/**
* Enables SSL for the given connection.
*
* @param connection The connection to enable SSL for.
*
* @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection
* is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when
* SSL initialization, setup, or handshake fails.
*/
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_global_init();
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback);
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert);
if (uerr != USERPREF_E_SUCCESS) {
debug_info("Error %d when loading keys and certificates! %d", uerr);
}
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno)
debug_info("WARN: errno says %s before handshake!", strerror(errno));
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
return ret;
}
/* Duplicate a client certificate, which must be in the decrypted state. */
static ne_ssl_client_cert *dup_client_cert(const ne_ssl_client_cert *cc)
{
int ret;
ne_ssl_client_cert *newcc = ne_calloc(sizeof *newcc);
newcc->decrypted = 1;
if (cc->keyless) {
newcc->keyless = 1;
}
else {
ret = gnutls_x509_privkey_init(&newcc->pkey);
if (ret != 0) goto dup_error;
ret = gnutls_x509_privkey_cpy(newcc->pkey, cc->pkey);
if (ret != 0) goto dup_error;
}
newcc->cert.subject = x509_crt_copy(cc->cert.subject);
if (!newcc->cert.subject) goto dup_error;
if (cc->friendly_name) newcc->friendly_name = ne_strdup(cc->friendly_name);
populate_cert(&newcc->cert, newcc->cert.subject);
return newcc;
dup_error:
if (newcc->pkey) gnutls_x509_privkey_deinit(newcc->pkey);
if (newcc->cert.subject) gnutls_x509_crt_deinit(newcc->cert.subject);
ne_free(newcc);
return NULL;
}
/**
* gnutls_privkey_import_ecc_raw:
* @key: The key
* @curve: holds the curve
* @x: holds the x
* @y: holds the y
* @k: holds the k
*
* This function will convert the given elliptic curve parameters to the
* native #gnutls_privkey_t format. The output will be stored
* in @key.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.0
**/
int
gnutls_privkey_import_ecc_raw(gnutls_privkey_t key,
gnutls_ecc_curve_t curve,
const gnutls_datum_t * x,
const gnutls_datum_t * y,
const gnutls_datum_t * k)
{
int ret;
gnutls_x509_privkey_t xkey;
ret = gnutls_x509_privkey_init(&xkey);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_privkey_import_ecc_raw(xkey, curve, x, y, k);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret = gnutls_privkey_import_x509(key, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
if (ret < 0) {
gnutls_assert();
goto error;
}
return 0;
error:
gnutls_x509_privkey_deinit(xkey);
return ret;
}
/**
* gnutls_privkey_import_dsa_raw:
* @key: The structure to store the parsed key
* @p: holds the p
* @q: holds the q
* @g: holds the g
* @y: holds the y
* @x: holds the x
*
* This function will convert the given DSA raw parameters to the
* native #gnutls_privkey_t format. The output will be stored
* in @key.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
int
gnutls_privkey_import_dsa_raw(gnutls_privkey_t key,
const gnutls_datum_t * p,
const gnutls_datum_t * q,
const gnutls_datum_t * g,
const gnutls_datum_t * y,
const gnutls_datum_t * x)
{
int ret;
gnutls_x509_privkey_t xkey;
ret = gnutls_x509_privkey_init(&xkey);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_privkey_import_dsa_raw(xkey, p, q, g, y, x);
if (ret < 0) {
gnutls_assert();
goto error;
}
ret = gnutls_privkey_import_x509(key, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
if (ret < 0) {
gnutls_assert();
goto error;
}
return 0;
error:
gnutls_x509_privkey_deinit(xkey);
return ret;
}
/*-
* gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm
* @cert: is a DER encoded private key
*
* This function will return the public key algorithm of a DER encoded private
* key.
*
* Returns a member of the gnutls_pk_algorithm_t enumeration on success,
* or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error.
*
-*/
int
gnutls_x509_extract_key_pk_algorithm (const gnutls_datum_t * key)
{
gnutls_x509_privkey_t pkey;
int ret, pk;
ret = gnutls_x509_privkey_init (&pkey);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_x509_privkey_import (pkey, key, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
pk = gnutls_x509_privkey_get_pk_algorithm (pkey);
gnutls_x509_privkey_deinit (pkey);
return pk;
}
static gnutls_x509_privkey generate_private_key(void)
{
int ret;
gnutls_x509_privkey key;
ret = gnutls_x509_privkey_init(&key);
if ( ret < 0 ) {
fprintf(stderr, "error initializing private key: %s.\n", gnutls_strerror(ret));
return NULL;
}
gcry_set_progress_handler(entropy_progress_cb, NULL);
fprintf(stderr, "Generating %d bits RSA private key... This might take a very long time.\n", generated_key_size);
fprintf(stderr, "[Increasing system activity will speed-up the process].\n");
fprintf(stderr, "Generation in progress... ");
fflush(stderr);
ret = gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, generated_key_size, 0);
if ( ret < 0 ) {
fprintf(stderr, "error generating private RSA key: %s\n", gnutls_strerror(ret));
gnutls_x509_privkey_deinit(key);
return NULL;
}
fprintf(stderr, "\n\n");
return key;
}
/**
* FIXME Replace this with a tls_load_key function and use it
* in tls_connection_create.
*
* Most probably we only need one context and key for all connections
*/
int
tls_check_keyfile(const char *keyfile)
{
gnutls_x509_privkey_t key;
gnutls_datum_t keycontent = { NULL, 0 };
FILE *keyfp;
size_t br;
SSL_library_init();
OpenSSL_add_all_algorithms();
if (access(capture_get_keyfile(), R_OK) != 0)
return 0;
if (!(keyfp = fopen(capture_get_keyfile(), "rb")))
return 0;
fseek(keyfp, 0, SEEK_END);
keycontent.size = ftell(keyfp);
fseek(keyfp, 0, SEEK_SET);
keycontent.data = sng_malloc(keycontent.size);
br = fread(keycontent.data, 1, keycontent.size, keyfp);
fclose(keyfp);
gnutls_x509_privkey_init(&key);
if (gnutls_x509_privkey_import(key, &keycontent, GNUTLS_X509_FMT_PEM) < 0)
return 0;
sng_free(keycontent.data);
return 1;
}
gnutls_x509_privkey tls_load_privkey(requiem_client_profile_t *cp)
{
int ret;
size_t size;
gnutls_datum data;
char filename[256];
gnutls_x509_privkey key;
requiem_client_profile_get_tls_key_filename(cp, filename, sizeof(filename));
ret = access(filename, F_OK);
if ( ret < 0 )
return gen_crypto(cp, filename,
requiem_client_profile_get_uid(cp),
requiem_client_profile_get_gid(cp));
ret = _requiem_load_file(filename, &data.data, &size);
if ( ret < 0 ) {
fprintf(stderr, "could not load '%s': %s.\n", filename, requiem_strerror(ret));
return NULL;
}
data.size = (unsigned int) size;
gnutls_x509_privkey_init(&key);
gnutls_x509_privkey_import(key, &data, GNUTLS_X509_FMT_PEM);
_requiem_unload_file(data.data, size);
return key;
}
void SslContext::setKeyFile(const std::string& filename)
{
if (error_) return;
if (!enabled) return;
TRACE("SslContext::setKeyFile: \"%s\"", filename.c_str());
gnutls_datum_t data;
if ((error_ = loadFile(data, filename))) {
log(x0::Severity::error, "Error loading private key file(%s): %s", filename.c_str(), error_.message().c_str());
return;
}
int rv;
if ((rv = gnutls_x509_privkey_init(&x509PrivateKey_)) < 0) {
freeFile(data);
return;
}
if ((rv = gnutls_x509_privkey_import(x509PrivateKey_, &data, GNUTLS_X509_FMT_PEM)) < 0) {
TRACE("setKeyFile: failed to import key as x509-fmt-pem. trying pkcs-plain.");
rv = gnutls_x509_privkey_import_pkcs8(x509PrivateKey_, &data, GNUTLS_X509_FMT_PEM, nullptr, GNUTLS_PKCS_PLAIN);
}
if (rv < 0) {
log(x0::Severity::error, "Error loading private key file(%s): %s", filename.c_str(), gnutls_strerror(rv));
freeFile(data);
return;
}
freeFile(data);
TRACE("setKeyFile: success.");
}
int mailstream_ssl_set_client_private_key_data(struct mailstream_ssl_context * ssl_context,
unsigned char *pkey_der, size_t len)
{
#ifdef USE_SSL
#ifndef USE_GNUTLS
EVP_PKEY *pkey = NULL;
if (pkey_der != NULL && len > 0)
pkey = d2i_AutoPrivateKey(NULL, (const unsigned char **)&pkey_der, len);
ssl_context->client_pkey = (EVP_PKEY *)pkey;
return 0;
#else
gnutls_datum tmp;
int r;
ssl_context->client_pkey = NULL;
if (len == 0)
return 0;
gnutls_x509_privkey_init(&(ssl_context->client_pkey));
tmp.data = pkey_der;
tmp.size = len;
if ((r = gnutls_x509_privkey_import(ssl_context->client_pkey, &tmp, GNUTLS_X509_FMT_DER)) < 0) {
gnutls_x509_privkey_deinit(ssl_context->client_pkey);
ssl_context->client_pkey = NULL;
return -1;
}
return 0;
#endif
#endif
return -1;
}
static int ecdsa_params_to_pem(dnssec_key_t *dnskey, const legacy_privkey_t *params,
dnssec_binary_t *pem)
{
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int result = gnutls_x509_privkey_init(&key);
if (result != GNUTLS_E_SUCCESS) {
return DNSSEC_ENOMEM;
}
gnutls_ecc_curve_t curve = 0;
gnutls_datum_t x = { 0 };
gnutls_datum_t y = { 0 };
ecdsa_extract_public_params(dnskey, &curve, &x, &y);
gnutls_datum_t k = binary_to_datum(¶ms->private_key);
result = gnutls_x509_privkey_import_ecc_raw(key, curve, &x, &y, &k);
if (result != DNSSEC_EOK) {
return DNSSEC_KEY_IMPORT_ERROR;
}
gnutls_x509_privkey_fix(key);
return pem_from_x509(key, pem);
}
/**
* gnutls_privkey_export_x509:
* @pkey: The private key
* @key: Location for the key to be exported.
*
* Converts the given abstract private key to a #gnutls_x509_privkey_t
* type. The key must be of type %GNUTLS_PRIVKEY_X509. The key returned
* in @key must be deinitialized with gnutls_x509_privkey_deinit().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.4.0
*/
int
gnutls_privkey_export_x509(gnutls_privkey_t pkey,
gnutls_x509_privkey_t *key)
{
int ret;
if (pkey->type != GNUTLS_PRIVKEY_X509) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
ret = gnutls_x509_privkey_init(key);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_privkey_cpy(*key, pkey->key.x509);
if (ret < 0) {
gnutls_x509_privkey_deinit(*key);
*key = NULL;
return gnutls_assert_val(ret);
}
return 0;
}
/**
* gnutls_privkey_import_x509:
* @pkey: The private key
* @key: The private key to be imported
* @flags: Flags for the import
*
* This function will import the given private key to the abstract
* #gnutls_privkey_t type.
*
* The #gnutls_x509_privkey_t object must not be deallocated
* during the lifetime of this structure.
*
* @flags might be zero or one of %GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE
* and %GNUTLS_PRIVKEY_IMPORT_COPY.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 2.12.0
**/
int
gnutls_privkey_import_x509(gnutls_privkey_t pkey,
gnutls_x509_privkey_t key, unsigned int flags)
{
int ret;
ret = check_if_clean(pkey);
if (ret < 0) {
gnutls_assert();
return ret;
}
if (flags & GNUTLS_PRIVKEY_IMPORT_COPY) {
ret = gnutls_x509_privkey_init(&pkey->key.x509);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_privkey_cpy(pkey->key.x509, key);
if (ret < 0) {
gnutls_x509_privkey_deinit(pkey->key.x509);
return gnutls_assert_val(ret);
}
} else
pkey->key.x509 = key;
pkey->type = GNUTLS_PRIVKEY_X509;
pkey->pk_algorithm = gnutls_x509_privkey_get_pk_algorithm(key);
pkey->flags = flags;
return 0;
}
/* Load the private key.
* @mand should be non zero if it is required to read a private key.
*/
gnutls_x509_privkey_t
load_x509_private_key (int mand, common_info_st * info)
{
gnutls_x509_privkey_t key;
int ret;
gnutls_datum_t dat;
size_t size;
unsigned int flags = 0;
const char* pass;
if (!info->privkey && !mand)
return NULL;
if (info->privkey == NULL)
error (EXIT_FAILURE, 0, "missing --load-privkey");
ret = gnutls_x509_privkey_init (&key);
if (ret < 0)
error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
dat.data = (void*)read_binary_file (info->privkey, &size);
dat.size = size;
if (!dat.data)
error (EXIT_FAILURE, errno, "reading --load-privkey: %s", info->privkey);
if (info->pkcs8)
{
pass = get_password (info, &flags, 0);
ret =
gnutls_x509_privkey_import_pkcs8 (key, &dat, info->incert_format,
pass, flags);
}
else
{
ret = gnutls_x509_privkey_import2 (key, &dat, info->incert_format, NULL, 0);
if (ret == GNUTLS_E_DECRYPTION_FAILED)
{
pass = get_password (info, &flags, 0);
ret = gnutls_x509_privkey_import2 (key, &dat, info->incert_format, pass, flags);
}
}
free (dat.data);
if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
{
error (EXIT_FAILURE, 0,
"import error: could not find a valid PEM header; "
"check if your key is PKCS #12 encoded");
}
if (ret < 0)
error (EXIT_FAILURE, 0, "importing --load-privkey: %s: %s",
info->privkey, gnutls_strerror (ret));
return key;
}
void
doit (void)
{
gnutls_x509_privkey_t key;
gnutls_x509_crt_t crt;
gnutls_digest_algorithm_t hash_algo;
unsigned char _signature[128];
size_t _signature_size = sizeof (_signature);
gnutls_datum signature;
int ret;
size_t i;
gnutls_global_init ();
for (i = 0; i < sizeof (key_dat) / sizeof (key_dat[0]); i++)
{
success ("loop %d\n", i);
ret = gnutls_x509_privkey_init (&key);
if (ret < 0)
fail ("gnutls_x509_privkey_init\n");
ret = gnutls_x509_privkey_import (key, &key_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_privkey_import\n");
ret = gnutls_x509_privkey_sign_data (key, GNUTLS_DIG_SHA1, 0, &raw_data,
_signature, &_signature_size);
if (ret < 0)
fail ("gnutls_x509_privkey_sign_hash\n");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
fail ("gnutls_x509_crt_init\n");
ret = gnutls_x509_crt_import (crt, &cert_dat[i], GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import\n");
signature.data = _signature;
signature.size = _signature_size;
ret = gnutls_x509_crt_get_verify_algorithm (crt, &signature, &hash_algo);
if (ret < 0 || hash_algo != GNUTLS_DIG_SHA1)
fail ("gnutls_x509_crt_get_verify_algorithm\n");
ret = gnutls_x509_crt_verify_hash (crt, 0, &hash_data, &signature);
if (ret < 0)
fail ("gnutls_x509_privkey_verify_hash\n");
gnutls_x509_privkey_deinit (key);
gnutls_x509_crt_deinit (crt);
}
gnutls_global_deinit ();
}
gboolean
crypto_verify_pkcs8 (const guint8 *data,
gsize data_len,
gboolean is_encrypted,
const char *password,
GError **error)
{
gnutls_x509_privkey_t p8;
gnutls_datum_t dt;
int err;
g_return_val_if_fail (data != NULL, FALSE);
if (!crypto_init (error))
return FALSE;
dt.data = (unsigned char *) data;
dt.size = data_len;
err = gnutls_x509_privkey_init (&p8);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERROR_FAILED,
_("Couldn't initialize PKCS#8 decoder: %s"),
gnutls_strerror (err));
return FALSE;
}
err = gnutls_x509_privkey_import_pkcs8 (p8,
&dt,
GNUTLS_X509_FMT_DER,
is_encrypted ? password : NULL,
is_encrypted ? 0 : GNUTLS_PKCS_PLAIN);
gnutls_x509_privkey_deinit (p8);
if (err < 0) {
if (err == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
/* HACK: gnutls doesn't support all the cipher types that openssl
* can use with PKCS#8, so if we encounter one, we have to assume
* the given password works. gnutls needs to unsuckify, apparently.
* Specifically, by default openssl uses pbeWithMD5AndDES-CBC
* which gnutls does not support.
*/
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode PKCS#8 file: %s"),
gnutls_strerror (err));
return FALSE;
}
}
return TRUE;
}
static int import_key(gnutls_certificate_credentials_t xcred, const gnutls_datum_t *skey, const gnutls_datum_t *cert)
{
gnutls_x509_privkey_t key;
gnutls_x509_crt_t *crt_list;
unsigned crt_list_size, idx, i;
gnutls_datum_t tcert;
int ret;
assert(gnutls_x509_privkey_init(&key)>=0);
ret = gnutls_x509_crt_list_import2(&crt_list, &crt_list_size, cert, GNUTLS_X509_FMT_PEM, 0);
if (ret < 0) {
fail("error in gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret));
}
ret = gnutls_x509_privkey_import(key, skey, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in key import: %s\n", gnutls_strerror(ret));
}
ret = gnutls_certificate_set_x509_key(xcred, crt_list,
crt_list_size, key);
if (ret < 0) {
success("error in gnutls_certificate_set_x509_key: %s\n", gnutls_strerror(ret));
idx = ret;
goto cleanup;
}
/* return index */
idx = ret;
/* verify whether the stored certificate match the ones we have */
for (i=0;i<MIN(2, crt_list_size);i++) {
ret = gnutls_certificate_get_crt_raw(xcred, idx, i, &tcert);
if (ret < 0) {
fail("error in %d: cert: %d: %s\n", __LINE__, i, gnutls_strerror(ret));
exit(1);
}
compare(&tcert, cert->data+i);
}
cleanup:
gnutls_x509_privkey_deinit(key);
for (i=0;i<crt_list_size;i++) {
gnutls_x509_crt_deinit(crt_list[i]);
}
gnutls_free(crt_list);
return idx;
}
static gchar* _make_rsasha1_base64_signature(const gchar* base_string,
const gchar* key)
{
gnutls_privkey_t pkey;
gnutls_x509_privkey_t x509_pkey;
gnutls_datum_t pkey_data;
gnutls_datum_t signature;
gchar* out = NULL;
pkey_data.data = (guchar*)key;
pkey_data.size = strlen(key);
gnutls_privkey_init(&pkey);
gnutls_x509_privkey_init(&x509_pkey);
int res = gnutls_x509_privkey_import(x509_pkey, &pkey_data, GNUTLS_X509_FMT_PEM);
if (res != GNUTLS_E_SUCCESS) {
goto out;
}
res = gnutls_privkey_import_x509(pkey, x509_pkey, 0);
if (res != GNUTLS_E_SUCCESS) {
goto out;
}
res = gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA1, 0, &pkey_data,
&signature);
if (res != GNUTLS_E_SUCCESS) {
goto out;
}
out = g_malloc0((signature.size / 3 + 1) * 4 + 4);
gint state = 0;
gint save = 0;
gchar* p = out;
p += g_base64_encode_step(signature.data, signature.size,
FALSE, p, &state, &save);
g_base64_encode_close(FALSE, p, &state, &save);
gnutls_free(signature.data);
out:
gnutls_x509_privkey_deinit(x509_pkey);
gnutls_privkey_deinit(pkey);
return out;
}
PrivateKey
PrivateKey::generate(unsigned key_length)
{
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize GnuTLS.");
gnutls_x509_privkey_t key;
if (gnutls_x509_privkey_init(&key) != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize private key.");
int err = gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, key_length, 0);
if (err != GNUTLS_E_SUCCESS) {
gnutls_x509_privkey_deinit(key);
throw CryptoException(std::string("Can't generate RSA key pair: ") + gnutls_strerror(err));
}
return PrivateKey{key};
}
/**
* gnutls_rsa_params_init - This function will initialize the temporary RSA parameters
* @rsa_params: Is a structure that will hold the parameters
*
* This function will initialize the temporary RSA parameters structure.
*
**/
int
gnutls_rsa_params_init (gnutls_rsa_params_t * rsa_params)
{
int ret;
ret = gnutls_x509_privkey_init (rsa_params);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
(*rsa_params)->crippled = 1;
return 0;
}
void doit(void)
{
gnutls_dh_params_t dh_params;
gnutls_x509_privkey_t privkey;
gnutls_datum_t p1, g1, p2, g2, q;
unsigned bits = 0;
int ret;
/* import DH parameters from DSA key and verify they are the same */
gnutls_dh_params_init(&dh_params);
gnutls_x509_privkey_init(&privkey);
ret = gnutls_x509_privkey_import(privkey, &dsa_key, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_dh_params_import_dsa(dh_params, privkey);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_dh_params_export_raw(dh_params, &p1, &g1, &bits);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
ret = gnutls_x509_privkey_export_dsa_raw(privkey, &p2, &q, &g2, NULL, NULL);
if (ret < 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (bits > q.size*8 || bits < q.size*8-8)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (compare(&p1, &p2) != 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
if (compare(&g1, &g2) != 0)
fail("error in %s: %d\n", __FILE__, __LINE__);
gnutls_free(p1.data);
gnutls_free(g1.data);
gnutls_free(p2.data);
gnutls_free(g2.data);
gnutls_free(q.data);
gnutls_dh_params_deinit(dh_params);
gnutls_x509_privkey_deinit(privkey);
success("all ok\n");
}
struct SSLConnection *
tls_connection_create(struct in_addr caddr, uint16_t cport, struct in_addr saddr, uint16_t sport) {
struct SSLConnection *conn = NULL;
gnutls_datum_t keycontent = { NULL, 0 };
FILE *keyfp;
gnutls_x509_privkey_t spkey;
size_t br;
// Allocate memory for this connection
conn = sng_malloc(sizeof(struct SSLConnection));
memcpy(&conn->client_addr, &caddr, sizeof(struct in_addr));
memcpy(&conn->server_addr, &saddr, sizeof(struct in_addr));
memcpy(&conn->client_port, &cport, sizeof(uint16_t));
memcpy(&conn->server_port, &sport, sizeof(uint16_t));
SSL_library_init();
OpenSSL_add_all_algorithms();
if (!(conn->ssl_ctx = SSL_CTX_new(SSLv23_server_method())))
return NULL;
if (!(conn->ssl = SSL_new(conn->ssl_ctx)))
return NULL;
if (!(keyfp = fopen(capture_get_keyfile(), "rb")))
return NULL;
fseek(keyfp, 0, SEEK_END);
keycontent.size = ftell(keyfp);
fseek(keyfp, 0, SEEK_SET);
keycontent.data = sng_malloc(keycontent.size);
br = fread(keycontent.data, 1, keycontent.size, keyfp);
fclose(keyfp);
gnutls_x509_privkey_init(&spkey);
gnutls_x509_privkey_import(spkey, &keycontent, GNUTLS_X509_FMT_PEM);
sng_free(keycontent.data);
gnutls_privkey_init(&conn->server_private_key);
gnutls_privkey_import_x509(conn->server_private_key, spkey, 0);
// Add this connection to the list
conn->next = connections;
connections = conn;
return conn;
}
static int import_Key(QWidget * w, gnutls_x509_privkey_t * privkey,
gnutls_datum_t * raw)
{
int ret;
if (raw->size == 0)
return -1;
gnutls_x509_privkey_init(privkey);
ret =
gnutls_x509_privkey_import2(*privkey, raw, GNUTLS_X509_FMT_PEM, NULL,
0);
if (ret == GNUTLS_E_DECRYPTION_FAILED && w != NULL) {
bool ok;
QString text;
text =
QInputDialog::getText(w,
QLatin1String
("This file requires a password"),
QLatin1String("Please enter your password"),
QLineEdit::Password, QString(), &ok);
if (!ok) {
ret = -1;
goto fail;
}
ret =
gnutls_x509_privkey_import2(*privkey, raw, GNUTLS_X509_FMT_PEM,
text.toAscii().data(), 0);
}
if (ret == GNUTLS_E_BASE64_DECODING_ERROR
|| ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
ret = gnutls_x509_privkey_import(*privkey, raw, GNUTLS_X509_FMT_DER);
if (ret < 0) {
goto fail;
}
return 0;
fail:
gnutls_x509_privkey_deinit(*privkey);
*privkey = NULL;
return ret;
}
/* Load the certificate and the private key.
*/
static void
load_keys (void)
{
int ret;
gnutls_datum_t data;
data = load_file (CERT_FILE);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
gnutls_x509_crt_init (&crt);
ret = gnutls_x509_crt_import (crt, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
data = load_file (KEY_FILE);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
gnutls_x509_privkey_init (&key);
ret = gnutls_x509_privkey_import (key, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
}
int
_gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey,
const gnutls_datum_t * raw_key,
gnutls_x509_crt_fmt_t type)
{
gnutls_x509_privkey_t tmpkey;
int ret;
ret = gnutls_x509_privkey_init (&tmpkey);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_x509_privkey_import (tmpkey, raw_key, type);
#ifdef ENABLE_PKI
/* If normal key decoding doesn't work try decoding a plain PKCS #8 key */
if (ret < 0)
ret = gnutls_x509_privkey_import_pkcs8 (tmpkey, raw_key, type,
NULL, GNUTLS_PKCS_PLAIN);
#endif
if (ret < 0)
{
gnutls_assert ();
gnutls_x509_privkey_deinit (tmpkey);
return ret;
}
ret = _gnutls_x509_privkey_to_gkey (privkey, tmpkey);
if (ret < 0)
{
gnutls_assert ();
gnutls_x509_privkey_deinit (tmpkey);
return ret;
}
gnutls_x509_privkey_deinit (tmpkey);
return 0;
}
static gnutls_privkey_t _load_privkey(gnutls_datum_t *dat, common_info_st * info)
{
int ret;
gnutls_privkey_t key;
gnutls_x509_privkey_t xkey;
ret = gnutls_x509_privkey_init (&xkey);
if (ret < 0)
error (EXIT_FAILURE, 0, "x509_privkey_init: %s", gnutls_strerror (ret));
ret = gnutls_privkey_init (&key);
if (ret < 0)
error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
if (info->pkcs8)
{
const char *pass = get_pass ();
ret =
gnutls_x509_privkey_import_pkcs8 (xkey, dat, info->incert_format,
pass, 0);
}
else
ret = gnutls_x509_privkey_import (xkey, dat, info->incert_format);
if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
{
error (EXIT_FAILURE, 0,
"import error: could not find a valid PEM header; "
"check if your key is PKCS #8 or PKCS #12 encoded");
}
if (ret < 0)
error (EXIT_FAILURE, 0, "importing --load-privkey: %s: %s",
info->privkey, gnutls_strerror (ret));
ret = gnutls_privkey_import_x509(key, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_privkey_import_x509: %s",
gnutls_strerror (ret));
return key;
}
static
int import_dsa_dh(gnutls_dh_params_t dh_params, gnutls_datum_t *params, gnutls_x509_crt_fmt_t format)
{
gnutls_x509_privkey_t pkey;
int ret;
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0)
return ret;
ret = gnutls_x509_privkey_import(pkey, params, format);
if (ret < 0)
return ret;
ret = gnutls_dh_params_import_dsa(dh_params, pkey);
gnutls_x509_privkey_deinit(pkey);
return ret;
}
static int dsa_params_to_pem(const legacy_privkey_t *params, dnssec_binary_t *pem)
{
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int result = gnutls_x509_privkey_init(&key);
if (result != GNUTLS_E_SUCCESS) {
return DNSSEC_ENOMEM;
}
gnutls_datum_t p = binary_to_datum(¶ms->prime);
gnutls_datum_t q = binary_to_datum(¶ms->subprime);
gnutls_datum_t g = binary_to_datum(¶ms->base);
gnutls_datum_t x = binary_to_datum(¶ms->private_value);
gnutls_datum_t y = binary_to_datum(¶ms->public_value);
result = gnutls_x509_privkey_import_dsa_raw(key, &p, &q, &g, &y, &x);
if (result != DNSSEC_EOK) {
return DNSSEC_KEY_IMPORT_ERROR;
}
return pem_from_x509(key, pem);
}
/*!
* Generate new key and export it in the PEM format.
*/
int pem_generate(gnutls_pk_algorithm_t algorithm, unsigned bits,
dnssec_binary_t *pem_ptr, char **id_ptr)
{
assert(pem_ptr);
assert(id_ptr);
// generate key
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int r = gnutls_x509_privkey_init(&key);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_ENOMEM;
}
r = gnutls_x509_privkey_generate(key, algorithm, bits, 0);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_KEY_GENERATE_ERROR;
}
// convert to PEM and export the ID
dnssec_binary_t pem = { 0 };
r = pem_gnutls_x509_export(key, &pem);
if (r != DNSSEC_EOK) {
return r;
}
// export key ID
char *id = gnutls_x509_privkey_hex_key_id(key);
if (!id) {
dnssec_binary_free(&pem);
return DNSSEC_ENOMEM;
}
*pem_ptr = pem;
*id_ptr = id;
return DNSSEC_EOK;
}
int
main (void)
{
gnutls_x509_privkey_t key;
gnutls_datum_t p, q, g, y, x;
int ret;
gnutls_global_init ();
ret = gnutls_x509_privkey_init (&key);
if (ret < 0)
return 1;
ret = gnutls_x509_privkey_generate (key, GNUTLS_PK_DSA, 512, 0);
if (ret < 0)
return 1;
ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
if (ret < 0)
return 1;
if (q.size == 3 && memcmp (q.data, "\x01\x00\x01", 3) == 0)
{
printf ("buggy\n");
return 1;
}
else
printf ("success!\n");
gnutls_free (p.data);
gnutls_free (q.data);
gnutls_free (g.data);
gnutls_free (y.data);
gnutls_free (x.data);
gnutls_x509_privkey_deinit (key);
gnutls_global_deinit ();
return 0;
}
