int
manos_tls_regenerate_dhparams (int bits)
{
gnutls_dh_params_t params, oldparams;
int err;
err = gnutls_dh_params_init (¶ms);
if (err != 0) {
return err;
}
err = gnutls_dh_params_generate2 (params, bits);
if (err != 0) {
gnutls_dh_params_deinit (params);
return err;
}
oldparams = dh_params;
dh_params = params;
if (oldparams != NULL) {
gnutls_dh_params_deinit (oldparams);
}
return 0;
}
void
manos_tls_global_end ()
{
gnutls_priority_deinit (priority_cache);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
bool generate_dh_params(gnutls_dh_params_t *const dh_params)
{
/* int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW); */
int bits = 1248; /* Equivalent, gnutls_sec_param_to_pk_bits is available since 2.12 */
int ret;
assert(dh_params != NULL);
/* Generate Diffie-Hellman parameters - for use with DHE
* kx algorithms. When short bit length is used, it might
* be wise to regenerate parameters often. */
ret = gnutls_dh_params_init(dh_params);
if(ret != GNUTLS_E_SUCCESS)
{
trace(LOG_ERR, "failed to initialize Diffie-Hellman parameters");
goto error;
}
ret = gnutls_dh_params_generate2(*dh_params, bits);
if(ret != GNUTLS_E_SUCCESS)
{
trace(LOG_ERR, "failed to generate Diffie-Hellman parameters");
goto free_dh;
}
return true;
free_dh:
gnutls_dh_params_deinit(*dh_params);
error:
return false;
}
void tls_server_destroy(tls_server_t *server)
{
lock_destroy(&server->lock);
gnutls_dh_params_deinit(server->dh_params);
gnutls_certificate_free_credentials(server->cred);
tls_server_cache_destroy(&server->cache);
memset(server, 0, sizeof(tls_server_t));
}
void dh_info(FILE * infile, FILE * outfile, common_info_st * ci)
{
gnutls_datum_t params;
size_t size;
int ret;
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
unsigned int q_bits = 0;
if (gnutls_dh_params_init(&dh_params) < 0) {
fprintf(stderr, "Error in dh parameter initialization\n");
exit(1);
}
params.data = (void *) fread_file(infile, &size);
params.size = size;
ret =
gnutls_dh_params_import_pkcs3(dh_params, ¶ms,
ci->incert_format);
if (ret < 0) {
fprintf(stderr, "Error parsing dh params: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_dh_params_export_raw(dh_params, &p, &g, &q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (ci->outcert_format == GNUTLS_X509_FMT_PEM)
print_dh_info(outfile, &p, &g, q_bits, ci->cprint);
if (!ci->cprint) { /* generate a PKCS#3 structure */
size_t len = buffer_size;
ret =
gnutls_dh_params_export_pkcs3(dh_params,
ci->outcert_format,
buffer, &len);
if (ret == 0) {
if (ci->outcert_format == GNUTLS_X509_FMT_PEM) {
fprintf(outfile, "\n%s", buffer);
} else {
fwrite(buffer, 1, len, outfile);
}
} else {
fprintf(stderr, "Error: %s\n",
gnutls_strerror(ret));
}
}
gnutls_dh_params_deinit(dh_params);
}
static void global_stop(void)
{
if (debug)
success("global stop\n");
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
}
void doit(void)
{
generate_dh_params();
run_test("NORMAL:-KX-ALL:+PSK");
run_test("NORMAL:-KX-ALL:+ECDHE-PSK");
run_test("NORMAL:-KX-ALL:+DHE-PSK");
gnutls_dh_params_deinit(dh_params);
}
/* this function deinitializes all the internal parameters stored
* in a session struct.
*/
inline static void
deinit_internal_params (gnutls_session_t session)
{
if (session->internals.params.free_dh_params)
gnutls_dh_params_deinit (session->internals.params.dh_params);
if (session->internals.params.free_rsa_params)
gnutls_rsa_params_deinit (session->internals.params.rsa_params);
memset (&session->internals.params, 0, sizeof (session->internals.params));
}
/**
* @short Frees the user data
* @memberof onion_https_t
*
* @param op
*/
static void onion_https_free_user_data(onion_listen_point *op){
ONION_DEBUG("Free HTTPS %s:%s", op->hostname, op->port);
onion_https *https=(onion_https*)op->user_data;
gnutls_certificate_free_credentials (https->x509_cred);
gnutls_dh_params_deinit(https->dh_params);
gnutls_priority_deinit (https->priority_cache);
//if (op->server->flags&O_SSL_NO_DEINIT)
gnutls_global_deinit(); // This may cause problems if several characters use the gnutls on the same binary.
onion_low_free(https);
}
gtlsGlobalServerData::~gtlsGlobalServerData()
{
// Free the structures used to keep certificates in.
gnutls_certificate_free_credentials(cert_cred);
// Free the dh params used.
gnutls_dh_params_deinit(dh_params);
// Shutdown Gnu TLS.
gnutls_global_deinit();
}
void
global_stop (void)
{
success ("global stop\n");
gnutls_anon_free_server_credentials (anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
}
static void
qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
{
if (creds->data) {
gnutls_certificate_free_credentials(creds->data);
creds->data = NULL;
}
if (creds->parent_obj.dh_params) {
gnutls_dh_params_deinit(creds->parent_obj.dh_params);
creds->parent_obj.dh_params = NULL;
}
}
/* this function deinitializes all the internal parameters stored
* in a session struct.
*/
inline static void
deinit_internal_params (gnutls_session_t session)
{
if (session->internals.params.free_dh_params)
gnutls_dh_params_deinit (session->internals.params.dh_params);
if (session->internals.params.free_rsa_params)
gnutls_rsa_params_deinit (session->internals.params.rsa_params);
_gnutls_handshake_hash_buffers_clear (session);
memset (&session->internals.params, 0, sizeof (session->internals.params));
}
Gobby::CertificateManager::~CertificateManager()
{
if(m_credentials != NULL)
inf_certificate_credentials_unref(m_credentials);
for(unsigned int i = 0; i < m_trust.size(); ++i)
gnutls_x509_crt_deinit(m_trust[i]);
if(m_certificates != NULL)
inf_certificate_chain_unref(m_certificates);
if(m_key != NULL)
gnutls_x509_privkey_deinit(m_key);
if(m_dh_params != NULL)
gnutls_dh_params_deinit(m_dh_params);
}
/* this function deinitializes all the internal parameters stored
* in a session struct.
*/
inline static void deinit_internal_params(gnutls_session_t session)
{
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
if (session->internals.params.free_dh_params)
gnutls_dh_params_deinit(session->internals.params.
dh_params);
#endif
_gnutls_handshake_hash_buffers_clear(session);
memset(&session->internals.params, 0,
sizeof(session->internals.params));
}
void tls_client_destroy(tls_client_t *client)
{
lock_destroy(&client->lock);
tls_client_cache_destroy(&client->cache);
#ifdef TLS_CLIENT_AUTH
if (client->dh_params != NULL)
{
gnutls_dh_params_deinit(client->dh_params);
}
#endif
gnutls_certificate_free_credentials(client->cred);
memset(client, 0, sizeof(tls_client_t));
}
static void
global_stop (void)
{
if (debug)
success ("global stop\n");
gnutls_anon_free_server_credentials (anoncred);
gnutls_dh_params_deinit (dh_params);
gnutls_global_deinit ();
shutdown (listen_sd, SHUT_RDWR);
}
void ufwissl_ssl_context_destroy(ufwissl_ssl_context * ctx)
{
gnutls_certificate_free_credentials(ctx->cred);
gnutls_dh_params_deinit(ctx->dh);
if (ctx->cache.client.data) {
ufwissl_free(ctx->cache.client.data);
} else if (ctx->cache.server.key.data) {
gnutls_free(ctx->cache.server.key.data);
gnutls_free(ctx->cache.server.data.data);
}
if (ctx->ciphers)
ufwissl_free(ctx->ciphers);
ufwissl_free(ctx);
}
void Plugin::_deinit()
{
if (this->init.contains("priority"))
gnutls_priority_deinit(this->priority);
if (this->init.contains("credentials"))
gnutls_certificate_free_credentials(this->x509_cred);
if (this->init.contains("dh_params"))
gnutls_dh_params_deinit(this->dhParams);
if (this->init.contains("crt"))
gnutls_x509_crt_deinit(this->crt);
if (this->init.contains("privkey"))
gnutls_x509_privkey_deinit(this->key);
if (this->init.contains("global"))
gnutls_global_deinit();
this->init.clear();
}
void doit(void)
{
gnutls_dh_params_t dh_params;
gnutls_x509_privkey_t privkey;
gnutls_datum_t p1, g1, p2, g2, q;
unsigned bits = 0;
int ret;
/* import DH parameters from DSA key and verify they are the same */
gnutls_dh_params_init(&dh_params);
gnutls_x509_privkey_init(&privkey);
ret = gnutls_x509_privkey_import(privkey, &dsa_key, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_dh_params_import_dsa(dh_params, privkey);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_dh_params_export_raw(dh_params, &p1, &g1, &bits);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_x509_privkey_export_dsa_raw(privkey, &p2, &q, &g2, NULL, NULL);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (bits > q.size*8 || bits < q.size*8-8)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (compare(&p1, &p2) != 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (compare(&g1, &g2) != 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
gnutls_free(p1.data);
gnutls_free(g1.data);
gnutls_free(p2.data);
gnutls_free(g2.data);
gnutls_free(q.data);
gnutls_dh_params_deinit(dh_params);
gnutls_x509_privkey_deinit(privkey);
success("all ok\n");
}
static Ecore_Con_Ssl_Error
_ecore_con_ssl_server_shutdown_gnutls(Ecore_Con_Server *svr)
{
if (svr->session)
{
gnutls_bye(svr->session, GNUTLS_SHUT_RDWR);
gnutls_deinit(svr->session);
}
if (svr->cert_file)
free(svr->cert_file);
svr->cert_file = NULL;
if (svr->cert)
gnutls_certificate_free_credentials(svr->cert);
svr->cert = NULL;
if ((svr->type & ECORE_CON_SSL) && svr->created)
{
if (svr->dh_params)
{
gnutls_dh_params_deinit(svr->dh_params);
svr->dh_params = NULL;
}
if (svr->anoncred_s)
gnutls_anon_free_server_credentials(svr->anoncred_s);
// if (svr->pskcred_s)
// gnutls_psk_free_server_credentials(svr->pskcred_s);
svr->anoncred_s = NULL;
svr->pskcred_s = NULL;
}
else if (svr->type & ECORE_CON_SSL)
{
if (svr->anoncred_c)
gnutls_anon_free_client_credentials(svr->anoncred_c);
// if (svr->pskcred_c)
// gnutls_psk_free_client_credentials(svr->pskcred_c);
svr->anoncred_c = NULL;
svr->pskcred_c = NULL;
}
svr->session = NULL;
return ECORE_CON_SSL_ERROR_NONE;
}
static void mod_gnutls_context_release(mod_context *ctx) {
if (!ctx) return;
LI_FORCE_ASSERT(g_atomic_int_get(&ctx->refcount) > 0);
if (g_atomic_int_dec_and_test(&ctx->refcount)) {
gnutls_priority_deinit(ctx->server_priority_beast);
gnutls_priority_deinit(ctx->server_priority);
gnutls_certificate_free_credentials(ctx->server_cert);
#ifdef HAVE_SESSION_TICKET
/* wtf. why is there no function in gnutls for this... */
if (NULL != ctx->ticket_key.data) {
gnutls_free(ctx->ticket_key.data);
ctx->ticket_key.data = NULL;
ctx->ticket_key.size = 0;
}
#endif
li_ssl_session_db_free(ctx->session_db);
ctx->session_db = NULL;
#ifdef USE_SNI
if (NULL != ctx->sni_db) {
li_fetch_database_release(ctx->sni_db);
ctx->sni_db = NULL;
}
if (NULL != ctx->sni_backend_db) {
li_fetch_database_release(ctx->sni_backend_db);
ctx->sni_backend_db = NULL;
}
if (NULL != ctx->sni_fallback_cert) {
gnutls_certificate_free_credentials(ctx->sni_fallback_cert);
ctx->sni_fallback_cert = NULL;
}
#endif
gnutls_dh_params_deinit(ctx->dh_params);
if (NULL != ctx->pin) {
g_string_free(ctx->pin, TRUE);
ctx->pin = NULL;
}
li_gnutls_ocsp_free(ctx->ocsp);
g_slice_free(mod_context, ctx);
}
}
static void
qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds)
{
if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
if (creds->data.client) {
gnutls_anon_free_client_credentials(creds->data.client);
creds->data.client = NULL;
}
} else {
if (creds->data.server) {
gnutls_anon_free_server_credentials(creds->data.server);
creds->data.server = NULL;
}
}
if (creds->parent_obj.dh_params) {
gnutls_dh_params_deinit(creds->parent_obj.dh_params);
creds->parent_obj.dh_params = NULL;
}
}
static void
tlsg_ctx_free ( tls_ctx *ctx )
{
tlsg_ctx *c = (tlsg_ctx *)ctx;
int refcount;
if ( !c ) return;
LDAP_MUTEX_LOCK( &c->ref_mutex );
refcount = --c->refcount;
LDAP_MUTEX_UNLOCK( &c->ref_mutex );
if ( refcount )
return;
gnutls_priority_deinit( c->prios );
gnutls_certificate_free_credentials( c->cred );
if ( c->dh_params )
gnutls_dh_params_deinit( c->dh_params );
ber_memfree ( c );
}
context::~context()
{
if(dh)
gnutls_dh_params_deinit(dh);
if(!xcred)
return;
switch(xtype) {
case GNUTLS_CRD_ANON:
gnutls_anon_free_client_credentials((gnutls_anon_client_credentials_t)xcred);
break;
case GNUTLS_CRD_CERTIFICATE:
gnutls_certificate_free_credentials(xcred);
break;
default:
break;
}
}
/**
* @short Removes the allocated data
* @memberof onion_t
*/
void onion_free(onion *onion){
ONION_DEBUG("Onion free");
#ifdef HAVE_PTHREADS
if (onion->flags&O_THREADS_ENABLED){
int ntries=5;
int c;
for(;ntries--;){
sem_getvalue(&onion->thread_count,&c);
if (c==onion->max_threads){
break;
}
ONION_INFO("Still some petitions on process (%d). Wait a little bit (%d).",c,ntries);
sleep(1);
}
}
#endif
close(onion->listenfd);
if (onion->poller)
onion_poller_free(onion->poller);
if (onion->username)
free(onion->username);
#ifdef HAVE_GNUTLS
if (onion->flags&O_SSL_ENABLED){
gnutls_certificate_free_credentials (onion->x509_cred);
gnutls_dh_params_deinit(onion->dh_params);
gnutls_priority_deinit (onion->priority_cache);
if (!(onion->flags&O_SSL_NO_DEINIT))
gnutls_global_deinit(); // This may cause problems if several characters use the gnutls on the same binary.
}
#endif
if (onion->port)
free(onion->port);
if (onion->hostname)
free(onion->hostname);
onion_server_free(onion->server);
free(onion);
}
void doit(void)
{
gnutls_dh_params_t dh_params = NULL;
int rc;
rc = global_init();
if (rc)
fail("global_init\n");
if (gnutls_dh_params_init(&dh_params) < 0)
fail("Error in dh parameter initialization\n");
if (gnutls_dh_params_generate2(dh_params, 1024) < 0)
fail("Error in prime generation\n");
gnutls_dh_params_deinit(dh_params);
gnutls_global_deinit();
if (debug)
success("generated DH params OK\n");
}
static void
tlsg_ctx_free ( tls_ctx *ctx )
{
tlsg_ctx *c = (tlsg_ctx *)ctx;
int refcount;
if ( !c ) return;
LDAP_MUTEX_LOCK( &c->ref_mutex );
refcount = --c->refcount;
LDAP_MUTEX_UNLOCK( &c->ref_mutex );
if ( refcount )
return;
#ifdef HAVE_CIPHERSUITES
gnutls_priority_deinit( c->prios );
#else
LDAP_FREE( c->kx_list );
#endif
gnutls_certificate_free_credentials( c->cred );
if ( c->dh_params )
gnutls_dh_params_deinit( c->dh_params );
ber_memfree ( c );
}
void
relay_network_end ()
{
if (relay_network_init_ok)
{
#ifdef HAVE_GNUTLS
if (relay_gnutls_priority_cache)
{
gnutls_priority_deinit (*relay_gnutls_priority_cache);
free (relay_gnutls_priority_cache);
relay_gnutls_priority_cache = NULL;
}
if (relay_gnutls_dh_params)
{
gnutls_dh_params_deinit (*relay_gnutls_dh_params);
free (relay_gnutls_dh_params);
relay_gnutls_dh_params = NULL;
}
gnutls_certificate_free_credentials (relay_gnutls_x509_cred);
#endif
relay_network_init_ok = 0;
}
}
/* If how is zero then the included parameters are used.
*/
int generate_prime(FILE * outfile, int how, common_info_st * info)
{
int ret;
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
int bits = get_bits(GNUTLS_PK_DH, info->bits, info->sec_param, 1);
unsigned int q_bits = 0;
gnutls_dh_params_init(&dh_params);
if (how != 0) {
fprintf(stderr, "Generating DH parameters (%d bits)...\n",
bits);
fprintf(stderr, "(might take long time)\n");
} else
fprintf(stderr, "Retrieving DH parameters...\n");
if (how != 0) {
ret = gnutls_dh_params_generate2(dh_params, bits);
if (ret < 0) {
fprintf(stderr,
"Error generating parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_dh_params_export_raw(dh_params, &p, &g,
&q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else {
#ifdef ENABLE_SRP
if (bits <= 1024) {
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
bits = 1024;
} else if (bits <= 1536) {
p = gnutls_srp_1536_group_prime;
g = gnutls_srp_1536_group_generator;
bits = 1536;
} else if (bits <= 2048) {
p = gnutls_srp_2048_group_prime;
g = gnutls_srp_2048_group_generator;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_srp_3072_group_prime;
g = gnutls_srp_3072_group_generator;
bits = 3072;
} else {
p = gnutls_srp_4096_group_prime;
g = gnutls_srp_4096_group_generator;
bits = 4096;
}
ret = gnutls_dh_params_import_raw(dh_params, &p, &g);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#else
fprintf(stderr,
"Parameters unavailable as SRP is disabled.\n");
exit(1);
#endif
}
print_dh_info(outfile, &p, &g, q_bits, info->cprint);
if (!info->cprint) { /* generate a PKCS#3 structure */
size_t len = buffer_size;
ret =
gnutls_dh_params_export_pkcs3(dh_params,
GNUTLS_X509_FMT_PEM,
buffer, &len);
if (ret == 0) {
fprintf(outfile, "\n%s", buffer);
} else {
fprintf(stderr, "Error: %s\n",
gnutls_strerror(ret));
}
}
gnutls_dh_params_deinit(dh_params);
return 0;
}
