/**
* @short Initializes a connection on a request
* @memberof onion_https_t
*
* Do the accept of the request, and the SSL handshake.
*
* @param req The request
* @returns <0 in case of error.
*/
static int onion_https_request_init(onion_request *req){
onion_listen_point_request_init_from_socket(req);
onion_https *https=(onion_https*)req->connection.listen_point->user_data;
ONION_DEBUG("Accept new request, fd %d",req->connection.fd);
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, https->priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, https->x509_cred);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t)(long) req->connection.fd);
int ret;
do{
ret = gnutls_handshake (session);
}while (ret < 0 && gnutls_error_is_fatal (ret) == 0);
if (ret<0){ // could not handshake. assume an error.
ONION_ERROR("Handshake has failed (%s)", gnutls_strerror (ret));
gnutls_bye (session, GNUTLS_SHUT_WR);
gnutls_deinit(session);
onion_listen_point_request_close_socket(req);
return -1;
}
req->connection.user_data=(void*)session;
return 0;
}
/// Initializes GNUTLS session on the given socket.
static gnutls_session_t onion_prepare_gnutls_session(onion *o, int clientfd){
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, o->priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, o->x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t)(long) clientfd);
int ret;
int n_tries=0;
do{
ret = gnutls_handshake (session);
if (n_tries++>10) // Ok, dont abuse the system. Maybe trying to DoS me?
break;
}while (ret<0 && gnutls_error_is_fatal(ret)==0);
if (ret<0){ // could not handshake. assume an error.
ONION_ERROR("Handshake has failed (%s)", gnutls_strerror (ret));
gnutls_deinit (session);
return NULL;
}
return session;
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_CLIENT);
int data_length=0;//hard-coding this length assuming 4 proxies already exist in the connection.
void *data=malloc(80);
/*printf("Existing Proxy_Info retrived by proxy from outgoing TLS connection\n");
for(int i=0;i<data_length;i+=4){
int random_num=rand()%20;
printf("%u ",random_num);
if((i-1)%5==0&&i!=0)
printf("\n");
memcpy(data+i,&random_num,sizeof(int));
}
*/
gnutls_proxyinfo_set (session, GNUTLS_NAME_DNS, "karthikmihir",strlen("karthikmihir"),data,data_length,0);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
return session;
}
SslSocket::SslSocket(SslDriver *driver, struct ev_loop *loop, int fd, int af) :
x0::Socket(loop, fd, af),
#ifndef XZERO_NDEBUG
ctime_(ev_now(loop)),
#endif
driver_(driver),
context_(nullptr),
session_()
{
TRACE("SslSocket()");
setSecure(true);
setState(Handshake);
GNUTLS_CHECK( gnutls_init(&session_, GNUTLS_SERVER) );
gnutls_handshake_set_post_client_hello_function(session_, &SslSocket::onClientHello);
gnutls_certificate_server_set_request(session_, GNUTLS_CERT_REQUEST);
gnutls_dh_set_prime_bits(session_, 1024);
gnutls_session_enable_compatibility_mode(session_);
gnutls_session_set_ptr(session_, this);
gnutls_transport_set_ptr(session_, reinterpret_cast<gnutls_transport_ptr_t>(handle()));
driver_->initialize(this);
}
static int rfbssl_init_session(struct rfbssl_ctx *ctx, int fd)
{
gnutls_session_t session;
int ret;
if (!GNUTLS_E_SUCCESS == (ret = gnutls_init(&session, GNUTLS_SERVER))) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_priority_set_direct(session, "EXPORT", NULL))) {
/* */
} else if (!GNUTLS_E_SUCCESS == (ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred))) {
/* */
} else {
gnutls_session_enable_compatibility_mode(session);
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)fd);
ctx->session = session;
}
return ret;
}
gnutls_session_t context::session(context *ctx)
{
SSL ssl = NULL;
if(ctx && ctx->xcred && ctx->err() == secure::OK) {
gnutls_init(&ssl, ctx->connect);
switch(ctx->connect) {
case GNUTLS_CLIENT:
gnutls_priority_set_direct(ssl, "PERFORMANCE", NULL);
break;
case GNUTLS_SERVER:
gnutls_priority_set(ssl, context::priority_cache);
gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
gnutls_session_enable_compatibility_mode(ssl);
default:
break;
}
gnutls_credentials_set(ssl, ctx->xtype, ctx->xcred);
}
return ssl;
}
static gnutls_session_t
initialize_tls_session (void)
{
gnutls_session_t session;
gnutls_init (&session, GNUTLS_SERVER);
gnutls_priority_set (session, priority_cache);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
/* request client certificate if any.
*/
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
/* Set maximum compatibility mode. This is only suggested on public webservers
* that need to trade security for compatibility
*/
gnutls_session_enable_compatibility_mode (session);
return session;
}
static gnutls_session
tls_session_init(int side, uschar *expciphers, uschar *expmac, uschar *expkx,
uschar *expproto)
{
gnutls_session session;
gnutls_init(&session, side);
/* Initialize the lists of permitted protocols, key-exchange methods, ciphers,
and MACs. */
memcpy(cipher_priority, default_cipher_priority, sizeof(cipher_priority));
memcpy(mac_priority, default_mac_priority, sizeof(mac_priority));
memcpy(kx_priority, default_kx_priority, sizeof(kx_priority));
memcpy(proto_priority, default_proto_priority, sizeof(proto_priority));
/* The names OpenSSL uses in tls_require_ciphers are of the form DES-CBC3-SHA,
using hyphen separators. GnuTLS uses underscore separators. So that I can use
either form for tls_require_ciphers in my tests, and also for general
convenience, we turn hyphens into underscores before scanning the list. */
if (expciphers != NULL)
{
uschar *s = expciphers;
while (*s != 0) { if (*s == '-') *s = '_'; s++; }
}
if ((expciphers != NULL &&
!set_priority(cipher_priority, sizeof(cipher_priority)/sizeof(int),
expciphers, cipher_index, sizeof(cipher_index)/sizeof(pri_item),
US"cipher")) ||
(expmac != NULL &&
!set_priority(mac_priority, sizeof(mac_priority)/sizeof(int),
expmac, mac_index, sizeof(mac_index)/sizeof(pri_item),
US"MAC")) ||
(expkx != NULL &&
!set_priority(kx_priority, sizeof(kx_priority)/sizeof(int),
expkx, kx_index, sizeof(kx_index)/sizeof(pri_item),
US"key-exchange")) ||
(expproto != NULL &&
!set_priority(proto_priority, sizeof(proto_priority)/sizeof(int),
expproto, proto_index, sizeof(proto_index)/sizeof(pri_item),
US"protocol")))
{
gnutls_deinit(session);
return NULL;
}
/* Define the various priorities */
gnutls_cipher_set_priority(session, cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
gnutls_kx_set_priority(session, kx_priority);
gnutls_protocol_set_priority(session, proto_priority);
gnutls_mac_set_priority(session, mac_priority);
gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_dh_set_prime_bits(session, DH_BITS);
/* Request or demand a certificate of the peer, as configured. This will
happen only in a server. */
if (verify_requirement != VERIFY_NONE)
gnutls_certificate_server_set_request(session,
(verify_requirement == VERIFY_OPTIONAL)?
GNUTLS_CERT_REQUEST : GNUTLS_CERT_REQUIRE);
gnutls_db_set_cache_expiration(session, ssl_session_timeout);
/* Reduce security in favour of increased compatibility, if the admin
decides to make that trade-off. */
if (gnutls_compat_mode)
{
#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
gnutls_session_enable_compatibility_mode(session);
#else
DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
#endif
}
DEBUG(D_tls) debug_printf("initialized GnuTLS session\n");
return session;
}
