void doit(void)
{
gnutls_certificate_credentials_t serv_cred;
gnutls_certificate_credentials_t cli_cred;
int ret;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0);
ret = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_key_mem(cli_cred, &clidsa_ca3_cert,
&clidsa_ca3_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in error code: %s\n", gnutls_strerror(ret));
exit(1);
}
/* test gnutls_certificate_flags() */
gnutls_certificate_allocate_credentials(&serv_cred);
gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH);
ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_key_mem(serv_cred, &server_ca3_localhost_cert_chain,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in error code\n");
exit(1);
}
test_cli_serv_cert(serv_cred, cli_cred, "NORMAL:+DHE-DSS:+SIGN-DSA-SHA1", "NORMAL:-DHE-DSS:-SIGN-DSA-SHA1", "localhost");
gnutls_certificate_free_credentials(serv_cred);
gnutls_certificate_free_credentials(cli_cred);
gnutls_global_deinit();
if (debug)
success("success");
}
static void run(const char *env, const char *filename)
{
gnutls_certificate_credentials_t x509_cred;
gnutls_certificate_credentials_t clicred;
int ret;
remove(filename);
#ifdef _WIN32
{
char buf[512];
snprintf(buf, sizeof(buf), "%s=%s", env, filename);
_putenv(buf);
}
#else
setenv(env, filename, 1);
#endif
global_init();
if (debug) {
gnutls_global_set_log_level(6);
gnutls_global_set_log_function(tls_log_func);
}
/* test gnutls_certificate_flags() */
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert_chain,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in error code\n");
exit(1);
}
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL);
if (access(filename, R_OK) != 0) {
fail("keylog file was not created\n");
exit(1);
}
search_for_str(filename);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
gnutls_global_deinit();
remove(filename);
if (debug)
success("success");
}
void doit(void)
{
int exit_code = EXIT_SUCCESS;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (2);
/* Init server */
gnutls_certificate_allocate_credentials (&serverx509cred);
gnutls_certificate_set_x509_key_mem (serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
gnutls_priority_set_direct (server, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);
/* Init client */
gnutls_certificate_allocate_credentials (&clientx509cred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
gnutls_priority_set_direct (client, "NORMAL", NULL);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);
HANDSHAKE(client, server);
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
gnutls_certificate_free_credentials (serverx509cred);
gnutls_certificate_free_credentials (clientx509cred);
gnutls_global_deinit ();
if (debug > 0)
{
if (exit_code == 0)
puts ("Self-test successful");
else
puts ("Self-test failed");
}
}
static
void test_failure_server(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
to_server_len = 0;
to_client_len = 0;
client_ret_val = 0;
server_ret_val = GNUTLS_E_CERTIFICATE_ERROR;
server_ok = 0;
client_ok = 0;
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server, "NORMAL", NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_session_set_verify_function(server,
server_callback);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
gnutls_session_set_verify_function(client,
client_callback);
HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_CERTIFICATE_ERROR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
if (server_ok == 0)
fail("%s: certificate verify callback wasn't called\n", __func__);
}
int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
{
int ret;
gnutls_datum_t *d_cert, *d_key;
if(cert == NULL)
{
rb_lib_log("rb_setup_ssl_server: No certificate file");
return 0;
}
if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
{
rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
return 0;
}
if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
{
rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
return 0;
}
if((ret =
gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
{
rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
gnutls_strerror(ret));
return 0;
}
rb_free_datum_t(d_cert);
rb_free_datum_t(d_key);
if(dhfile != NULL)
{
if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
{
gnutls_datum_t *data;
int xret;
data = rb_load_file_into_datum_t(dhfile);
if(data != NULL)
{
xret = gnutls_dh_params_import_pkcs3(dh_params, data,
GNUTLS_X509_FMT_PEM);
if(xret < 0)
rb_lib_log
("rb_setup_ssl_server: Error parsing DH file: %s\n",
gnutls_strerror(xret));
rb_free_datum_t(data);
}
gnutls_certificate_set_dh_params(x509, dh_params);
}
else
rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
}
return 1;
}
static void
server (int fd, const char* prio)
{
int ret;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
/* this must be called once in the program
*/
gnutls_global_init ();
memset(buffer, 0, sizeof(buffer));
if (debug)
{
gnutls_global_set_log_function (server_log_func);
gnutls_global_set_log_level (4711);
}
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_anon_allocate_server_credentials (&anoncred);
session = initialize_tls_session (prio);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) fd);
do
{
ret = gnutls_handshake (session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0)
{
close (fd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
terminate();
}
if (debug)
success ("server: Handshake was completed\n");
if (debug)
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version
(session)));
close(fd);
gnutls_deinit (session);
gnutls_anon_free_server_credentials (anoncred);
gnutls_certificate_free_credentials (x509_cred);
gnutls_global_deinit ();
if (debug)
success ("server: finished\n");
}
static void server(int sd)
{
gnutls_certificate_credentials_t x509_cred;
gnutls_session_t session;
int ret;
unsigned loops;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success("Launched, generating DH parameters...\n");
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, sd);
loops = 0;
do {
ret = gnutls_handshake(session);
loops++;
if (loops > 64)
fail("Too many loops in the handshake!\n");
} while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_WARNING_ALERT_RECEIVED);
if (ret >= 0) {
fail("server: Handshake succeeded unexpectedly\n");
}
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
void
server_start (void)
{
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_certificate_set_dh_params (x509_cred, dh_params);
/* Socket operations
*/
listen_sd = socket (AF_INET, SOCK_STREAM, 0);
if (err == -1)
{
perror ("socket");
fail ("server: socket failed\n");
return;
}
memset (&sa_serv, '\0', sizeof (sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (PORT); /* Server Port number */
setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
if (err == -1)
{
perror ("bind");
fail ("server: bind failed\n");
return;
}
err = listen (listen_sd, 1024);
if (err == -1)
{
perror ("listen");
fail ("server: listen failed\n");
return;
}
success ("server: ready. Listening to port '%d'.\n", PORT);
}
void
doit (void)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
unsigned int i;
gnutls_x509_crt_t issuer;
gnutls_x509_crt_t list[LIST_SIZE];
char dn[128];
size_t dn_size;
unsigned int list_size;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (6);
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
/* test for gnutls_certificate_get_issuer() */
list_size = LIST_SIZE;
ret = gnutls_x509_crt_list_import(list, &list_size, &cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0)
fail("gnutls_x509_crt_list_import");
ret = gnutls_certificate_get_issuer(x509_cred, list[0], &issuer, 0);
if (ret < 0)
fail("gnutls_certificate_get_isser");
dn_size = sizeof(dn);
ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size);
if (ret < 0)
fail("gnutls_certificate_get_isser");
if (debug)
fprintf(stderr, "Issuer's DN: %s\n", dn);
for (i=0;i<list_size;i++)
gnutls_x509_crt_deinit(list[i]);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug) success("success");
}
int
setup_session (gnutls_session_t * session,
gnutls_datum_t * key,
gnutls_datum_t * cert,
gnutls_certificate_credentials_t * xcred)
{
int ret;
const char *err_pos;
gnutls_certificate_allocate_credentials (xcred);
key->size = strlen (srv_key_pem) + 1;
key->data = malloc (key->size);
if (NULL == key->data)
{
gnutls_certificate_free_credentials (*xcred);
return -1;
}
memcpy (key->data, srv_key_pem, key->size);
cert->size = strlen (srv_self_signed_cert_pem) + 1;
cert->data = malloc (cert->size);
if (NULL == cert->data)
{
gnutls_certificate_free_credentials (*xcred);
free (key->data);
return -1;
}
memcpy (cert->data, srv_self_signed_cert_pem, cert->size);
gnutls_certificate_set_x509_key_mem (*xcred, cert, key,
GNUTLS_X509_FMT_PEM);
gnutls_init (session, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct (*session,
"NORMAL", &err_pos);
if (ret < 0)
{
gnutls_deinit (*session);
gnutls_certificate_free_credentials (*xcred);
free (key->data);
return -1;
}
gnutls_credentials_set (*session,
GNUTLS_CRD_CERTIFICATE,
*xcred);
return 0;
}
static sni_cert_data* creds_from_gstring(mod_context *ctx, GString *str) {
sni_cert_data* data = NULL;
gnutls_certificate_credentials_t creds = NULL;
liGnuTLSOCSP* ocsp = NULL;
gnutls_datum_t pemfile;
int r;
if (NULL == str) return NULL;
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&creds))) return NULL;
pemfile.data = (unsigned char*) str->str;
pemfile.size = str->len;
#if defined(HAVE_PIN)
gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin);
#endif
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) {
goto error;
}
gnutls_certificate_set_dh_params(creds, ctx->dh_params);
ocsp = li_gnutls_ocsp_new();
if (!li_gnutls_ocsp_search_datum(ctx->srv, ocsp, &pemfile)) {
goto error;
}
li_gnutls_ocsp_use(ocsp, creds);
data = g_slice_new0(sni_cert_data);
data->creds = creds;
data->ocsp = ocsp;
return data;
error:
if (NULL != creds) gnutls_certificate_free_credentials(creds);
if (NULL != ocsp) li_gnutls_ocsp_free(ocsp);
return NULL;
}
static void server(int fd)
{
int ret;
gnutls_certificate_credentials_t xcred;
char buffer[MAX_BUF + 1];
gnutls_session_t session;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&xcred);
ret = gnutls_certificate_set_x509_key_mem(xcred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
gnutls_init(&session, GNUTLS_SERVER);
gnutls_handshake_set_timeout(session, 20 * 1000);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session,
"NORMAL:-KX-ALL:+ECDHE-RSA",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
/* print_info(session); */
memset(buffer, 1, sizeof(buffer));
do {
ret = gnutls_record_send(session, buffer, sizeof(buffer)-1);
} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
if (ret < 0) {
close(fd);
gnutls_deinit(session);
fail("server: data sending has failed (%s)\n\n",
gnutls_strerror(ret));
terminate();
}
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
if (ret < 0) {
fail("server: error in closing session: %s\n", gnutls_strerror(ret));
}
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static void server(int fd)
{
int ret;
gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
/* this must be called once in the program
*/
global_init();
if (debug) {
gnutls_global_set_log_function(server_log_func);
gnutls_global_set_log_level(4711);
}
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&session, GNUTLS_SERVER|GNUTLS_DATAGRAM);
gnutls_handshake_set_timeout(session, 20 * 1000);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
GNUTLS_HOOK_POST,
handshake_callback);
assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-DTLS1.2", NULL)>= 0);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_transport_set_int(session, fd);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
/* failure is expected here */
goto end;
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
assert(found_server_name != 0);
assert(found_status_req != 0);
gnutls_bye(session, GNUTLS_SHUT_WR);
end:
close(fd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static
void server_initiated_handshake(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
unsigned char buffer[64];
int cret = GNUTLS_E_AGAIN;
size_t transferred = 0;
success("testing server initiated re-handshake\n");
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(2);
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL:+VERS-TLS1.3", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
if (gnutls_protocol_get_version(client) != GNUTLS_TLS1_3)
fail("TLS1.3 was not negotiated\n");
sret = gnutls_rehandshake(server);
if (debug) {
tls_log_func(0, "gnutls_rehandshake (server)...\n");
tls_log_func(0, gnutls_strerror(sret));
tls_log_func(0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv(client, b, 1);
/* in TLS1.2 we get REHANDSHAKE error, here nothing */
if (n != GNUTLS_E_AGAIN) {
fail("error msg: %s\n", gnutls_strerror(n));
}
}
TRANSFER(client, server, "xxxx", 4, buffer, sizeof(buffer));
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
reset_buffers();
}
static void server(int sd)
{
gnutls_certificate_credentials_t serverx509cred;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
side = "server";
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "PERFORMANCE:+ANON-ECDH:+ANON-DH",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_supplemental_recv(session, 1);
gnutls_supplemental_send(session, 1);
gnutls_session_supplemental_register(session, "supplemental_server", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_server_recv_func, supp_server_send_func, 0);
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
if (TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1)
fail("server: extension not properly sent/received\n");
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
void
client (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (xcred, &cert, &key,
GNUTLS_X509_FMT_PEM);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_set_default_priority (session);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
success ("client: Handshake was completed\n");
}
success ("client: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version (session)));
/* see the Getting peer's information example */
print_info(session);
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
}
static
void test_failure(const char *name, const char *prio)
{
int ret;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
gnutls_x509_crt_t *crts;
unsigned int crts_size;
unsigned i;
gnutls_typed_vdata_st vdata[2];
gnutls_x509_privkey_t pkey;
unsigned status;
success("testing cert verification failure for %s\n", name);
to_server_len = 0;
to_client_len = 0;
ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_cert, GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_privkey_import(pkey, &server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key(serverx509cred, crts, crts_size, pkey);
gnutls_x509_privkey_deinit(pkey);
for (i=0;i<crts_size;i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
assert(gnutls_priority_set_direct(server,
prio,
NULL) >= 0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
/* Init client */
/* Init client */
ret = gnutls_certificate_allocate_credentials(&clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_key_mem(clientx509cred,
&cli_cert, &cli_key,
GNUTLS_X509_FMT_PEM);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
assert(gnutls_priority_set_direct(client, prio, NULL) >= 0);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
memset(vdata, 0, sizeof(vdata));
/* check with wrong hostname */
vdata[0].type = GNUTLS_DT_DNS_HOSTNAME;
vdata[0].data = (void*)"localhost1";
vdata[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
vdata[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
gnutls_session_set_verify_cert2(client, vdata, 2, 0);
HANDSHAKE_EXPECT(client, server, GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR, GNUTLS_E_AGAIN);
status = gnutls_session_get_verify_cert_status(client);
if (status == 0) {
fail("should not have accepted!\n");
exit(1);
}
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
}
void doit(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug) gnutls_global_set_log_level (2);
/* Init server */
gnutls_certificate_allocate_credentials (&serverx509cred);
gnutls_certificate_set_x509_key_mem (serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
gnutls_priority_set_direct (server, "NORMAL", NULL);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);
/* Init client */
gnutls_certificate_allocate_credentials (&clientx509cred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
gnutls_priority_set_direct (client, "NORMAL", NULL);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);
/* Check that initially no session use the extension. */
if (gnutls_safe_renegotiation_status (server)
|| gnutls_safe_renegotiation_status (client))
{
puts ("Client or server using extension before handshake?");
abort ();
}
HANDSHAKE(client, server);
/* Check that both sessions use the extension. */
if (!gnutls_safe_renegotiation_status (server)
|| !gnutls_safe_renegotiation_status (client))
{
puts ("Client or server not using safe renegotiation extension?");
abort ();
}
sret = gnutls_rehandshake (server);
if (debug)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
HANDSHAKE(client, server);
/* Check that session still use the extension. */
if (!gnutls_safe_renegotiation_status (server)
|| !gnutls_safe_renegotiation_status (client))
{
puts ("Client or server not using safe renegotiation extension?");
abort ();
}
/* Check that this API does not affect anything after first
handshake.
gnutls_safe_negotiation_set_initial (server, 0); */
sret = gnutls_rehandshake (server);
if (debug)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
HANDSHAKE(client, server);
/* Check that disabling the extension will break rehandshakes.
gnutls_safe_renegotiation_set (client, 0); */
sret = gnutls_rehandshake (server);
if (debug)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
HANDSHAKE(client, server);
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
gnutls_certificate_free_credentials (serverx509cred);
gnutls_certificate_free_credentials (clientx509cred);
gnutls_global_deinit ();
if (debug)
{
puts ("Self-test successful");
}
return;
}
void doit(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(2);
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server, "NORMAL", NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_certificate_set_verify_function(serverx509cred,
server_callback);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
gnutls_handshake_set_post_client_hello_function(server,
post_client_hello_callback);
gnutls_handshake_set_hook_function(server, GNUTLS_HANDSHAKE_ANY,
GNUTLS_HOOK_POST,
handshake_callback);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
gnutls_certificate_set_verify_function(clientx509cred,
client_callback);
HANDSHAKE(client, server);
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
if (pch_ok == 0)
fail("Post client hello callback wasn't called\n");
if (server_ok == 0)
fail("Server certificate verify callback wasn't called\n");
if (client_ok == 0)
fail("Client certificate verify callback wasn't called\n");
}
void
doit (void)
{
int exit_code = EXIT_SUCCESS;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (2);
/* Init server */
gnutls_certificate_allocate_credentials (&serverx509cred);
gnutls_certificate_set_x509_key_mem (serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
gnutls_priority_set_direct (server, "NORMAL", NULL);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);
/* Init client */
gnutls_certificate_allocate_credentials (&clientx509cred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
gnutls_priority_set_direct (client, "NORMAL", NULL);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);
HANDSHAKE(client, server);
sret = gnutls_rehandshake (server);
if (debug)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
HANDSHAKE(client, server);
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
gnutls_certificate_free_credentials (serverx509cred);
gnutls_certificate_free_credentials (clientx509cred);
gnutls_global_deinit ();
if (debug)
{
if (exit_code == 0)
puts ("Self-test successful");
else
puts ("Self-test failed");
}
}
void doit(void)
{
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(2);
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server, "NORMAL", NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
/* Init client */
gnutls_certificate_allocate_credentials(&clientx509cred);
gnutls_init(&client, GNUTLS_CLIENT);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
gnutls_priority_set_direct(client, "NORMAL", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE(client, server);
if (!gnutls_safe_renegotiation_status(client) ||
!gnutls_safe_renegotiation_status(server)) {
tls_log_func(0, "Session not using safe renegotiation!\n");
exit(1);
}
if (!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION) ||
!(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION)) {
tls_log_func(0, "Session not using safe renegotiation!\n");
exit(1);
}
sret = gnutls_rehandshake(server);
if (debug) {
tls_log_func(0, "gnutls_rehandshake (server)...\n");
tls_log_func(0, gnutls_strerror(sret));
tls_log_func(0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv(client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort();
}
HANDSHAKE(client, server);
if (!gnutls_safe_renegotiation_status(client) ||
!gnutls_safe_renegotiation_status(server)) {
tls_log_func(0,
"Rehandshaked session not using safe renegotiation!\n");
exit(1);
}
if (!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION) ||
!(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION)) {
tls_log_func(0,
"Rehandshaked session not using safe renegotiation!\n");
exit(1);
}
gnutls_bye(client, GNUTLS_SHUT_RDWR);
gnutls_bye(server, GNUTLS_SHUT_RDWR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
if (debug) {
puts("Self-test successful");
}
return;
}
void doit(void)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
unsigned int i;
gnutls_x509_crt_t issuer;
gnutls_x509_crt_t list[LIST_SIZE];
char dn[128];
size_t dn_size;
unsigned int list_size;
size_t buf_size;
gnutls_x509_privkey_t get_key;
gnutls_x509_crt_t *get_crts;
unsigned n_get_crts;
gnutls_datum_t get_datum, chain_datum[2] = {server_ca3_cert, subca3_cert};
gnutls_x509_trust_list_t trust_list;
gnutls_x509_trust_list_iter_t trust_iter;
gnutls_x509_crt_t get_ca_crt;
unsigned n_get_ca_crts;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_cert_chain,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
/* test for gnutls_certificate_get_issuer() */
/* check whether gnutls_x509_crt_list_import will fail if given a single
* certificate */
list_size = LIST_SIZE;
ret =
gnutls_x509_crt_list_import(list, &list_size, &ca3_cert,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0)
fail("gnutls_x509_crt_list_import (failed with a single cert)");
gnutls_x509_crt_deinit(list[0]);
list_size = LIST_SIZE;
ret =
gnutls_x509_crt_list_import(list, &list_size, &cli_ca3_cert_chain,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0)
fail("gnutls_x509_crt_list_import");
ret =
gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, 0);
if (ret < 0)
fail("gnutls_certificate_get_isser");
ret =
gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, GNUTLS_TL_GET_COPY);
if (ret < 0)
fail("gnutls_certificate_get_isser");
dn_size = sizeof(dn);
ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size);
if (ret < 0)
fail("gnutls_certificate_get_dn");
gnutls_x509_crt_deinit(issuer);
if (dn_size != strlen(dn)) {
fail("gnutls_x509_crt_get_dn: lengths don't match\n");
exit(1);
}
if (debug)
fprintf(stderr, "Issuer's DN: %s\n", dn);
/* test the getter functions of gnutls_certificate_credentials_t */
ret =
gnutls_certificate_get_x509_key(x509_cred, 0, &get_key);
if (ret < 0)
fail("gnutls_certificate_get_x509_key");
ret =
gnutls_x509_privkey_export2(get_key,
GNUTLS_X509_FMT_PEM,
&get_datum);
if (ret < 0)
fail("gnutls_x509_privkey_export2");
if (get_datum.size != server_ca3_key.size ||
memcmp(get_datum.data, server_ca3_key.data, get_datum.size) != 0) {
fail(
"exported key %u vs. %u\n\n%s\n\nvs.\n\n%s",
get_datum.size, server_ca3_key.size,
get_datum.data, server_ca3_key.data);
}
if (strlen((char*)get_datum.data) != get_datum.size) {
fail("exported key %u vs. %u\n\n%s\n",
get_datum.size, (unsigned)strlen((char*)get_datum.data),
get_datum.data);
}
gnutls_free(get_datum.data);
buf_size = sizeof(buf);
ret =
gnutls_x509_privkey_export(get_key,
GNUTLS_X509_FMT_PEM,
buf, &buf_size);
if (ret < 0)
fail("gnutls_x509_privkey_export");
if (buf_size != get_datum.size ||
buf_size != strlen(buf) ||
memcmp(buf, server_ca3_key.data, buf_size) != 0) {
fail(
"exported key %u vs. %u\n\n%s\n\nvs.\n\n%s",
(int)buf_size, server_ca3_key.size,
buf, server_ca3_key.data);
}
ret =
gnutls_certificate_get_x509_crt(x509_cred, 0, &get_crts, &n_get_crts);
if (ret < 0)
fail("gnutls_certificate_get_x509_crt");
if (n_get_crts != 2)
fail("gnutls_certificate_get_x509_crt: n_crts != 2");
for (i = 0; i < n_get_crts; i++) {
ret =
gnutls_x509_crt_export2(get_crts[i],
GNUTLS_X509_FMT_PEM,
&get_datum);
if (ret < 0)
fail("gnutls_x509_crt_export2");
if (get_datum.size != chain_datum[i].size ||
memcmp(get_datum.data, chain_datum[i].data, get_datum.size) != 0) {
fail(
"exported certificate %u vs. %u\n\n%s\n\nvs.\n\n%s",
get_datum.size, chain_datum[i].size,
get_datum.data, chain_datum[i].data);
}
gnutls_free(get_datum.data);
}
gnutls_certificate_get_trust_list(x509_cred, &trust_list);
n_get_ca_crts = 0;
trust_iter = NULL;
while (gnutls_x509_trust_list_iter_get_ca(trust_list,
&trust_iter,
&get_ca_crt) !=
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
ret =
gnutls_x509_crt_export2(get_ca_crt,
GNUTLS_X509_FMT_PEM,
&get_datum);
if (ret < 0)
fail("gnutls_x509_crt_export2");
if (get_datum.size != ca3_cert.size ||
memcmp(get_datum.data, ca3_cert.data, get_datum.size) != 0) {
fail(
"exported CA certificate %u vs. %u\n\n%s\n\nvs.\n\n%s",
get_datum.size, ca3_cert.size,
get_datum.data, ca3_cert.data);
}
gnutls_x509_crt_deinit(get_ca_crt);
gnutls_free(get_datum.data);
++n_get_ca_crts;
}
if (n_get_ca_crts != 1)
fail("gnutls_x509_trust_list_iter_get_ca: n_cas != 1");
if (trust_iter != NULL)
fail("gnutls_x509_trust_list_iter_get_ca: iterator not NULL after iteration");
gnutls_x509_privkey_deinit(get_key);
for (i = 0; i < n_get_crts; i++)
gnutls_x509_crt_deinit(get_crts[i]);
gnutls_free(get_crts);
for (i = 0; i < list_size; i++)
gnutls_x509_crt_deinit(list[i]);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("success");
}
int
main (int argc, char *argv[])
{
int debug_level = argc - 1;
int exit_code = EXIT_SUCCESS;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug_level);
/* Init server */
gnutls_certificate_allocate_credentials (&serverx509cred);
gnutls_certificate_set_x509_key_mem (serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init (&server, GNUTLS_SERVER);
gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION",
NULL);
gnutls_transport_set_push_function (server, server_push);
gnutls_transport_set_pull_function (server, server_pull);
/* Init client */
gnutls_certificate_allocate_credentials (&clientx509cred);
gnutls_init (&client, GNUTLS_CLIENT);
gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
gnutls_priority_set_direct (client, "NORMAL", NULL);
gnutls_transport_set_push_function (client, client_push);
gnutls_transport_set_pull_function (client, client_pull);
/* Check that initially no session use the extension. */
if (gnutls_safe_renegotiation_status (server)
|| gnutls_safe_renegotiation_status (client))
{
puts ("Client or server using extension before handshake?");
abort ();
}
do
{
static int max_iter = 0;
if (max_iter++ > 10)
abort ();
if (cret == GNUTLS_E_AGAIN)
{
cret = gnutls_handshake (client);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_handshake (client)...\n");
tls_log_func (0, gnutls_strerror (cret));
tls_log_func (0, "\n");
}
}
if (sret == GNUTLS_E_AGAIN)
{
sret = gnutls_handshake (server);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_handshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
}
}
while (
/* Not done: */
!(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
/* No error: */
&& (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS)
exit_code = EXIT_FAILURE;
if (gnutls_safe_renegotiation_status (client) ||
gnutls_safe_renegotiation_status (server))
{
tls_log_func (0, "Session using safe renegotiation but shouldn't?!\n");
exit_code = EXIT_FAILURE;
}
sret = gnutls_rehandshake (server);
if (debug_level > 0)
{
tls_log_func (0, "gnutls_rehandshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
{
ssize_t n;
char b[1];
n = gnutls_record_recv (client, b, 1);
if (n != GNUTLS_E_REHANDSHAKE)
abort ();
}
cret = GNUTLS_E_AGAIN;
sret = GNUTLS_E_AGAIN;
do
{
static int max_iter = 0;
if (max_iter++ > 10)
abort ();
if (cret == GNUTLS_E_AGAIN)
{
cret = gnutls_handshake (client);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (client)...\n");
tls_log_func (0, gnutls_strerror (cret));
tls_log_func (0, "\n");
}
}
if (sret == GNUTLS_E_AGAIN)
{
sret = gnutls_handshake (server);
if (debug_level > 0)
{
tls_log_func (0, "second gnutls_handshake (server)...\n");
tls_log_func (0, gnutls_strerror (sret));
tls_log_func (0, "\n");
}
}
if (cret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED)
break;
}
while (
/* Not done: */
!(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS)
/* No error: */
&& (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN));
if (cret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED
&& sret != GNUTLS_E_SUCCESS)
exit_code = 1;
if (gnutls_safe_renegotiation_status (client) ||
gnutls_safe_renegotiation_status (server))
{
tls_log_func (0, "Rehandshaked worked and uses safe reneg?!\n");
exit_code = EXIT_FAILURE;
}
gnutls_bye (client, GNUTLS_SHUT_RDWR);
gnutls_bye (server, GNUTLS_SHUT_RDWR);
gnutls_deinit (client);
gnutls_deinit (server);
free (to_server);
free (to_client);
gnutls_certificate_free_credentials (serverx509cred);
gnutls_global_deinit ();
if (debug_level > 0)
{
if (exit_code == 0)
puts ("Self-test successful");
else
puts ("Self-test failed");
}
return exit_code;
}
void
server (void)
{
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
success ("Launched, generating DH parameters...\n");
generate_dh_params ();
gnutls_certificate_set_dh_params (x509_cred, dh_params);
client_len = sizeof (sa_cli);
session = initialize_tls_session ();
sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
success ("server: connection from %s, port %d\n",
inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
sizeof (topbuf)), ntohs (sa_cli.sin_port));
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
ret = gnutls_handshake (session);
if (ret < 0)
{
close (sd);
gnutls_deinit (session);
fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
return;
}
success ("server: Handshake was completed\n");
success ("server: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version (session)));
/* see the Getting peer's information example */
print_info (session);
i = 0;
for (;;)
{
bzero (buffer, MAX_BUF + 1);
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
success ("server: Peer has closed the GNUTLS connection\n");
break;
}
else if (ret < 0)
{
fail ("server: Received corrupted data(%d). Closing...\n", ret);
break;
}
else if (ret > 0)
{
/* echo data back to the client
*/
gnutls_record_send (session, buffer, strlen (buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye (session, GNUTLS_SHUT_WR);
close (sd);
gnutls_deinit (session);
close (listen_sd);
gnutls_certificate_free_credentials (x509_cred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
success ("server: finished\n");
}
static void client(int sd)
{
int ret, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
gnutls_certificate_allocate_credentials(&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_mem(xcred, &ca,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(xcred, &cert, &key,
GNUTLS_X509_FMT_PEM);
/* Initialize TLS session
*/
gnutls_init(&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set_direct(session, "NORMAL", NULL);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_transport_set_int(session, sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake(session);
if (ret < 0) {
fail("client: Handshake failed\n");
gnutls_perror(ret);
goto end;
} else if (debug) {
success("client: Handshake was completed\n");
}
if (debug)
success("client: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
if (debug)
print_info(session);
ret = gnutls_record_send(session, MSG, strlen(MSG));
if (ret == strlen(MSG)) {
if (debug)
success("client: sent record.\n");
} else {
fail("client: failed to send record.\n");
gnutls_perror(ret);
goto end;
}
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (debug)
success("client: recv returned %d.\n", ret);
if (ret == GNUTLS_E_REHANDSHAKE) {
if (debug)
success("client: doing handshake!\n");
ret = gnutls_handshake(session);
if (ret == 0) {
if (debug)
success
("client: handshake complete, reading again.\n");
ret = gnutls_record_recv(session, buffer, MAX_BUF);
} else {
fail("client: handshake failed.\n");
}
}
if (ret == 0) {
if (debug)
success
("client: Peer has closed the TLS connection\n");
goto end;
} else if (ret < 0) {
fail("client: Error: %s\n", gnutls_strerror(ret));
goto end;
}
if (debug) {
printf("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++) {
fputc(buffer[ii], stdout);
}
fputs("\n", stdout);
}
gnutls_bye(session, GNUTLS_SHUT_RDWR);
end:
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(xcred);
gnutls_global_deinit();
}
static void server(int sd)
{
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_trust_mem(x509_cred, &ca,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success("Launched, generating DH parameters...\n");
generate_dh_params();
gnutls_certificate_set_dh_params(x509_cred, dh_params);
session = initialize_tls_session();
gnutls_transport_set_int(session, sd);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug) {
success("server: Handshake was completed\n");
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
}
/* see the Getting peer's information example */
if (debug)
print_info(session);
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
if (debug)
success
("server: got data, forcing rehandshake.\n");
ret = gnutls_rehandshake(session);
if (ret < 0) {
fail("server: rehandshake failed\n");
gnutls_perror(ret);
break;
}
ret = gnutls_handshake(session);
if (ret < 0) {
fail("server: (re)handshake failed\n");
gnutls_perror(ret);
break;
}
if (debug)
success("server: rehandshake complete.\n");
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static
void test_success2(const char *name, const char *prio)
{
int ret;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
gnutls_x509_crt_t *crts;
unsigned int crts_size;
unsigned i;
gnutls_x509_privkey_t pkey;
unsigned status;
success("testing cert verification success2 for %s\n", name);
to_server_len = 0;
to_client_len = 0;
ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_cert, GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_privkey_import(pkey, &server_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
exit(1);
}
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key(serverx509cred, crts, crts_size, pkey);
gnutls_x509_privkey_deinit(pkey);
for (i=0;i<crts_size;i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
assert(gnutls_priority_set_direct(server,
prio,
NULL)>=0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
/* Init client */
/* Init client */
ret = gnutls_certificate_allocate_credentials(&clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_key_mem(clientx509cred,
&cli_cert, &cli_key,
GNUTLS_X509_FMT_PEM);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
assert(gnutls_priority_set_direct(client, prio, NULL)>=0);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
gnutls_session_set_verify_cert(client, "localhost", 0);
HANDSHAKE(client, server);
status = gnutls_session_get_verify_cert_status(client);
if (status != 0) {
fail("%s: should have accepted: %u!\n", __func__, status);
exit(1);
}
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
}
static void server(int sd)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
gnutls_certificate_allocate_credentials(&x509_cred);
ret = gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
if (ret == 0) {
fail("server: no CAs loaded\n");
}
gnutls_certificate_set_x509_key_mem(x509_cred,
&server_ca3_localhost_cert,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (debug)
success("Launched, generating DH parameters...\n");
generate_dh_params();
gnutls_certificate_set_dh_params(x509_cred, dh_params);
gnutls_init(&session, GNUTLS_SERVER);
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request(session,
GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits(session, DH_BITS);
gnutls_transport_set_int(session, sd);
gnutls_handshake_set_timeout(session, 20 * 1000);
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
gnutls_deinit(session);
fail("server: Handshake has failed (%s)\n\n",
gnutls_strerror(ret));
return;
}
if (debug)
success("server: Handshake was completed\n");
if (debug)
success("server: TLS version is: %s\n",
gnutls_protocol_get_name
(gnutls_protocol_get_version(session)));
/* see the Getting peer's information example */
if (debug)
print_info(session);
for (;;) {
memset(buffer, 0, MAX_BUF + 1);
ret = gnutls_record_recv(session, buffer, MAX_BUF);
if (ret == 0) {
if (debug)
success
("server: Peer has closed the GnuTLS connection\n");
break;
} else if (ret < 0) {
fail("server: Received corrupted data(%d). Closing...\n", ret);
break;
} else if (ret > 0) {
/* echo data back to the client
*/
gnutls_record_send(session, buffer,
strlen(buffer));
}
}
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
close(sd);
gnutls_deinit(session);
gnutls_certificate_free_credentials(x509_cred);
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("server: finished\n");
}
static
void server_check(void)
{
int exit_code = EXIT_SUCCESS;
int ret;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
/* Init server */
gnutls_certificate_allocate_credentials(&serverx509cred);
gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
gnutls_priority_set_direct(server,
"NORMAL:-KX-ALL:+RSA",
NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
/* Init client */
ret = gnutls_certificate_allocate_credentials(&clientx509cred);
if (ret < 0)
exit(1);
ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
exit(1);
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred);
if (ret < 0)
exit(1);
gnutls_priority_set_direct(client, "NORMAL:+RSA", NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN, GNUTLS_E_NO_CIPHER_SUITES);
if (debug)
success("server returned the expected code\n");
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
gnutls_global_deinit();
if (debug > 0) {
if (exit_code == 0)
puts("Self-test successful");
else
puts("Self-test failed");
}
}
/* Returns true if resumed */
static unsigned handshake(const char *prio, unsigned t, const gnutls_datum_t *sdata,
gnutls_datum_t *ndata,
gnutls_datum_t *skey,
struct hsk_st *h)
{
int ret;
/* Server stuff. */
gnutls_certificate_credentials_t serverx509cred;
gnutls_session_t server;
int sret = GNUTLS_E_AGAIN;
/* Client stuff. */
gnutls_certificate_credentials_t clientx509cred;
gnutls_session_t client;
int cret = GNUTLS_E_AGAIN;
char buf[128];
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0);
assert(gnutls_certificate_set_x509_key_mem(serverx509cred,
&server_cert, &server_key,
GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&server, GNUTLS_SERVER)>=0);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
serverx509cred);
assert(gnutls_priority_set_direct(server, prio, NULL)>=0);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
gnutls_session_set_ptr(server, h);
gnutls_db_set_cache_expiration(server, t);
assert(gnutls_session_ticket_enable_server(server, skey) >= 0);
gnutls_handshake_set_hook_function(server, -1,
GNUTLS_HOOK_POST,
handshake_callback);
assert(gnutls_certificate_allocate_credentials(&clientx509cred)>=0);
assert(gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM)>=0);
assert(gnutls_init(&client, GNUTLS_CLIENT)>=0);
assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
clientx509cred)>=0);
assert(gnutls_priority_set_direct(client, prio, NULL)>=0);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
if (sdata) {
assert(gnutls_session_set_data(client, sdata->data, sdata->size)>=0);
}
memset(buf, 0, sizeof(buf));
ret = gnutls_session_set_data(client, buf, sizeof(buf));
if (ret != GNUTLS_E_DB_ERROR) {
fail("unexpected error: %s\n", gnutls_strerror(ret));
}
HANDSHAKE(client, server);
gnutls_record_recv(client, buf, sizeof(buf));
if (ndata) {
ret = gnutls_session_get_data2(client, ndata);
if (ret < 0) {
fail("unexpected error: %s\n", gnutls_strerror(ret));
}
}
ret = gnutls_session_is_resumed(client);
gnutls_deinit(server);
gnutls_deinit(client);
gnutls_certificate_free_credentials(serverx509cred);
gnutls_certificate_free_credentials(clientx509cred);
reset_buffers();
return ret;
}
