Пример #1
0
//general tls stuff-------------------------------------------------------------
static gnutls_session_t initialize_tls_session(bool sServer,
gnutls_srp_client_credentials_t &cClient, const struct sockaddr *aAddress,
socklen_t lLength, const char *aActual)
{
	gnutls_session_t session;

	gnutls_init(&session, sServer? GNUTLS_SERVER : GNUTLS_CLIENT);

	if (use_srp_auth)
	{
	gnutls_priority_set_direct(session, sServer?
	  "NORMAL:+SRP" : "PERFORMANCE:+SRP", NULL);

	if (!sServer)
	set_client_passwd(cClient, aAddress, lLength, aActual);

	gnutls_credentials_set(session, GNUTLS_CRD_SRP, sServer?
	  (void*) srp_server : (void*) cClient);
	}

	else
	{
	gnutls_priority_set_direct(session, sServer?
	  "NORMAL:+ANON-DH" : "PERFORMANCE:+ANON-DH", NULL);
	gnutls_credentials_set(session, GNUTLS_CRD_ANON, credentials);
	}

	gnutls_dh_set_prime_bits(session, 1024);

	gnutls_transport_set_push_function(session, (gnutls_push_func) &write_wrapper);
	gnutls_transport_set_pull_function(session, (gnutls_pull_func) &read_wrapper);

	return session;
}
Пример #2
0
static gnutls_session_t
initialize_tls_session (struct params_res *params)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_priority_set_direct (session, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  if (params->enable_db)
    {
      gnutls_db_set_retrieve_function (session, wrap_db_fetch);
      gnutls_db_set_remove_function (session, wrap_db_delete);
      gnutls_db_set_store_function (session, wrap_db_store);
      gnutls_db_set_ptr (session, NULL);
    }

  if (params->enable_session_ticket_server)
    gnutls_session_ticket_enable_server (session, &session_ticket_key);

  return session;
}
Пример #3
0
bool CTlsSocket::InitSession()
{
	int res = gnutls_init(&m_session, GNUTLS_CLIENT);
	if (res) {
		LogError(res, _T("gnutls_init"));
		Uninit();
		return false;
	}

	// Even though the name gnutls_db_set_cache_expiration
	// implies expiration of some cache, it also governs
	// the actual session lifetime, independend whether the
	// session is cached or not.
	gnutls_db_set_cache_expiration(m_session, 100000000);

	res = gnutls_priority_set_direct(m_session, ciphers, 0);
	if (res) {
		LogError(res, _T("gnutls_priority_set_direct"));
		Uninit();
		return false;
	}

	gnutls_dh_set_prime_bits(m_session, 512);

	gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials);

	// Setup transport functions
	gnutls_transport_set_push_function(m_session, PushFunction);
	gnutls_transport_set_pull_function(m_session, PullFunction);
	gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);

	return true;
}
Пример #4
0
gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;
  const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_set_default_priority (session);
  gnutls_kx_set_priority (session, kx_prio);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  if (TLS_SESSION_CACHE != 0)
    {
      gnutls_db_set_retrieve_function (session, wrap_db_fetch);
      gnutls_db_set_remove_function (session, wrap_db_delete);
      gnutls_db_set_store_function (session, wrap_db_store);
      gnutls_db_set_ptr (session, NULL);
    }

  return session;
}
Пример #5
0
void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
    new_F->type |= RB_FD_SSL;
    new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
    new_F->accept = rb_malloc(sizeof(struct acceptdata));

    new_F->accept->callback = F->accept->callback;
    new_F->accept->data = F->accept->data;
    rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
    memcpy(&new_F->accept->S, st, addrlen);
    new_F->accept->addrlen = addrlen;

    gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
    gnutls_set_default_priority(SSL_P(new_F));
    gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
    gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
    gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
    if (do_ssl_handshake(F, rb_ssl_tryaccept))
    {
        struct acceptdata *ad = F->accept;
        F->accept = NULL;
        ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
        rb_free(ad);
    }
}
Пример #6
0
void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
    struct ssl_connect *sconn;
    if (F == NULL)
        return;

    sconn = rb_malloc(sizeof(struct ssl_connect));
    sconn->data = data;
    sconn->callback = callback;
    sconn->timeout = timeout;
    F->connect = rb_malloc(sizeof(struct conndata));
    F->connect->callback = callback;
    F->connect->data = data;
    F->type |= RB_FD_SSL;
    F->ssl = rb_malloc(sizeof(gnutls_session_t));

    gnutls_init(F->ssl, GNUTLS_CLIENT);
    gnutls_set_default_priority(SSL_P(F));
    gnutls_dh_set_prime_bits(SSL_P(F), 1024);
    gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);

    rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);

    if (do_ssl_handshake(F, rb_ssl_tryconn_cb))
    {
        rb_ssl_connect_realcb(F, RB_OK, sconn);
    }
}
Пример #7
0
static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
    struct ssl_connect *sconn = data;
    if (status != RB_OK)
    {
        rb_ssl_connect_realcb(F, status, sconn);
        return;
    }

    F->type |= RB_FD_SSL;


    rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
    F->ssl = rb_malloc(sizeof(gnutls_session_t));
    gnutls_init(F->ssl, GNUTLS_CLIENT);
    gnutls_set_default_priority(SSL_P(F));
    gnutls_dh_set_prime_bits(SSL_P(F), 1024);
    gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);

    if (do_ssl_handshake(F, rb_ssl_tryconn_cb))
    {
        rb_ssl_connect_realcb(F, RB_OK, sconn);
    }
}
Пример #8
0
         bool gtlsServerData::initSession(gnutls_session_t & _session)
         {
            bool status = true;

            int ret = 0;

            // Create a session.
            ret = gnutls_init (&_session, GNUTLS_SERVER);
            if (ret < 0) { initialized_ = false; }
            // printerror("gnutls_init", ret);

            // Set the default priority.
            ret = gnutls_set_default_priority(_session);
            if (ret < 0) { initialized_ = false; }
            // printerror("gnutls_set_default_priority", ret);

            ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, gtlsglobalserverdata_->cert_cred);
            if (ret < 0) { initialized_ = false; }
            // printerror("gnutls_credentials_set", ret);

            gnutls_certificate_server_set_request(_session, GNUTLS_CERT_REQUEST);

            gnutls_dh_set_prime_bits(_session, gtlsGeneric::GNUTLSIF_DH_BITS);
            // GNUTLS_NOTICE("Created new TLS session with id = " << _session);

            return status;
         }
Пример #9
0
SslSocket::SslSocket(SslDriver *driver, struct ev_loop *loop, int fd, int af) :
	x0::Socket(loop, fd, af),
#ifndef XZERO_NDEBUG
	ctime_(ev_now(loop)),
#endif
	driver_(driver),
	context_(nullptr),
	session_()
{
	TRACE("SslSocket()");

	setSecure(true);
	setState(Handshake);

	GNUTLS_CHECK( gnutls_init(&session_, GNUTLS_SERVER) );

	gnutls_handshake_set_post_client_hello_function(session_, &SslSocket::onClientHello);

	gnutls_certificate_server_set_request(session_, GNUTLS_CERT_REQUEST);
	gnutls_dh_set_prime_bits(session_, 1024);

	gnutls_session_enable_compatibility_mode(session_);

	gnutls_session_set_ptr(session_, this);
	gnutls_transport_set_ptr(session_, reinterpret_cast<gnutls_transport_ptr_t>(handle()));

	driver_->initialize(this);
}
Пример #10
0
static gnutls_session_t
initialize_tls_session (struct params_res *params)
{
  gnutls_session_t session;
  const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_set_default_priority (session);
  gnutls_kx_set_priority (session, kx_prio);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  if (params->enable_db)
    {
      gnutls_db_set_retrieve_function (session, wrap_db_fetch);
      gnutls_db_set_remove_function (session, wrap_db_delete);
      gnutls_db_set_store_function (session, wrap_db_store);
      gnutls_db_set_ptr (session, NULL);
    }
#ifdef ENABLE_SESSION_TICKET
  if (params->enable_session_ticket_server)
    gnutls_session_ticket_enable_server (session, &session_ticket_key);
#endif

  return session;
}
Пример #11
0
void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
    gnutls_session_t *ssl;
    new_F->type |= RB_FD_SSL;
    ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
    new_F->accept = rb_malloc(sizeof(struct acceptdata));

    new_F->accept->callback = cb;
    new_F->accept->data = data;
    rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

    new_F->accept->addrlen = 0;

    gnutls_init(ssl, GNUTLS_SERVER);
    gnutls_set_default_priority(*ssl);
    gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
    gnutls_dh_set_prime_bits(*ssl, 1024);
    gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
    if (do_ssl_handshake(new_F, rb_ssl_tryaccept))
    {
        struct acceptdata *ad = new_F->accept;
        new_F->accept = NULL;
        ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
        rb_free(ad);
    }

}
Пример #12
0
gnutls_session
initialize_tls_session (int sd, char* CN)
{
	int ret;
	gnutls_session session;

	gnutls_init (&session, GNUTLS_SERVER);
	gnutls_set_default_priority (session);
	gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
	gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
	gnutls_dh_set_prime_bits (session, DH_BITS);
	gnutls_transport_set_ptr (session, (gnutls_transport_ptr) GINT_TO_POINTER(sd));
	ret = gnutls_handshake (session);
	if (ret < 0)
	{
		close (sd);
		gnutls_deinit (session);
		quorum_log(LOG_WARNING,"handshake failed");
		return NULL;
	}
	if (verify_certificate(session,CN) < 0) {
		return NULL;
	}
	return session;
}
Пример #13
0
		/** Set up the given session with the settings in this profile
		 */
		void SetupSession(gnutls_session_t sess)
		{
			priority.SetupSession(sess);
			x509cred.SetupSession(sess);
			gnutls_dh_set_prime_bits(sess, min_dh_bits);

			// Request client certificate if we are a server, no-op if we're a client
			gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
		}
Пример #14
0
static gpointer
server_thread (gpointer user_data)
{
	int listener = GPOINTER_TO_INT (user_data), client;
	gnutls_certificate_credentials creds;
	gnutls_session_t session;
	struct sockaddr_in sin;
	int len;
	char buf[BUFSIZE];
	int status;

	gnutls_certificate_allocate_credentials (&creds);
	if (gnutls_certificate_set_x509_key_file (creds,
						  ssl_cert_file, ssl_key_file,
						  GNUTLS_X509_FMT_PEM) != 0) {
		g_error ("Failed to set SSL certificate and key files "
			 "(%s, %s).", ssl_cert_file, ssl_key_file);
	}
	gnutls_certificate_set_dh_params (creds, dh_params);

	/* Create a new session */
	gnutls_init (&session, GNUTLS_SERVER);
	gnutls_set_default_priority (session);
	gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, creds);
	gnutls_dh_set_prime_bits (session, DH_BITS);

	/* Wait for client thread to connect */
	len = sizeof (sin);
	client = accept (listener, (struct sockaddr *) &sin, (void *)&len);
	gnutls_transport_set_ptr (session, GINT_TO_POINTER (client));

	/* Initial handshake */
	status = gnutls_handshake (session);
	if (status < 0)
		g_error ("initial handshake failed: %d", status);

	/* Synchronous client test. */
	server_read (session, buf, BUFSIZE);
	server_write (session, buf, BUFSIZE);

	/* Async client test. */
	server_read (session, buf, BUFSIZE);
	server_write (session, buf, BUFSIZE);

	/* That's all, folks. */
	gnutls_bye (session, GNUTLS_SHUT_WR);
	gnutls_deinit (session);
	close (client);
	gnutls_certificate_free_credentials (creds);

	return NULL;
}
Пример #15
0
/* initializes a gnutls_session with some defaults.
 */
static gnutls_session
init_tls_session (const char *hostname)
{
  gnutls_session session;

  gnutls_init (&session, GNUTLS_CLIENT);

  /* allow the use of private ciphersuites.
   */
  if (disable_extensions == 0)
    {
      gnutls_handshake_set_private_extensions (session, 1);
      gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
			      strlen (hostname));
      gnutls_certificate_type_set_priority (session, cert_type_priority);
    }

  gnutls_cipher_set_priority (session, cipher_priority);
  gnutls_compression_set_priority (session, comp_priority);
  gnutls_kx_set_priority (session, kx_priority);
  gnutls_protocol_set_priority (session, protocol_priority);
  gnutls_mac_set_priority (session, mac_priority);


  gnutls_dh_set_prime_bits (session, 512);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
  gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
  gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);

  gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);

  /* send the fingerprint */
  if (fingerprint != 0)
    gnutls_openpgp_send_key (session, GNUTLS_OPENPGP_KEY_FINGERPRINT);

  /* use the max record size extension */
  if (record_max_size > 0 && disable_extensions == 0)
    {
      if (gnutls_record_set_max_size (session, record_max_size) < 0)
	{
	  fprintf (stderr,
		   "Cannot set the maximum record size to %d.\n",
		   record_max_size);
	  fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
	  exit (1);
	}
    }

  return session;
}
Пример #16
0
void anon_tls_server (evcom_stream *stream)
{
  gnutls_session_t session;
  stream->data = session;

  int r = gnutls_init(&session, GNUTLS_SERVER);
  assert(r == 0);
  gnutls_set_default_priority(session);
  gnutls_kx_set_priority (session, kx_prio);
  gnutls_credentials_set(session, GNUTLS_CRD_ANON, server_credentials);
  gnutls_dh_set_prime_bits(session, DH_BITS);

  evcom_stream_set_secure_session(stream, session);
}
Пример #17
0
static bool
ConnSSL_Init_SSL(CONNECTION *c)
{
	int ret;
	assert(c != NULL);
#ifdef HAVE_LIBSSL
	if (!ssl_ctx) {
		Log(LOG_ERR, "Cannot init ssl_ctx: OpenSSL initialization failed at startup");
		return false;
	}
	assert(c->ssl_state.ssl == NULL);

	c->ssl_state.ssl = SSL_new(ssl_ctx);
	if (!c->ssl_state.ssl) {
		LogOpenSSLError("SSL_new()", NULL);
		return false;
	}

	ret = SSL_set_fd(c->ssl_state.ssl, c->sock);
	if (ret != 1) {
		LogOpenSSLError("SSL_set_fd()", NULL);
		ConnSSL_Free(c);
		return false;
	}
#endif
#ifdef HAVE_LIBGNUTLS
	ret = gnutls_set_default_priority(c->ssl_state.gnutls_session);
	if (ret < 0) {
		Log(LOG_ERR, "gnutls_set_default_priority: %s", gnutls_strerror(ret));
		ConnSSL_Free(c);
		return false;
	}
	/*
	 * The intermediate (long) cast is here to avoid a warning like:
	 * "cast to pointer from integer of different size" on 64-bit platforms.
	 * There doesn't seem to be an alternate GNUTLS API we could use instead, see e.g.
	 * http://www.mail-archive.com/[email protected]/msg00286.html
	 */
	gnutls_transport_set_ptr(c->ssl_state.gnutls_session, (gnutls_transport_ptr_t) (long) c->sock);
	ret = gnutls_credentials_set(c->ssl_state.gnutls_session, GNUTLS_CRD_CERTIFICATE, x509_cred);
	if (ret < 0) {
		Log(LOG_ERR, "gnutls_credentials_set: %s", gnutls_strerror(ret));
		ConnSSL_Free(c);
		return false;
	}
	gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN);
#endif
	Conn_OPTION_ADD(c, CONN_SSL);
	return true;
}
Пример #18
0
  void GnuTlsStream::handshake(const GnuTlsServer& server)
  {
    log_debug("gnutls_init(session, GNUTLS_SERVER)");
    int ret = gnutls_init(&_session, GNUTLS_SERVER);
    if (ret != 0)
      throw GnuTlsException("gnutls_init", ret);

    log_debug("gnutls_set_default_priority");
    ret = gnutls_set_default_priority(_session);
    if (ret != 0)
      throw GnuTlsException("gnutls_set_default_priority", ret);

    log_debug("gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, "
      << server.getCred() << ')');
    ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, server.getCred());
    if (ret != 0)
      throw GnuTlsException("gnutls_credentials_set", ret);

    log_debug("gnutls_dh_set_prime_bits(session, 1024)");
    gnutls_dh_set_prime_bits(_session, 1024);

    _fdInfo.fd = getFd();
    _fdInfo.timeout = getTimeout();

    log_debug("gnutls_transport_set_ptr(ptr)");
    gnutls_transport_set_ptr(_session, static_cast<gnutls_transport_ptr_t>(&_fdInfo));

    log_debug("gnutls_transport_set_pull_function()");
    gnutls_transport_set_pull_function(_session, pull_func);

    log_debug("gnutls_transport_set_push_function()");
    gnutls_transport_set_push_function(_session, push_func);

    // non-blocking/with timeout

    _fdInfo.timeout = 10000;

    log_debug("gnutls_handshake");
    ret = gnutls_handshake(_session);
    log_debug("gnutls_handshake => " << ret);

    if (ret != 0)
      throw GnuTlsException("gnutls_handshake", ret);

    _connected = true;
    _fdInfo.timeout = getTimeout();

    log_debug("ssl-handshake was completed");
  }
Пример #19
0
         gtlsClientData::gtlsClientData(std::string const& _caFile,
                                        std::string const& _certFile,
                                        std::string const& _keyFile)
         {
            int ret = 0;

            gnutls_global_set_log_level(loglevel);
            gnutls_global_set_log_function(gtlsGeneric::logCallback);

            gnutls_certificate_allocate_credentials(&cred_);
            // GNUTLS_NOTICE("Allocted credentials");
            // Add the certificate authority used.
            // GNUTLS_NOTICE("Setting CA, file='" << _caFile << "'");
            ret = gnutls_certificate_set_x509_trust_file(cred_, _caFile.c_str(), GNUTLS_X509_FMT_PEM);
            // printerror("gnutls_certificate_set_x509_trust_file", ret);
            // GNUTLS_NOTICE("Processed " << ret << " certificates.");

            // Set the cert and private key.
            // Set the certificate and priate key pair.
            // GNUTLS_NOTICE("Setting certificate, file='" << _certFile << "'");
            // GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'");

            ret = gnutls_certificate_set_x509_key_file(cred_,
                                                       _certFile.c_str(),
                                                       _keyFile.c_str(),
                                                       GNUTLS_X509_FMT_PEM);
            // printerror("gnutls_certificate_set_x509_key_file", ret);

            // GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s).");

            ret = gnutls_init(&session_, GNUTLS_CLIENT);
            // printerror("gnutls_init", ret);

            ret = gnutls_set_default_priority(session_);
            // printerror("gnutls_set_default_priority", ret);

            gnutls_dh_set_prime_bits(session_, gtlsGeneric::GNUTLSIF_DH_BITS);

            const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 };
            ret = gnutls_certificate_type_set_priority(session_,
                                                       cert_type_priority);
            // printerror("gnutls_certificate_type_set_priority", ret);

            ret = gnutls_credentials_set(session_,
                                         GNUTLS_CRD_CERTIFICATE,
                                         cred_);

            // printerror("gnutls_credentials_set", ret);
         }
Пример #20
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  gnutls_priority_set_direct (session, "NORMAL:+ANON-DH", NULL);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  return session;
}
Пример #21
0
void ssl_init(struct sockifo* ifo, const char* key, const char* cert, const char* ca, int server) {
	int rv;
	rv = gnutls_certificate_allocate_credentials(&ifo->xcred);
	if (rv < 0) goto out_err;
	if (cert && *cert) {
		rv = gnutls_certificate_set_x509_key_file(ifo->xcred, cert, key, GNUTLS_X509_FMT_PEM);
		if (rv < 0) goto out_err_cred;
	}
	if (ca && *ca) {
		if (!access(ca, R_OK)) {
			ifo->state.ssl_verify_type = VERIFY_CA;
			rv = gnutls_certificate_set_x509_trust_file(ifo->xcred, ca, GNUTLS_X509_FMT_PEM);
			if (rv < 0) goto out_err_cred;
		} else {
			ifo->state.ssl_verify_type = VERIFY_FP;
			ifo->fingerprint = strdup(ca);
		}
	}
	gnutls_certificate_set_dh_params(ifo->xcred, dh_params);
	rv = gnutls_init(&ifo->ssl, server ? GNUTLS_SERVER : GNUTLS_CLIENT);
	if (rv < 0) goto out_err_cred;
	rv = gnutls_set_default_priority(ifo->ssl);
	if (rv < 0) goto out_err_all;
	rv = gnutls_credentials_set(ifo->ssl, GNUTLS_CRD_CERTIFICATE, ifo->xcred);
	if (rv < 0) goto out_err_all;

	if (server) {
		gnutls_dh_set_prime_bits(ifo->ssl, 1024);
		gnutls_certificate_server_set_request(ifo->ssl, GNUTLS_CERT_REQUEST);
	}

	gnutls_transport_set_ptr(ifo->ssl, (gnutls_transport_ptr_t)(long) ifo->fd);

	ifo->state.ssl = SSL_HSHK;
	if (!ifo->state.connpend)
		ssl_handshake(ifo);
	return;

out_err_all:
	gnutls_deinit(ifo->ssl);
out_err_cred:
	gnutls_certificate_free_credentials(ifo->xcred);
	if (ifo->fingerprint)
		free(ifo->fingerprint);
out_err:
	esock(ifo, gnutls_strerror(rv));
}
Пример #22
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  gnutls_priority_set_direct (session, "NORMAL", NULL);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  return session;
}
Пример #23
0
static gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;
  const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_set_default_priority (session);
  gnutls_kx_set_priority (session, kx_prio);

  gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  return session;
}
Пример #24
0
	void InitSession(StreamSocket* user, bool me_server)
	{
		issl_session* session = &sessions[user->GetFd()];

		gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT);
		session->socket = user;

		#ifdef GNUTLS_NEW_PRIO_API
		gnutls_priority_set(session->sess, priority);
		#endif
		gnutls_credentials_set(session->sess, GNUTLS_CRD_CERTIFICATE, x509_cred);
		gnutls_dh_set_prime_bits(session->sess, dh_bits);
		gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session));
		gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper);
		gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper);

		if (me_server)
			gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any.

		Handshake(session, user);
	}
Пример #25
0
gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&session, GNUTLS_SERVER);

  /* avoid calling all the priority functions, since the defaults
   * are adequate.
   */
  gnutls_set_default_priority (session);

  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

  gnutls_dh_set_prime_bits (session, DH_BITS);

  return session;
}
Пример #26
0
static gnutls_session_t initialize_tls_session(void)
{
	gnutls_session_t session;

	gnutls_init(&session, GNUTLS_SERVER);

	/* avoid calling all the priority functions, since the defaults
	 * are adequate.
	 */
	gnutls_priority_set_direct(session, "NORMAL", NULL);

	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);

	/* request client certificate if any.
	   Moved to later on to be able to test re-handshakes.
	   gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
	 */

	gnutls_dh_set_prime_bits(session, DH_BITS);

	return session;
}
Пример #27
0
static gnutls_session_t initialize_tls_session(void)
{
	gnutls_session_t session;

	gnutls_init(&session, GNUTLS_SERVER);

	/* avoid calling all the priority functions, since the defaults
	 * are adequate.
	 */
	gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL);

	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred);

	/* request client certificate if any.
	 */
	gnutls_certificate_server_set_request(session,
					      GNUTLS_CERT_REQUEST);

	gnutls_dh_set_prime_bits(session, DH_BITS);

	return session;
}
Пример #28
0
  bool GnuTLSServerAnon::init( const std::string&,
                               const std::string&,
                               const StringList& )
  {
    const int protocolPriority[] = { GNUTLS_TLS1, 0 };
    const int kxPriority[]       = { GNUTLS_KX_ANON_DH, 0 };
    const int cipherPriority[]   = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
                                     GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
    const int compPriority[]     = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
    const int macPriority[]      = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };

    if( m_initLib && gnutls_global_init() != 0 )
      return false;

    if( gnutls_anon_allocate_server_credentials( &m_anoncred ) < 0 )
      return false;

    generateDH();
    gnutls_anon_set_server_dh_params( m_anoncred, m_dhParams );

    if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 )
      return false;

    gnutls_protocol_set_priority( *m_session, protocolPriority );
    gnutls_cipher_set_priority( *m_session, cipherPriority );
    gnutls_compression_set_priority( *m_session, compPriority );
    gnutls_kx_set_priority( *m_session, kxPriority );
    gnutls_mac_set_priority( *m_session, macPriority );
    gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred );

    gnutls_dh_set_prime_bits( *m_session, m_dhBits );

    gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this );
    gnutls_transport_set_push_function( *m_session, pushFunc );
    gnutls_transport_set_pull_function( *m_session, pullFunc );

    m_valid = true;
    return true;
  }
Пример #29
0
void
doit (void)
{
  /* Server stuff. */
  gnutls_anon_server_credentials_t s_anoncred;
  const gnutls_datum_t p3 = { (void *) pkcs3, strlen (pkcs3) };
  static gnutls_dh_params_t dh_params;
  gnutls_session_t server;
  int sret, cret;
  /* Client stuff. */
  gnutls_anon_client_credentials_t c_anoncred;
  gnutls_session_t client;
  /* Need to enable anonymous KX specifically. */
  char buffer[MAX_BUF + 1];
  ssize_t ns;
  int ret, transferred = 0, msglen;

  /* General init. */
  gnutls_global_init ();
  gnutls_global_set_log_function (tls_log_func);
  if (debug)
    gnutls_global_set_log_level (99);

  /* Init server */
  gnutls_anon_allocate_server_credentials (&s_anoncred);
  gnutls_dh_params_init (&dh_params);
  gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
  gnutls_anon_set_server_dh_params (s_anoncred, dh_params);
  gnutls_init (&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK);
  ret = gnutls_priority_set_direct (server, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
  if (ret < 0)
    exit(1);
  gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred);
  gnutls_dh_set_prime_bits (server, 1024);
  gnutls_transport_set_push_function (server, server_push);
  gnutls_transport_set_pull_function (server, server_pull);
  gnutls_transport_set_pull_timeout_function (server, server_pull_timeout_func);
  gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server);

  /* Init client */
  gnutls_anon_allocate_client_credentials (&c_anoncred);
  gnutls_init (&client, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK);
  cret = gnutls_priority_set_direct (client, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL);
  if (cret < 0)
    exit(1);
  gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred);
  gnutls_transport_set_push_function (client, client_push);
  gnutls_transport_set_pull_function (client, client_pull);
  gnutls_transport_set_pull_timeout_function (client, client_pull_timeout_func);
  gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client);

  handshake = 1;
  HANDSHAKE(client, server);

  handshake = 0;
  if (debug)
    success ("Handshake established\n");

  do
    {
      ret = gnutls_record_send (client, MSG, strlen (MSG));
    }
  while(ret == GNUTLS_E_AGAIN);
  //success ("client: sent %d\n", ns);

  msglen = strlen(MSG);
  TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF);

  if (debug)
    fputs ("\n", stdout);

  gnutls_bye (client, GNUTLS_SHUT_WR);
  gnutls_bye (server, GNUTLS_SHUT_WR);

  gnutls_deinit (client);
  gnutls_deinit (server);

  gnutls_anon_free_client_credentials (c_anoncred);
  gnutls_anon_free_server_credentials (s_anoncred);

  gnutls_dh_params_deinit (dh_params);

  gnutls_global_deinit ();
}
Пример #30
0
/* tls_negotiate: After TLS state has been initialised, attempt to negotiate
 *   TLS over the wire, including certificate checks. */
static int tls_negotiate (CONNECTION * conn)
{
  tlssockdata *data;
  int err;
  size_t nproto = 0; /* number of tls/ssl protocols */

  data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata));
  conn->sockdata = data;
  err = gnutls_certificate_allocate_credentials (&data->xcred);
  if (err < 0)
  {
    FREE(&conn->sockdata);
    mutt_error ("gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err));
    mutt_sleep (2);
    return -1;
  }

  gnutls_certificate_set_x509_trust_file (data->xcred, SslCertFile,
					  GNUTLS_X509_FMT_PEM);
  /* ignore errors, maybe file doesn't exist yet */

  if (SslCACertFile)
  {
    gnutls_certificate_set_x509_trust_file (data->xcred, SslCACertFile,
                                            GNUTLS_X509_FMT_PEM);
  }

  if (SslClientCert)
  {
    dprint (2, (debugfile, "Using client certificate %s\n", SslClientCert));
    gnutls_certificate_set_x509_key_file (data->xcred, SslClientCert,
                                          SslClientCert, GNUTLS_X509_FMT_PEM);
  }

#if HAVE_DECL_GNUTLS_VERIFY_DISABLE_TIME_CHECKS
  /* disable checking certificate activation/expiration times
     in gnutls, we do the checks ourselves */
  gnutls_certificate_set_verify_flags(data->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
#endif

  if ((err = gnutls_init(&data->state, GNUTLS_CLIENT)))
  {
    mutt_error ("gnutls_handshake: %s", gnutls_strerror(err));
    mutt_sleep (2);
    goto fail;
  }

  /* set socket */
  gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd);

  if (option(OPTTLSV1_2))
    protocol_priority[nproto++] = GNUTLS_TLS1_2;
  if (option(OPTTLSV1_1))
    protocol_priority[nproto++] = GNUTLS_TLS1_1;
  if (option(OPTTLSV1))
    protocol_priority[nproto++] = GNUTLS_TLS1;
  if (option(OPTSSLV3))
    protocol_priority[nproto++] = GNUTLS_SSL3;
  protocol_priority[nproto] = 0;

  /* disable TLS/SSL protocols as needed */
  if (nproto == 0)
  {
    mutt_error (_("All available protocols for TLS/SSL connection disabled"));
    goto fail;
  }
  /*
  else
    use the list set above
  */

  /* We use default priorities (see gnutls documentation),
     except for protocol version */
  gnutls_set_default_priority (data->state);
  gnutls_protocol_set_priority (data->state, protocol_priority);

  if (SslDHPrimeBits > 0)
  {
    gnutls_dh_set_prime_bits (data->state, SslDHPrimeBits);
  }

/*
  gnutls_set_cred (data->state, GNUTLS_ANON, NULL);
*/

  gnutls_credentials_set (data->state, GNUTLS_CRD_CERTIFICATE, data->xcred);

  err = gnutls_handshake(data->state);

  while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED)
  {
    err = gnutls_handshake(data->state);
  }
  if (err < 0) {
    if (err == GNUTLS_E_FATAL_ALERT_RECEIVED)
    {
      mutt_error("gnutls_handshake: %s(%s)", gnutls_strerror(err),
		 gnutls_alert_get_name(gnutls_alert_get(data->state)));
    }
    else
    {
      mutt_error("gnutls_handshake: %s", gnutls_strerror(err));
    }
    mutt_sleep (2);
    goto fail;
  }

  if (!tls_check_certificate(conn))
    goto fail;

  /* set Security Strength Factor (SSF) for SASL */
  /* NB: gnutls_cipher_get_key_size() returns key length in bytes */
  conn->ssf = gnutls_cipher_get_key_size (gnutls_cipher_get (data->state)) * 8;

  tls_get_client_cert (conn);

  if (!option(OPTNOCURSES)) {
    mutt_message (_("SSL/TLS connection using %s (%s/%s/%s)"),
                  gnutls_protocol_get_name (gnutls_protocol_get_version (data->state)),
                  gnutls_kx_get_name (gnutls_kx_get (data->state)),
                  gnutls_cipher_get_name (gnutls_cipher_get (data->state)),
                  gnutls_mac_get_name (gnutls_mac_get (data->state)));
    mutt_sleep (0);
  }

  return 0;

 fail:
  gnutls_certificate_free_credentials (data->xcred);
  gnutls_deinit (data->state);
  FREE(&conn->sockdata);
  return -1;
}