void doit(void) { int exit_code = EXIT_SUCCESS; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (2); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); HANDSHAKE(client, server); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); gnutls_certificate_free_credentials (serverx509cred); gnutls_certificate_free_credentials (clientx509cred); gnutls_global_deinit (); if (debug > 0) { if (exit_code == 0) puts ("Self-test successful"); else puts ("Self-test failed"); } }
static void test_failure_server(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ to_server_len = 0; to_client_len = 0; client_ret_val = 0; server_ret_val = GNUTLS_E_CERTIFICATE_ERROR; server_ok = 0; client_ok = 0; /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_session_set_verify_function(server, server_callback); gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); gnutls_session_set_verify_function(client, client_callback); HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_CERTIFICATE_ERROR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); if (server_ok == 0) fail("%s: certificate verify callback wasn't called\n", __func__); }
int test_cli_serv_psk(gnutls_psk_server_credentials_t server_cred, gnutls_psk_client_credentials_t client_cred, const char *prio) { int exit_code = EXIT_SUCCESS; int ret; /* Server stuff. */ gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ reset_buffers(); /* Init server */ gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_PSK, server_cred); gnutls_priority_set_direct(server, prio, NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); ret = gnutls_init(&client, GNUTLS_CLIENT); if (ret < 0) exit(1); ret = gnutls_credentials_set(client, GNUTLS_CRD_PSK, client_cred); if (ret < 0) exit(1); gnutls_priority_set_direct(client, prio, NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); HANDSHAKE(client, server); ret = 0; gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); if (debug > 0) { if (exit_code == 0) puts("Self-test successful"); else puts("Self-test failed"); } return ret; }
//general tls stuff------------------------------------------------------------- static gnutls_session_t initialize_tls_session(bool sServer, gnutls_srp_client_credentials_t &cClient, const struct sockaddr *aAddress, socklen_t lLength, const char *aActual) { gnutls_session_t session; gnutls_init(&session, sServer? GNUTLS_SERVER : GNUTLS_CLIENT); if (use_srp_auth) { gnutls_priority_set_direct(session, sServer? "NORMAL:+SRP" : "PERFORMANCE:+SRP", NULL); if (!sServer) set_client_passwd(cClient, aAddress, lLength, aActual); gnutls_credentials_set(session, GNUTLS_CRD_SRP, sServer? (void*) srp_server : (void*) cClient); } else { gnutls_priority_set_direct(session, sServer? "NORMAL:+ANON-DH" : "PERFORMANCE:+ANON-DH", NULL); gnutls_credentials_set(session, GNUTLS_CRD_ANON, credentials); } gnutls_dh_set_prime_bits(session, 1024); gnutls_transport_set_push_function(session, (gnutls_push_func) &write_wrapper); gnutls_transport_set_pull_function(session, (gnutls_pull_func) &read_wrapper); return session; }
gnutls_session_t session(int sock, int server) { gnutls_session_t r; gnutls_init(&r, GNUTLS_DATAGRAM | (server ? GNUTLS_SERVER : GNUTLS_CLIENT) | GNUTLS_NONBLOCK * nonblock); gnutls_priority_set_direct(r, "NORMAL:+ANON-ECDH", 0); gnutls_transport_set_ptr(r, (gnutls_transport_ptr_t) sock); if (server) { gnutls_anon_server_credentials_t cred; gnutls_anon_allocate_server_credentials(&cred); gnutls_credentials_set(r, GNUTLS_CRD_ANON, cred); } else { gnutls_anon_client_credentials_t cred; gnutls_anon_allocate_client_credentials(&cred); gnutls_credentials_set(r, GNUTLS_CRD_ANON, cred); } gnutls_transport_set_push_function(r, writefn); gnutls_dtls_set_mtu(r, 1400); gnutls_dtls_set_timeouts(r, 100, 60000); return r; }
struct tls_connection * tls_connection_init(void *ssl_ctx) { struct tls_connection *conn; const int cert_types[2] = { GNUTLS_CRT_X509, 0 }; const int protos[2] = { GNUTLS_TLS1, 0 }; conn = malloc(sizeof(*conn)); if (conn == NULL) return NULL; memset(conn, 0, sizeof(*conn)); if (gnutls_init(&conn->session, GNUTLS_CLIENT) < 0) { wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS " "connection"); free(conn); return NULL; } gnutls_set_default_priority(conn->session); gnutls_certificate_type_set_priority(conn->session, cert_types); gnutls_protocol_set_priority(conn->session, protos); gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn); gnutls_certificate_allocate_credentials(&conn->xcred); return conn; }
static rfbBool InitializeTLSSession(rfbClient* client, rfbBool anonTLS) { int ret; const char *p; if (client->tlsSession) return TRUE; if ((ret = gnutls_init((gnutls_session_t*)&client->tlsSession, GNUTLS_CLIENT)) < 0) { rfbClientLog("Failed to initialized TLS session: %s.\n", gnutls_strerror(ret)); return FALSE; } if ((ret = gnutls_priority_set_direct((gnutls_session_t)client->tlsSession, anonTLS ? rfbAnonTLSPriority : rfbTLSPriority, &p)) < 0) { rfbClientLog("Warning: Failed to set TLS priority: %s (%s).\n", gnutls_strerror(ret), p); } gnutls_transport_set_ptr((gnutls_session_t)client->tlsSession, (gnutls_transport_ptr_t)client); gnutls_transport_set_push_function((gnutls_session_t)client->tlsSession, PushTLS); gnutls_transport_set_pull_function((gnutls_session_t)client->tlsSession, PullTLS); rfbClientLog("TLS session initialized.\n"); return TRUE; }
static void server(int fd, int packet) { int ret; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_server_credentials(&anoncred); session = initialize_tls_session(); counter = 0; packet_to_lose = packet; gnutls_transport_set_int(session, fd); gnutls_transport_set_push_function(session, push); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); gnutls_deinit(session); gnutls_global_deinit(); if (ret < 0) { return; } }
static void session_init(int sock, int server) { gnutls_init(&session, GNUTLS_DATAGRAM | (server ? GNUTLS_SERVER : GNUTLS_CLIENT) | GNUTLS_NONBLOCK * nonblock); gnutls_priority_set_direct(session, "+CTYPE-OPENPGP:+CIPHER-ALL:+MAC-ALL:+ECDHE-RSA:+ANON-ECDH", 0); gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) (intptr_t) sock); if (full) { gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred); if (server) { gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE); } } else if (server) { gnutls_anon_server_credentials_t cred; gnutls_anon_allocate_server_credentials(&cred); gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred); } else { gnutls_anon_client_credentials_t cred; gnutls_anon_allocate_client_credentials(&cred); gnutls_credentials_set(session, GNUTLS_CRD_ANON, cred); } gnutls_transport_set_push_function(session, writefn); gnutls_dtls_set_mtu(session, 1400); gnutls_dtls_set_timeouts(session, retransmit_milliseconds, timeout_seconds * 1000); }
static gnutls_session new_tls_session(int sock) { int ret; gnutls_session session; const int kx_priority[] = { GNUTLS_KX_ANON_DH, #ifdef GNUTLS_SRP_ENABLED GNUTLS_KX_SRP, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP_RSA, #endif 0 }; gnutls_init(&session, GNUTLS_SERVER); gnutls_set_default_priority(session); gnutls_kx_set_priority(session, kx_priority); #ifdef GNUTLS_SRP_ENABLED gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred); gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); #endif gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_ptr(session, fd_to_ptr(sock)); gnutls_transport_set_pull_function(session, tls_pull); gnutls_transport_set_push_function(session, tls_push); ret = gnutls_handshake(session); if ( ret < 0 ) { fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret)); gnutls_alert_send_appropriate(session, ret); return NULL; } return session; }
void SslSocket::setupSession() { qDebug() << "Initialise client session"; // Setup the trust store gnutls_certificate_allocate_credentials(&d->x509cred); gnutls_certificate_set_x509_trust_file(d->x509cred, "/etc/ssl/ca-bundle.pem", GNUTLS_X509_FMT_PEM); // Configure the session gnutls_init(&d->session, GNUTLS_CLIENT); gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509cred); const char *err; gnutls_priority_init(&d->priority_cache, "NORMAL", &err); gnutls_priority_set(d->session, d->priority_cache); // Setup the transport functions to use QTcpSocket gnutls_transport_set_ptr(d->session, this); gnutls_transport_set_pull_function(d->session, read_callback); #ifdef NO_VECTOR_WRITES gnutls_transport_set_push_function(d->session, write_callback); #else gnutls_transport_set_vec_push_function(d->session, write_vector_callback); #endif }
bool CTlsSocket::InitSession() { int res = gnutls_init(&m_session, GNUTLS_CLIENT); if (res) { LogError(res, _T("gnutls_init")); Uninit(); return false; } // Even though the name gnutls_db_set_cache_expiration // implies expiration of some cache, it also governs // the actual session lifetime, independend whether the // session is cached or not. gnutls_db_set_cache_expiration(m_session, 100000000); res = gnutls_priority_set_direct(m_session, ciphers, 0); if (res) { LogError(res, _T("gnutls_priority_set_direct")); Uninit(); return false; } gnutls_dh_set_prime_bits(m_session, 512); gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials); // Setup transport functions gnutls_transport_set_push_function(m_session, PushFunction); gnutls_transport_set_pull_function(m_session, PullFunction); gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this); return true; }
bool CTlsSocket::Init() { // This function initializes GnuTLS int res = gnutls_global_init(); if (res) { LogError(res); return false; } m_initialized = true; res = gnutls_certificate_allocate_credentials(&m_certCredentials); if (res < 0) { LogError(res); Uninit(); return false; } res = gnutls_init(&m_session, GNUTLS_CLIENT); if (res) { LogError(res); Uninit(); return false; } res = gnutls_set_default_priority(m_session); if (res) { LogError(res); Uninit(); return false; } // Set which type of certificates we accept const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; gnutls_certificate_type_set_priority(m_session, cert_type_priority); if (res) { LogError(res); Uninit(); return false; } gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials); // Setup transport functions gnutls_transport_set_push_function(m_session, PushFunction); gnutls_transport_set_pull_function(m_session, PullFunction); gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this); gnutls_transport_set_lowat(m_session, 0); m_shutdown_requested = false; // At this point, we can start shaking hands. return true; }
static void client(int fd, int packet) { int ret; gnutls_anon_client_credentials_t anoncred; /* Need to enable anonymous KX specifically. */ global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_client_credentials(&anoncred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM); gnutls_dtls_set_mtu(session, 1500); /* Use default priorities */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); counter = 0; packet_to_lose = packet; gnutls_transport_set_int(session, fd); gnutls_transport_set_push_function(session, push); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); gnutls_deinit(session); gnutls_global_deinit(); if (ret < 0) { if (ret == GNUTLS_E_TIMEDOUT) return; fail("client: Handshake failed\n"); gnutls_perror(ret); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } exit(1); }
static int tls_handshake (struct ikstls_data **datap, ikstransport *trans, void *sock) { const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; struct ikstls_data *data; int ret; *datap = NULL; data = iks_malloc (sizeof(*data)); if (!data) return IKS_NOMEM; memset (data, 0, sizeof(*data)); data->trans = trans; data->sock = sock; data->timeout = -1; if (gnutls_global_init () != 0) { iks_free (data); return IKS_NOMEM; } if (gnutls_certificate_allocate_credentials (&data->cred) < 0) { iks_free (data); return IKS_NOMEM; } if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { gnutls_certificate_free_credentials (data->cred); iks_free (data); return IKS_NOMEM; } gnutls_protocol_set_priority (data->sess, protocol_priority); gnutls_cipher_set_priority(data->sess, cipher_priority); gnutls_compression_set_priority(data->sess, comp_priority); gnutls_kx_set_priority(data->sess, kx_priority); gnutls_mac_set_priority(data->sess, mac_priority); gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); gnutls_transport_set_ptr (data->sess, data); ret = gnutls_handshake (data->sess); if (ret != 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); iks_free (data); return IKS_NET_TLSFAIL; } *datap = data; return IKS_OK; }
liGnuTLSFilter* li_gnutls_filter_new( liServer *srv, liWorker *wrk, const liGnuTLSFilterCallbacks *callbacks, gpointer data, gnutls_session_t session, liStream *crypt_source, liStream *crypt_drain ) { liEventLoop *loop = crypt_source->loop; liGnuTLSFilter *f; liCQLimit *out_limit; f = g_slice_new0(liGnuTLSFilter); f->refcount = 5; /* 1 + 4 streams */ f->callbacks = callbacks; f->callback_data = data; f->srv = srv; f->wrk = wrk; f->session = session; gnutls_transport_set_ptr(f->session, (gnutls_transport_ptr_t) f); gnutls_transport_set_push_function(f->session, stream_push); #ifdef HAVE_GIOVEC gnutls_transport_set_vec_push_function(f->session, stream_pushv); #endif gnutls_transport_set_pull_function(f->session, stream_pull); gnutls_session_set_ptr(f->session, f); gnutls_handshake_set_post_client_hello_function(f->session, post_client_hello_cb); f->initial_handshaked_finished = 0; f->closing = f->aborted = 0; f->write_wants_read = 0; li_stream_init(&f->crypt_source, loop, stream_crypt_source_cb); li_stream_init(&f->crypt_drain, loop, stream_crypt_drain_cb); li_stream_init(&f->plain_source, loop, stream_plain_source_cb); li_stream_init(&f->plain_drain, loop, stream_plain_drain_cb); /* "virtual" connections - the content goes through SSL */ li_stream_connect(&f->plain_drain, &f->crypt_source); li_stream_connect(&f->crypt_drain, &f->plain_source); li_stream_connect(crypt_source, &f->crypt_drain); li_stream_connect(&f->crypt_source, crypt_drain); /* separate limit for buffer of encrypted data * * f->plain_drain is already connected to f->crypt_source, * so they won't share the same limit */ out_limit = li_cqlimit_new(); out_limit->notify = stream_crypt_source_limit_notify_cb; out_limit->context = f; li_cqlimit_set_limit(out_limit, 32*1024); li_chunkqueue_set_limit(crypt_drain->out, out_limit); li_chunkqueue_set_limit(f->crypt_source.out, out_limit); li_cqlimit_release(out_limit); return f; }
TLSSocket::TLSSocket(std::shared_ptr<TLSSession> session, std::shared_ptr<socket> sok) : m_session(session), m_wrapped(sok), m_connected(false), m_handshaking(false), m_ex(NULL) { gnutls_transport_set_ptr(*m_session->m_gnutlsSession, this); gnutls_transport_set_push_function(*m_session->m_gnutlsSession, gnutlsPushFunc); gnutls_transport_set_pull_function(*m_session->m_gnutlsSession, gnutlsPullFunc); }
static void client(int fd) { int ret; gnutls_anon_client_credentials_t anoncred; gnutls_session_t session; /* Need to enable anonymous KX specifically. */ global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_client_credentials(&anoncred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM); gnutls_dtls_set_mtu(session, 1500); gnutls_handshake_set_timeout(session, 20 * 1000); /* Use default priorities */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); gnutls_transport_set_push_function(session, push); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { success("client: Handshake failed as expected\n"); gnutls_perror(ret); goto exit; } else { fail("client: Handshake completed unexpectedly\n"); goto exit; } exit: gnutls_deinit(session); gnutls_anon_free_client_credentials(anoncred); gnutls_global_deinit(); }
bool DTLS_Encrypt(NetworkAddress * destAddress, uint8_t * plainText, int plainTextLength, uint8_t * encryptedBuffer, int encryptedBufferLength, int * encryptedLength, void *context) { bool result = false; DTLS_Session * session = GetSession(destAddress); if (session) { if (session->SessionEstablished) { gnutls_transport_set_push_function(session->Session, EncryptCallBack); session->Buffer = encryptedBuffer; session->BufferLength = encryptedBufferLength; int written = gnutls_write(session->Session, plainText, plainTextLength); if (written >= 0) { *encryptedLength = encryptedBufferLength - session->BufferLength; result = (*encryptedLength > 0); } } else { session->UserContext = context; gnutls_transport_set_push_function(session->Session, SSLSendCallBack); session->SessionEstablished = (gnutls_handshake(session->Session) == GNUTLS_E_SUCCESS); if (session->SessionEstablished) Lwm2m_Info("DTLS Session established\n"); } } else { int index; for (index = 0;index < MAX_DTLS_SESSIONS; index++) { if (!sessions[index].Session) { SetupNewSession(index, destAddress, true); sessions[index].UserContext = context; gnutls_transport_set_push_function(sessions[index].Session, SSLSendCallBack); sessions[index].SessionEstablished = (gnutls_handshake(sessions[index].Session) == GNUTLS_E_SUCCESS); break; } } } return result; }
/** * Enables SSL for the given connection. * * @param connection The connection to enable SSL for. * * @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection * is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when * SSL initialization, setup, or handshake fails. */ idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection) { if (!connection || connection->ssl_data) return IDEVICE_E_INVALID_ARG; idevice_error_t ret = IDEVICE_E_SSL_ERROR; uint32_t return_me = 0; ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); /* Set up GnuTLS... */ debug_info("enabling SSL mode"); errno = 0; gnutls_global_init(); gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate); gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback); gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT); gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL); gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate); gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc); gnutls_x509_crt_init(&ssl_data_loc->root_cert); gnutls_x509_crt_init(&ssl_data_loc->host_cert); gnutls_x509_privkey_init(&ssl_data_loc->root_privkey); gnutls_x509_privkey_init(&ssl_data_loc->host_privkey); userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert); if (uerr != USERPREF_E_SUCCESS) { debug_info("Error %d when loading keys and certificates! %d", uerr); } debug_info("GnuTLS step 1..."); gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection); debug_info("GnuTLS step 2..."); gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write); debug_info("GnuTLS step 3..."); gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read); debug_info("GnuTLS step 4 -- now handshaking..."); if (errno) debug_info("WARN: errno says %s before handshake!", strerror(errno)); return_me = gnutls_handshake(ssl_data_loc->session); debug_info("GnuTLS handshake done..."); if (return_me != GNUTLS_E_SUCCESS) { internal_ssl_cleanup(ssl_data_loc); free(ssl_data_loc); debug_info("GnuTLS reported something wrong."); gnutls_perror(return_me); debug_info("oh.. errno says %s", strerror(errno)); } else { connection->ssl_data = ssl_data_loc; ret = IDEVICE_E_SUCCESS; debug_info("SSL mode enabled"); } return ret; }
GIOChannel *g_io_channel_gnutls_new(int fd) { GIOGnuTLSChannel *gnutls_channel; GIOChannel *channel; int err; DBG(""); gnutls_channel = g_new(GIOGnuTLSChannel, 1); channel = (GIOChannel *) gnutls_channel; g_io_channel_init(channel); channel->funcs = &gnutls_channel_funcs; gnutls_channel->fd = fd; channel->is_seekable = FALSE; channel->is_readable = TRUE; channel->is_writeable = TRUE; channel->do_encode = FALSE; g_io_gnutls_global_init(); err = gnutls_init(&gnutls_channel->session, GNUTLS_CLIENT); if (err < 0) { g_free(gnutls_channel); return NULL; } gnutls_transport_set_ptr(gnutls_channel->session, gnutls_channel); gnutls_transport_set_push_function(gnutls_channel->session, g_io_gnutls_push_func); gnutls_transport_set_pull_function(gnutls_channel->session, g_io_gnutls_pull_func); #if GNUTLS_VERSION_NUMBER < 0x020c00 gnutls_transport_set_lowat(gnutls_channel->session, 0); gnutls_priority_set_direct(gnutls_channel->session, "NORMAL:%COMPAT", NULL); #else gnutls_priority_set_direct(gnutls_channel->session, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL); #endif gnutls_certificate_allocate_credentials(&gnutls_channel->cred); gnutls_credentials_set(gnutls_channel->session, GNUTLS_CRD_CERTIFICATE, gnutls_channel->cred); DBG("channel %p", channel); return channel; }
static int tls_gnutls_init_session(struct tls_global *global, struct tls_connection *conn) { #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 const char *err; #else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */ const int cert_types[2] = { GNUTLS_CRT_X509, 0 }; const int protos[2] = { GNUTLS_TLS1, 0 }; #endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */ int ret; ret = gnutls_init(&conn->session, global->server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (ret < 0) { wpa_printf(MSG_INFO, "TLS: Failed to initialize new TLS " "connection: %s", gnutls_strerror(ret)); return -1; } ret = gnutls_set_default_priority(conn->session); if (ret < 0) goto fail; #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0", &err); if (ret < 0) { wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at " "'%s'", err); goto fail; } #else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */ ret = gnutls_certificate_type_set_priority(conn->session, cert_types); if (ret < 0) goto fail; ret = gnutls_protocol_set_priority(conn->session, protos); if (ret < 0) goto fail; #endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */ gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn); return 0; fail: wpa_printf(MSG_INFO, "TLS: Failed to setup new TLS connection: %s", gnutls_strerror(ret)); gnutls_deinit(conn->session); return -1; }
void InitSession(StreamSocket* user, bool me_server) { gnutls_init(&sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT); profile->SetupSession(sess); gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(user)); gnutls_transport_set_push_function(sess, gnutls_push_wrapper); gnutls_transport_set_pull_function(sess, gnutls_pull_wrapper); if (me_server) gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); // Request client certificate if any. }
static int handshake (struct stream_data *data) { const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; int ret; #ifndef WIN32 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); #endif if (gnutls_global_init () != 0) return IKS_NOMEM; if (gnutls_certificate_allocate_credentials (&data->cred) < 0) return IKS_NOMEM; if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { gnutls_certificate_free_credentials (data->cred); return IKS_NOMEM; } gnutls_protocol_set_priority (data->sess, protocol_priority); gnutls_cipher_set_priority(data->sess, cipher_priority); gnutls_compression_set_priority(data->sess, comp_priority); gnutls_kx_set_priority(data->sess, kx_priority); gnutls_mac_set_priority(data->sess, mac_priority); gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); gnutls_transport_set_ptr (data->sess, data->prs); ret = gnutls_handshake (data->sess); if (ret != 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); return IKS_NET_TLSFAIL; } data->flags &= (~SF_TRY_SECURE); data->flags |= SF_SECURE; iks_send_header (data->prs, data->server); return IKS_OK; } // HAVE_GNUTLS
static void client(int fd) { int ret; gnutls_certificate_credentials_t xcred; gnutls_session_t session; global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&xcred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); gnutls_handshake_set_timeout(session, 20 * 1000); /* Use default priorities */ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA:%COMPAT", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_transport_set_int(session, fd); gnutls_transport_set_push_function(session, odd_push); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret >= 0) { fail("client: Handshake succeeded!\n"); exit(1); } close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); }
void GnuTlsStream::handshake(const GnuTlsServer& server) { log_debug("gnutls_init(session, GNUTLS_SERVER)"); int ret = gnutls_init(&_session, GNUTLS_SERVER); if (ret != 0) throw GnuTlsException("gnutls_init", ret); log_debug("gnutls_set_default_priority"); ret = gnutls_set_default_priority(_session); if (ret != 0) throw GnuTlsException("gnutls_set_default_priority", ret); log_debug("gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, " << server.getCred() << ')'); ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, server.getCred()); if (ret != 0) throw GnuTlsException("gnutls_credentials_set", ret); log_debug("gnutls_dh_set_prime_bits(session, 1024)"); gnutls_dh_set_prime_bits(_session, 1024); _fdInfo.fd = getFd(); _fdInfo.timeout = getTimeout(); log_debug("gnutls_transport_set_ptr(ptr)"); gnutls_transport_set_ptr(_session, static_cast<gnutls_transport_ptr_t>(&_fdInfo)); log_debug("gnutls_transport_set_pull_function()"); gnutls_transport_set_pull_function(_session, pull_func); log_debug("gnutls_transport_set_push_function()"); gnutls_transport_set_push_function(_session, push_func); // non-blocking/with timeout _fdInfo.timeout = 10000; log_debug("gnutls_handshake"); ret = gnutls_handshake(_session); log_debug("gnutls_handshake => " << ret); if (ret != 0) throw GnuTlsException("gnutls_handshake", ret); _connected = true; _fdInfo.timeout = getTimeout(); log_debug("ssl-handshake was completed"); }
void evcom_stream_assign_fds (evcom_stream *stream, int recvfd, int sendfd) { assert(recvfd >= 0); assert(sendfd >= 0); if (recvfd == sendfd) stream->flags |= EVCOM_DUPLEX; if (set_nonblock(recvfd) != 0) { evcom_perror("set_nonblock(recvfd)", errno); } if (set_nonblock(sendfd) != 0) { evcom_perror("set_nonblock(sendfd)", errno); } #ifdef SO_NOSIGPIPE if (DUPLEX(stream)) { int flags = 1; int r = setsockopt(sendfd, SOL_SOCKET, SO_NOSIGPIPE, &flags, sizeof(flags)); if (r < 0) { evcom_perror("setsockopt(SO_NOSIGPIPE)", errno); } } #endif ev_io_set(&stream->read_watcher, recvfd, EV_READ); ev_io_set(&stream->write_watcher, sendfd, EV_WRITE); stream->recvfd = recvfd; stream->sendfd = sendfd; stream->send_action = stream__connection_established; stream->recv_action = stream__connection_established; stream->flags |= EVCOM_READABLE; stream->flags |= EVCOM_WRITABLE; #if EVCOM_HAVE_GNUTLS if (SECURE(stream)) { gnutls_transport_set_lowat(stream->session, 0); gnutls_transport_set_push_function(stream->session, nosigpipe_push); gnutls_transport_set_pull_function(stream->session, pull); gnutls_transport_set_ptr2(stream->session, stream, stream); } #endif }
bool DTLS_Decrypt(NetworkAddress * sourceAddress, uint8_t * encrypted, int encryptedLength, uint8_t * decryptBuffer, int decryptBufferLength, int * decryptedLength, void *context) { bool result = false; DTLS_Session * session = GetSession(sourceAddress); if (session) { session->Buffer = encrypted; session->BufferLength = encryptedLength; if (session->SessionEstablished) { *decryptedLength = gnutls_read(session->Session, decryptBuffer, decryptBufferLength); result = (*decryptedLength > 0); if (!result) { FreeSession(session); session = NULL; } } else { *decryptedLength = 0; session->SessionEstablished = (gnutls_handshake(session->Session) == GNUTLS_E_SUCCESS); if (session->SessionEstablished) Lwm2m_Info("Session established"); } } if (!session) { int index; for (index = 0;index < MAX_DTLS_SESSIONS; index++) { if (!sessions[index].Session) { SetupNewSession(index, sourceAddress, false); sessions[index].UserContext = context; gnutls_transport_set_push_function(sessions[index].Session, SSLSendCallBack); sessions[index].Buffer = encrypted; sessions[index].BufferLength = encryptedLength; sessions[index].SessionEstablished = (gnutls_handshake(sessions[index].Session) == GNUTLS_E_SUCCESS); break; } } } return result; }
static gnutls_session_t new_tls_session(int sock) { int ret; gnutls_session_t session; const char *err; #if defined LIBGNUTLS_VERSION_MAJOR && LIBGNUTLS_VERSION_MAJOR >= 3 # define TLS_DH_STR "+ANON-ECDH:+ANON-DH" #else # define TLS_DH_STR "+ANON-DH" #endif #ifdef GNUTLS_SRP_ENABLED const char *pstring = "NORMAL:+SRP:+SRP-DSS:+SRP-RSA:" TLS_DH_STR; #else const char *pstring = "NORMAL:" TLS_DH_STR; #endif gnutls_init(&session, GNUTLS_SERVER); gnutls_set_default_priority(session); ret = gnutls_priority_set_direct(session, pstring, &err); if (ret < 0) { fprintf(stderr, "TLS priority syntax error at: %s\n", err); return NULL; } #ifdef GNUTLS_SRP_ENABLED gnutls_credentials_set(session, GNUTLS_CRD_SRP, srpcred); gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); #endif gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_ptr(session, fd_to_ptr(sock)); gnutls_transport_set_pull_function(session, tls_pull); gnutls_transport_set_push_function(session, tls_push); ret = gnutls_handshake(session); if ( ret < 0 ) { fprintf(stderr, "GnuTLS handshake failed: %s.\n", gnutls_strerror(ret)); gnutls_alert_send_appropriate(session, ret); return NULL; } return session; }
/** \brief Start the action */ crypto_err_t tls_full_t::start(tls_privctx_t * p_tls_privctx , const pkt_t &p_lower_buf_l2u) throw() { // log to debug KLOG_DBG("enter"); // copy the parameters this->m_tls_privctx = p_tls_privctx; this->m_lower_buf_l2u = p_lower_buf_l2u; // set all the custom read/write function gnutls_session_t gnutls_sess = m_tls_privctx->session(); gnutls_transport_set_ptr(gnutls_sess, (gnutls_transport_ptr_t) this); gnutls_transport_set_pull_function(gnutls_sess, tls_full_c_read_cb); gnutls_transport_set_push_function(gnutls_sess, tls_full_c_write_cb); // return no error return crypto_err_t::OK; }