutls_transport_set_pull_function(session, tls_pull);
        gnutls_transport_set_push_function(session, tls_push);

        ret = gnutls_handshake(session);
        if ( ret < 0 ) {
                fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret));
                gnutls_alert_send_appropriate(session, ret);
                return NULL;
        }

        return session;
}
Exemplo n.º 22
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  gnutls_priority_set_direct (session, "NORMAL", NULL);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  return session;
}
Exemplo n.º 23
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  gnutls_priority_set (session, priority_cache);

  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);

  /* We don't request any certificate from the client.
   * If we did we would need to verify it.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);

  return session;
}
Exemplo n.º 24
0
int ne_sock_accept_ssl(ne_socket *sock, ne_ssl_context *ctx)
{
    int ret;
    ne_ssl_socket ssl;

#if defined(HAVE_OPENSSL)
    ssl = SSL_new(ctx->ctx);
    
    SSL_set_fd(ssl, sock->fd);

    sock->ssl = ssl;
    ret = SSL_accept(ssl);
    if (ret != 1) {
        return error_ossl(sock, ret);
    }
#elif defined(HAVE_GNUTLS)
    gnutls_init(&ssl, GNUTLS_SERVER);
    gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
    gnutls_set_default_priority(ssl);

    /* Set up dummy session cache. */
    gnutls_db_set_store_function(ssl, store_sess);
    gnutls_db_set_retrieve_function(ssl, retrieve_sess);    
    gnutls_db_set_remove_function(ssl, remove_sess);    
    gnutls_db_set_ptr(ssl, ctx);

    if (ctx->verify)
        gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);

    sock->ssl = ssl;
    gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr) sock->fd);
    ret = gnutls_handshake(ssl);
    if (ret < 0) {
        return error_gnutls(sock, ret);
    }
    if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
        set_error(sock, _("Client certificate verification failed"));
        return NE_SOCK_ERROR;
    }
#endif
    sock->ops = &iofns_ssl;
    return 0;
}
Exemplo n.º 25
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  gnutls_priority_set_direct (session, "NORMAL:+SRP:+SRP-DSS:+SRP-RSA", NULL);

  gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
  /* for the certificate authenticated ciphersuites.
   */
  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_IGNORE);

  return session;
}
Exemplo n.º 26
0
gnutls_session_t context::session(context *ctx)
{
    SSL ssl = NULL;
    if(ctx && ctx->xcred && ctx->err() == secure::OK) {
        gnutls_init(&ssl, ctx->connect);
        switch(ctx->connect) {
        case GNUTLS_CLIENT:
            gnutls_priority_set_direct(ssl, "PERFORMANCE", NULL);
            break;
        case GNUTLS_SERVER:
            gnutls_priority_set(ssl, context::priority_cache);
            gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
            gnutls_session_enable_compatibility_mode(ssl);
        default:
            break;
        }
        gnutls_credentials_set(ssl, ctx->xtype, ctx->xcred);
    }
    return ssl;
}
Exemplo n.º 27
0
	void InitSession(StreamSocket* user, bool me_server)
	{
		issl_session* session = &sessions[user->GetFd()];

		gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
		session->socket = user;

		#ifdef GNUTLS_NEW_PRIO_API
		gnutls_priority_set(session->sess, priority);
		#endif
		gnutls_credentials_set(session->sess, GNUTLS_CRD_CERTIFICATE, x509_cred);
		gnutls_dh_set_prime_bits(session->sess, dh_bits);
		gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session));
		gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper);
		gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper);

		if (me_server)
			gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.

		Handshake(session, user);
	}
Exemplo n.º 28
0
static gnutls_session_t initialize_tls_session(void)
{
	gnutls_session_t session;

	gnutls_init(&session, GNUTLS_SERVER);

	/* avoid calling all the priority functions, since the defaults
	 * are adequate.
	 */
	gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL);

	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred);

	/* request client certificate if any.
	 */
	gnutls_certificate_server_set_request(session,
					      GNUTLS_CERT_REQUEST);

	gnutls_dh_set_prime_bits(session, DH_BITS);

	return session;
}
Exemplo n.º 29
0
gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_set_default_priority (session);

  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  return session;
}
Exemplo n.º 30
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  gnutls_priority_set (session, priority_cache);

  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

  /* Set maximum compatibility mode. This is only suggested on public webservers
   * that need to trade security for compatibility
   */
  gnutls_session_enable_compatibility_mode (session);

  return session;
}