/** * @short Initializes a connection on a request * @memberof onion_https_t * * Do the accept of the request, and the SSL handshake. * * @param req The request * @returns <0 in case of error. */ static int onion_https_request_init(onion_request *req){ onion_listen_point_request_init_from_socket(req); onion_https *https=(onion_https*)req->connection.listen_point->user_data; ONION_DEBUG("Accept new request, fd %d",req->connection.fd); gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set (session, https->priority_cache); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, https->x509_cred); /* Set maximum compatibility mode. This is only suggested on public webservers * that need to trade security for compatibility */ gnutls_session_enable_compatibility_mode (session); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t)(long) req->connection.fd); int ret; do{ ret = gnutls_handshake (session); }while (ret < 0 && gnutls_error_is_fatal (ret) == 0); if (ret<0){ // could not handshake. assume an error. ONION_ERROR("Handshake has failed (%s)", gnutls_strerror (ret)); gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit(session); onion_listen_point_request_close_socket(req); return -1; } req->connection.user_data=(void*)session; return 0; }
/// Initializes GNUTLS session on the given socket. static gnutls_session_t onion_prepare_gnutls_session(onion *o, int clientfd){ gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set (session, o->priority_cache); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, o->x509_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); /* Set maximum compatibility mode. This is only suggested on public webservers * that need to trade security for compatibility */ gnutls_session_enable_compatibility_mode (session); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t)(long) clientfd); int ret; int n_tries=0; do{ ret = gnutls_handshake (session); if (n_tries++>10) // Ok, dont abuse the system. Maybe trying to DoS me? break; }while (ret<0 && gnutls_error_is_fatal(ret)==0); if (ret<0){ // could not handshake. assume an error. ONION_ERROR("Handshake has failed (%s)", gnutls_strerror (ret)); gnutls_deinit (session); return NULL; } return session; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_CLIENT); int data_length=0;//hard-coding this length assuming 4 proxies already exist in the connection. void *data=malloc(80); /*printf("Existing Proxy_Info retrived by proxy from outgoing TLS connection\n"); for(int i=0;i<data_length;i+=4){ int random_num=rand()%20; printf("%u ",random_num); if((i-1)%5==0&&i!=0) printf("\n"); memcpy(data+i,&random_num,sizeof(int)); } */ gnutls_proxyinfo_set (session, GNUTLS_NAME_DNS, "karthikmihir",strlen("karthikmihir"),data,data_length,0); gnutls_priority_set (session, priority_cache); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); /* Set maximum compatibility mode. This is only suggested on public webservers * that need to trade security for compatibility */ gnutls_session_enable_compatibility_mode (session); return session; }
SslSocket::SslSocket(SslDriver *driver, struct ev_loop *loop, int fd, int af) : x0::Socket(loop, fd, af), #ifndef XZERO_NDEBUG ctime_(ev_now(loop)), #endif driver_(driver), context_(nullptr), session_() { TRACE("SslSocket()"); setSecure(true); setState(Handshake); GNUTLS_CHECK( gnutls_init(&session_, GNUTLS_SERVER) ); gnutls_handshake_set_post_client_hello_function(session_, &SslSocket::onClientHello); gnutls_certificate_server_set_request(session_, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits(session_, 1024); gnutls_session_enable_compatibility_mode(session_); gnutls_session_set_ptr(session_, this); gnutls_transport_set_ptr(session_, reinterpret_cast<gnutls_transport_ptr_t>(handle())); driver_->initialize(this); }
static int rfbssl_init_session(struct rfbssl_ctx *ctx, int fd) { gnutls_session_t session; int ret; if (!GNUTLS_E_SUCCESS == (ret = gnutls_init(&session, GNUTLS_SERVER))) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_priority_set_direct(session, "EXPORT", NULL))) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred))) { /* */ } else { gnutls_session_enable_compatibility_mode(session); gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)fd); ctx->session = session; } return ret; }
gnutls_session_t context::session(context *ctx) { SSL ssl = NULL; if(ctx && ctx->xcred && ctx->err() == secure::OK) { gnutls_init(&ssl, ctx->connect); switch(ctx->connect) { case GNUTLS_CLIENT: gnutls_priority_set_direct(ssl, "PERFORMANCE", NULL); break; case GNUTLS_SERVER: gnutls_priority_set(ssl, context::priority_cache); gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST); gnutls_session_enable_compatibility_mode(ssl); default: break; } gnutls_credentials_set(ssl, ctx->xtype, ctx->xcred); } return ssl; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set (session, priority_cache); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); /* Set maximum compatibility mode. This is only suggested on public webservers * that need to trade security for compatibility */ gnutls_session_enable_compatibility_mode (session); return session; }
static gnutls_session tls_session_init(int side, uschar *expciphers, uschar *expmac, uschar *expkx, uschar *expproto) { gnutls_session session; gnutls_init(&session, side); /* Initialize the lists of permitted protocols, key-exchange methods, ciphers, and MACs. */ memcpy(cipher_priority, default_cipher_priority, sizeof(cipher_priority)); memcpy(mac_priority, default_mac_priority, sizeof(mac_priority)); memcpy(kx_priority, default_kx_priority, sizeof(kx_priority)); memcpy(proto_priority, default_proto_priority, sizeof(proto_priority)); /* The names OpenSSL uses in tls_require_ciphers are of the form DES-CBC3-SHA, using hyphen separators. GnuTLS uses underscore separators. So that I can use either form for tls_require_ciphers in my tests, and also for general convenience, we turn hyphens into underscores before scanning the list. */ if (expciphers != NULL) { uschar *s = expciphers; while (*s != 0) { if (*s == '-') *s = '_'; s++; } } if ((expciphers != NULL && !set_priority(cipher_priority, sizeof(cipher_priority)/sizeof(int), expciphers, cipher_index, sizeof(cipher_index)/sizeof(pri_item), US"cipher")) || (expmac != NULL && !set_priority(mac_priority, sizeof(mac_priority)/sizeof(int), expmac, mac_index, sizeof(mac_index)/sizeof(pri_item), US"MAC")) || (expkx != NULL && !set_priority(kx_priority, sizeof(kx_priority)/sizeof(int), expkx, kx_index, sizeof(kx_index)/sizeof(pri_item), US"key-exchange")) || (expproto != NULL && !set_priority(proto_priority, sizeof(proto_priority)/sizeof(int), expproto, proto_index, sizeof(proto_index)/sizeof(pri_item), US"protocol"))) { gnutls_deinit(session); return NULL; } /* Define the various priorities */ gnutls_cipher_set_priority(session, cipher_priority); gnutls_compression_set_priority(session, comp_priority); gnutls_kx_set_priority(session, kx_priority); gnutls_protocol_set_priority(session, proto_priority); gnutls_mac_set_priority(session, mac_priority); gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_dh_set_prime_bits(session, DH_BITS); /* Request or demand a certificate of the peer, as configured. This will happen only in a server. */ if (verify_requirement != VERIFY_NONE) gnutls_certificate_server_set_request(session, (verify_requirement == VERIFY_OPTIONAL)? GNUTLS_CERT_REQUEST : GNUTLS_CERT_REQUIRE); gnutls_db_set_cache_expiration(session, ssl_session_timeout); /* Reduce security in favour of increased compatibility, if the admin decides to make that trade-off. */ if (gnutls_compat_mode) { #if LIBGNUTLS_VERSION_NUMBER >= 0x020104 DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n"); gnutls_session_enable_compatibility_mode(session); #else DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n"); #endif } DEBUG(D_tls) debug_printf("initialized GnuTLS session\n"); return session; }