static void server(int sd, const char *prio) { gnutls_psk_server_credentials_t server_pskcred; int ret; gnutls_session_t session; char buffer[MAX_BUF + 1]; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); side = "server"; gnutls_psk_allocate_server_credentials(&server_pskcred); gnutls_psk_set_server_credentials_hint(server_pskcred, "hint"); gnutls_psk_set_server_credentials_function(server_pskcred, pskfunc); gnutls_psk_set_server_dh_params(server_pskcred, dh_params); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, prio, NULL); gnutls_credentials_set(session, GNUTLS_CRD_PSK, server_pskcred); gnutls_transport_set_int(session, sd); ret = gnutls_handshake(session); if (ret < 0) { close(sd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); return; } if (debug) success("server: Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { memset(buffer, 0, MAX_BUF + 1); gnutls_record_set_timeout(session, 10000); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send(session, buffer, strlen(buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(sd); gnutls_deinit(session); gnutls_psk_free_server_credentials(server_pskcred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
void server (void) { client_len = sizeof (sa_cli); session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); success ("server: connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); return; } success ("server: Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ i = 0; for (;;) { bzero (buffer, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("server: Peer has closed the GNUTLS connection\n"); break; } else if (ret < 0) { fail ("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); close (listen_sd); gnutls_psk_free_server_credentials (server_pskcred); gnutls_global_deinit (); success ("server: finished\n"); }
int main (void) { int ret; int sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_srp_client_credentials_t srp_cred; gnutls_certificate_credentials_t cert_cred; gnutls_global_init (); /* now enable the gnutls-extra library which contains the * SRP stuff. */ gnutls_global_init_extra (); gnutls_srp_allocate_client_credentials (&srp_cred); gnutls_certificate_allocate_credentials (&cert_cred); gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_srp_set_client_credentials (srp_cred, USERNAME, PASSWORD); /* connects to server */ sd = tcp_connect (); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Set the priorities. */ gnutls_priority_set_direct (session, "NORMAL:+SRP:+SRP-RSA:+SRP-DSS", NULL); /* put the SRP credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (gnutls_error_is_fatal (ret) == 1 || ret == 0) { if (ret == 0) { printf ("- Peer has closed the GNUTLS connection\n"); goto end; } else { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } } else check_alert (session, ret); if (ret > 0) { printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); } gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_srp_free_client_credentials (srp_cred); gnutls_certificate_free_credentials (cert_cred); gnutls_global_deinit (); return 0; }
mref_err_t mref_fetch_handle(struct mref *m, FILE *h, const char *me) { char *mhsh, *rhsh, *store; gnutls_session_t sess; gnutls_anon_client_credentials_t cred; int fd = fileno(h); int err, i, store_good; unsigned char h_mref[32], h_calc[32]; gcry_md_hd_t ghd; size_t mhsh_len, ns_len, rhsh_len, store_len; if (!mref_split(m)) return MREF_ERR_NOT_FIELDS; store = mref_field_alloc(m, MREF_FLD_STORE); if (!store) return MREF_ERR_NOMEM; //printf("store is: %s\n", store); mhsh = mref_field_alloc(m, MREF_FLD_MESSAGE_HASH); if (!mhsh) return MREF_ERR_NOMEM; _mref_b64dec(h_mref, mhsh, mref_field_length(m, MREF_FLD_MESSAGE_HASH)); //printf("mhsh is: %s\n", mhsh); rhsh = mref_field_alloc(m, MREF_FLD_MREF_HASH); rhsh_len = mref_field_length(m, MREF_FLD_MREF_HASH); if (!rhsh) return MREF_ERR_NOMEM; //printf("rhsh is: %s\n", rhsh); /* err = gnutls_global_init(); if (err != GNUTLS_E_SUCCESS) return MREF_ERR_TLS(err); err = gnutls_init(&sess, GNUTLS_CLIENT); if (err != GNUTLS_E_SUCCESS) return MREF_ERR_TLS(err); err = gnutls_credentials_set(sess, GNUTLS_CRD_ANON, &cred); if (err != GNUTLS_E_SUCCESS) return MREF_ERR_TLS(err); */ /*** from info gnutls ***/ { int ret, sd; gnutls_session_t session; char buffer[MAX_BUF + 1]; const char *err; /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); gnutls_session_set_ptr (session, (void *) store); gnutls_server_name_set (session, GNUTLS_NAME_DNS, store, strlen(store)); /* Use default priorities */ ret = gnutls_priority_set_direct (session, "NORMAL", &err); if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf (stderr, "Syntax error at: %s\n", err); } exit (1); } /* put the x509 credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, mref_cred()); /* connect to the peer */ sd = tcp_connect(store); if (sd == -1) { gnutls_deinit (session); return MREF_ERR_CONNECT_FAIL; } gnutls_transport_set_int (session, sd); gnutls_handshake_set_timeout (session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); /* Perform the TLS handshake */ do ret = gnutls_handshake (session); while (ret < 0 && gnutls_error_is_fatal (ret) == 0); if (ret < 0) { tcp_close(sd); gnutls_deinit(session); return MREF_ERR_TLS(ret); } gnutls_record_send (session, rhsh, rhsh_len); //fprintf(stderr, "sent rhsh, %d bytes\n", rhsh_len); mref_trace_headers(m, h, sd, me); state = st_goodbad; ns_len = 0; gcry_md_open(&ghd, GCRY_MD_SHA256, 0); if (!ghd) return MREF_ERR_GCRYPT; while ((ret = gnutls_record_recv (session, buffer, MAX_BUF)) > 0) { int i; for (i = 0; i < ret; ++i) { switch (state) { case st_goodbad: store_good = buffer[i] == '+'; ++state; break; case st_count: if (buffer[i] >= '0' && buffer[i] <= '9') ns_len = ns_len * 10 + buffer[i] - '0'; else if (buffer[i] == ':') ++state; else return MREF_ERR_STORE_PROTO; break; case st_data: if (store_good) fputc(buffer[i], h); else fputc(buffer[i], stderr); gcry_md_write(ghd, buffer + i, 1); if (--ns_len == 0) ++ state; break; case st_comma: if (buffer[i] == ',') break; case st_toomuch: return MREF_ERR_STORE_PROTO; } } } if (ret < 0) { if (gnutls_error_is_fatal(ret)) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); } else { fprintf (stderr, "*** Warning: %s\n", gnutls_strerror (ret)); gnutls_bye (session, GNUTLS_SHUT_RDWR); } tcp_close(sd); gnutls_deinit (session); return MREF_ERR_TLS(ret); } tcp_close(sd); gnutls_deinit (session); memcpy(h_calc, gcry_md_read(ghd, 0), 32); gcry_md_close(ghd); if (memcmp(h_mref, h_calc, 32) != 0) return MREF_ERR_BAD_MSG_HASH; if (fflush(h) != 0) return MREF_ERR_SYS; if (fsync(fd) != 0) return MREF_ERR_SYS; fclose(h); /* cannot fail */ return 0; } }
static void client(int fd) { gnutls_session_t session; int ret; gnutls_anon_client_credentials_t anoncred; gnutls_datum_t mac_key, iv, cipher_key; gnutls_datum_t read_mac_key, read_iv, read_cipher_key; unsigned char rseq_number[8]; unsigned char wseq_number[8]; unsigned char key_material[512], *p; unsigned i; unsigned block_size, hash_size, key_size, iv_size; const char *err; /* Need to enable anonymous KX specifically. */ global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_client_credentials(&anoncred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ ret = gnutls_priority_set_direct(session, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+ANON-DH:+ANON-ECDH:+CURVE-ALL", &err); if (ret < 0) { fail("client: priority set failed (%s): %s\n", gnutls_strerror(ret), err); exit(1); } /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed: %s\n", strerror(ret)); terminate(); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); ret = gnutls_cipher_get(session); if (ret != GNUTLS_CIPHER_AES_128_CBC) { fprintf(stderr, "negotiated unexpected cipher: %s\n", gnutls_cipher_get_name(ret)); terminate(); } ret = gnutls_mac_get(session); if (ret != GNUTLS_MAC_SHA1) { fprintf(stderr, "negotiated unexpected mac: %s\n", gnutls_mac_get_name(ret)); terminate(); } iv_size = 16; hash_size = 20; key_size = 16; block_size = 2*hash_size + 2*key_size + 2 *iv_size; ret = gnutls_prf(session, 13, "key expansion", 1, 0, NULL, block_size, (void*)key_material); if (ret < 0) { fprintf(stderr, "error in %d\n", __LINE__); gnutls_perror(ret); terminate(); } p = key_material; /* check whether the key material matches our calculations */ ret = gnutls_record_get_state(session, 0, &mac_key, &iv, &cipher_key, wseq_number); if (ret < 0) { fprintf(stderr, "error in %d\n", __LINE__); gnutls_perror(ret); terminate(); } if (memcmp(wseq_number, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) != 0) { dump("wseq:", wseq_number, 8); fprintf(stderr, "error in %d\n", __LINE__); terminate(); } ret = gnutls_record_get_state(session, 1, &read_mac_key, &read_iv, &read_cipher_key, rseq_number); if (ret < 0) { fprintf(stderr, "error in %d\n", __LINE__); gnutls_perror(ret); terminate(); } if (memcmp(rseq_number, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) != 0) { dump("rseq:", rseq_number, 8); fprintf(stderr, "error in %d\n", __LINE__); terminate(); } if (hash_size != mac_key.size || memcmp(p, mac_key.data, hash_size) != 0) { dump("MAC:", mac_key.data, mac_key.size); dump("Block:", key_material, block_size); fprintf(stderr, "error in %d\n", __LINE__); terminate(); } p+= hash_size; if (hash_size != read_mac_key.size || memcmp(p, read_mac_key.data, hash_size) != 0) { dump("MAC:", read_mac_key.data, read_mac_key.size); dump("Block:", key_material, block_size); fprintf(stderr, "error in %d\n", __LINE__); terminate(); } p+= hash_size; if (key_size != cipher_key.size || memcmp(p, cipher_key.data, key_size) != 0) { fprintf(stderr, "error in %d\n", __LINE__); terminate(); } p+= key_size; if (key_size != read_cipher_key.size || memcmp(p, read_cipher_key.data, key_size) != 0) { fprintf(stderr, "error in %d\n", __LINE__); terminate(); } p+= key_size; if (iv_size != iv.size || memcmp(p, iv.data, iv_size) != 0) { fprintf(stderr, "error in %d\n", __LINE__); terminate(); } p+=iv_size; if (iv_size != read_iv.size || memcmp(p, read_iv.data, iv_size) != 0) { fprintf(stderr, "error in %d\n", __LINE__); terminate(); } /* check sequence numbers */ for (i=0;i<5;i++) { ret = gnutls_record_send(session, "hello", 5); if (ret < 0) { fail("gnutls_record_send: %s\n", gnutls_strerror(ret)); } } ret = gnutls_record_get_state(session, 0, NULL, NULL, NULL, wseq_number); if (ret < 0) { fprintf(stderr, "error in %d\n", __LINE__); gnutls_perror(ret); terminate(); } if (memcmp(wseq_number, "\x00\x00\x00\x00\x00\x00\x00\x06", 8) != 0) { dump("wseq:", wseq_number, 8); fprintf(stderr, "error in %d\n", __LINE__); terminate(); } ret = gnutls_record_get_state(session, 1, NULL, NULL, NULL, rseq_number); if (ret < 0) { fprintf(stderr, "error in %d\n", __LINE__); gnutls_perror(ret); terminate(); } if (memcmp(rseq_number, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) != 0) { dump("wseq:", wseq_number, 8); fprintf(stderr, "error in %d\n", __LINE__); terminate(); } gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_client_credentials(anoncred); gnutls_global_deinit(); }
static void server(int fd) { int ret; gnutls_certificate_credentials_t xcred; char buffer[MAX_BUF + 1]; gnutls_session_t session; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&xcred); ret = gnutls_certificate_set_x509_key_mem(xcred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); gnutls_init(&session, GNUTLS_SERVER); gnutls_handshake_set_timeout(session, 20 * 1000); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); /* see the Getting peer's information example */ /* print_info(session); */ memset(buffer, 1, sizeof(buffer)); do { ret = gnutls_record_send(session, buffer, sizeof(buffer)-1); } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: data sending has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); if (ret < 0) { fail("server: error in closing session: %s\n", gnutls_strerror(ret)); } close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
int main (void) { int ret; int sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; /* variables used in session resuming */ int t; char *session_data = NULL; size_t session_data_size = 0; gnutls_global_init (); /* X509 stuff */ gnutls_certificate_allocate_credentials (&xcred); gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM); for (t = 0; t < 2; t++) { /* connect 2 times to the server */ sd = tcp_connect (); gnutls_init (&session, GNUTLS_CLIENT); gnutls_priority_set_direct (session, "PERFORMANCE:!ARCFOUR-128", NULL); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); if (t > 0) { /* if this is not the first time we connect */ gnutls_session_set_data (session, session_data, session_data_size); free (session_data); } gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } if (t == 0) { /* the first time we connect */ /* get the session data size */ gnutls_session_get_data (session, NULL, &session_data_size); session_data = malloc (session_data_size); /* put session data to the session variable */ gnutls_session_get_data (session, session_data, &session_data_size); } else { /* the second time we connect */ /* check if we actually resumed the previous session */ if (gnutls_session_is_resumed (session) != 0) { printf ("- Previous session was resumed\n"); } else { fprintf (stderr, "*** Previous session was NOT resumed\n"); } } /* This function was defined in a previous example */ /* print_info(session); */ gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); } /* for() */ gnutls_certificate_free_credentials (xcred); gnutls_global_deinit (); return 0; }
/* * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) { ssize_t result; int retval = 0; struct SessionHandle *data = conn->data; int done = 0; char buf[120]; /* This has only been tested on the proftpd server, and the mod_tls code sends a close notify alert without waiting for a close notify alert in response. Thus we wait for a close notify alert from the server, but we do not send one. Let's hope other servers do the same... */ if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE) gnutls_bye(conn->ssl[sockindex].session, GNUTLS_SHUT_WR); if(conn->ssl[sockindex].session) { while(!done) { int what = Curl_socket_ready(conn->sock[sockindex], CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT); if(what > 0) { /* Something to read, let's do it and hope that it is the close notify alert from the server */ result = gnutls_record_recv(conn->ssl[sockindex].session, buf, sizeof(buf)); switch(result) { case 0: /* This is the expected response. There was no data but only the close notify alert */ done = 1; break; case GNUTLS_E_AGAIN: case GNUTLS_E_INTERRUPTED: infof(data, "GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED\n"); break; default: retval = -1; done = 1; break; } } else if(0 == what) { /* timeout */ failf(data, "SSL shutdown timeout"); done = 1; break; } else { /* anything that gets here is fatally bad */ failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO); retval = -1; done = 1; } } gnutls_deinit(conn->ssl[sockindex].session); } gnutls_certificate_free_credentials(conn->ssl[sockindex].cred); #ifdef USE_TLS_SRP if(data->set.ssl.authtype == CURL_TLSAUTH_SRP && data->set.ssl.username != NULL) gnutls_srp_free_client_credentials(conn->ssl[sockindex].srp_client_cred); #endif conn->ssl[sockindex].cred = NULL; conn->ssl[sockindex].session = NULL; return retval; }
int main(void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_datum_t out; int type; unsigned status; #if 0 const char *err; #endif gnutls_certificate_credentials_t xcred; if (gnutls_check_version("3.4.6") == NULL) { fprintf(stderr, "GnuTLS 3.4.6 or later is required for this example\n"); exit(1); } /* for backwards compatibility with gnutls < 3.3.0 */ CHECK(gnutls_global_init()); /* X509 stuff */ CHECK(gnutls_certificate_allocate_credentials(&xcred)); /* sets the trusted cas file */ CHECK(gnutls_certificate_set_x509_trust_file(xcred, CAFILE, GNUTLS_X509_FMT_PEM)); /* If client holds a certificate it can be set using the following: * gnutls_certificate_set_x509_key_file (xcred, "cert.pem", "key.pem", GNUTLS_X509_FMT_PEM); */ /* Initialize TLS session */ CHECK(gnutls_init(&session, GNUTLS_CLIENT)); gnutls_session_set_ptr(session, (void *) "my_host_name"); CHECK(gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name", strlen("my_host_name"))); /* It is recommended to use the default priorities */ CHECK(gnutls_set_default_priority(session)); #if 0 /* if more fine-graned control is required */ ret = gnutls_priority_set_direct(session, "NORMAL", &err); if (ret < 0) { if (ret == GNUTLS_E_INVALID_REQUEST) { fprintf(stderr, "Syntax error at: %s\n", err); } exit(1); } #endif /* put the x509 credentials to the current session */ CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred)); gnutls_session_set_verify_cert(session, "my_host_name", 0); /* connect to the peer */ sd = tcp_connect(); gnutls_transport_set_int(session, sd); gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) { /* check certificate verification status */ type = gnutls_certificate_type_get(session); status = gnutls_session_get_verify_cert_status(session); CHECK(gnutls_certificate_verification_status_print(status, type, &out, 0)); printf("cert verify output: %s\n", out.data); gnutls_free(out.data); } fprintf(stderr, "*** Handshake failed: %s\n", gnutls_strerror(ret)); goto end; } else { char *desc; desc = gnutls_session_get_desc(session); printf("- Session info: %s\n", desc); gnutls_free(desc); } /* send data */ CHECK(gnutls_record_send(session, MSG, strlen(MSG))); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { printf("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)); goto end; } if (ret > 0) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } CHECK(gnutls_bye(session, GNUTLS_SHUT_RDWR)); end: tcp_close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); return 0; }
static void server(int fd, const char *prio) { int ret; char buffer[MAX_BUF + 1]; gnutls_session_t session; gnutls_certificate_credentials_t x509_cred; gnutls_datum_t skey; /* this must be called once in the program */ global_init(); memset(buffer, 0, sizeof(buffer)); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); assert(gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM)>=0); assert(gnutls_init(&session, GNUTLS_SERVER)>=0); assert(gnutls_session_ticket_key_generate(&skey)>=0); assert(gnutls_session_ticket_enable_server(session, &skey) >= 0); gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, handshake_callback); /* avoid calling all the priority functions, since the defaults * are adequate. */ assert(gnutls_priority_set_direct(session, prio, NULL)>=0); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { /* failure is expected here */ goto end; } if (debug) { success("server: Handshake was completed\n"); } if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); if (sent == 0) { fail("client: didn't send new sessiont ticket\n"); terminate(); } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); end: close(fd); gnutls_deinit(session); gnutls_free(skey.data); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
gboolean cib_remote_listen(int ssock, gpointer data) { int lpc = 0; int csock = 0; unsigned laddr; struct sockaddr_in addr; #ifdef HAVE_GNUTLS_GNUTLS_H gnutls_session *session = NULL; #endif cib_client_t *new_client = NULL; xmlNode *login = NULL; const char *user = NULL; const char *pass = NULL; const char *tmp = NULL; cl_uuid_t client_id; char uuid_str[UU_UNPARSE_SIZEOF]; /* accept the connection */ laddr = sizeof(addr); csock = accept(ssock, (struct sockaddr*)&addr, &laddr); crm_debug("New %s connection from %s", ssock == remote_tls_fd?"secure":"clear-text", inet_ntoa(addr.sin_addr)); if (csock == -1) { crm_err("accept socket failed"); return TRUE; } if(ssock == remote_tls_fd) { #ifdef HAVE_GNUTLS_GNUTLS_H /* create gnutls session for the server socket */ session = create_tls_session(csock, GNUTLS_SERVER); if (session == NULL) { crm_err("TLS session creation failed"); close(csock); return TRUE; } #endif } do { crm_debug_2("Iter: %d", lpc); if(ssock == remote_tls_fd) { #ifdef HAVE_GNUTLS_GNUTLS_H login = cib_recv_remote_msg(session, TRUE); #endif } else { login = cib_recv_remote_msg(GINT_TO_POINTER(csock), FALSE); } sleep(1); } while(login == NULL && ++lpc < 10); crm_log_xml_info(login, "Login: "******"cib_command")) { crm_err("Wrong tag: %s", tmp); goto bail; } tmp = crm_element_value(login, "op"); if(safe_str_neq(tmp, "authenticate")) { crm_err("Wrong operation: %s", tmp); goto bail; } user = crm_element_value(login, "user"); pass = crm_element_value(login, "password"); /* Non-root daemons can only validate the password of the * user they're running as */ if(check_group_membership(user, CRM_DAEMON_GROUP) == FALSE) { crm_err("User is not a member of the required group"); goto bail; } else if (authenticate_user(user, pass) == FALSE) { crm_err("PAM auth failed"); goto bail; } /* send ACK */ crm_malloc0(new_client, sizeof(cib_client_t)); num_clients++; new_client->channel_name = "remote"; new_client->name = crm_element_value_copy(login, "name"); cl_uuid_generate(&client_id); cl_uuid_unparse(&client_id, uuid_str); CRM_CHECK(new_client->id == NULL, crm_free(new_client->id)); new_client->id = crm_strdup(uuid_str); new_client->callback_id = NULL; if(ssock == remote_tls_fd) { #ifdef HAVE_GNUTLS_GNUTLS_H new_client->encrypted = TRUE; new_client->channel = (void*)session; #endif } else { new_client->channel = GINT_TO_POINTER(csock); } free_xml(login); login = create_xml_node(NULL, "cib_result"); crm_xml_add(login, F_CIB_OPERATION, CRM_OP_REGISTER); crm_xml_add(login, F_CIB_CLIENTID, new_client->id); cib_send_remote_msg(new_client->channel, login, new_client->encrypted); free_xml(login); new_client->source = (void*)G_main_add_fd( G_PRIORITY_DEFAULT, csock, FALSE, cib_remote_msg, new_client, cib_remote_connection_destroy); g_hash_table_insert(client_list, new_client->id, new_client); return TRUE; bail: if(ssock == remote_tls_fd) { #ifdef HAVE_GNUTLS_GNUTLS_H gnutls_bye(*session, GNUTLS_SHUT_RDWR); gnutls_deinit(*session); gnutls_free(session); #endif } close(csock); free_xml(login); return TRUE; }
static void server(int fd) { int ret; gnutls_session_t session; gnutls_certificate_credentials_t serverx509cred; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ ret = gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+RSA:%NO_SESSION_HASH", NULL); if (ret < 0) { fail("server: priority set failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } ret = gnutls_session_set_premaster(session, GNUTLS_SERVER, GNUTLS_TLS1_0, GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1, GNUTLS_COMP_NULL, &master, &sess_id); if (ret < 0) { fail("server: gnutls_session_set_premaster failed: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_handshake_set_random(session, &hsrnd); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(serverx509cred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
static void client(int fd) { gnutls_session_t session; int ret; gnutls_certificate_credentials_t clientx509cred; const char *err; /* Need to enable anonymous KX specifically. */ global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&clientx509cred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); ret = gnutls_session_set_premaster(session, GNUTLS_CLIENT, GNUTLS_TLS1_0, GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1, GNUTLS_COMP_NULL, &master, &sess_id); if (ret < 0) { fail("client: gnutls_session_set_premaster failed: %s\n", gnutls_strerror(ret)); exit(1); } /* Use default priorities */ ret = gnutls_priority_set_direct(session, "NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA", &err); if (ret < 0) { fail("client: priority set failed (%s): %s\n", gnutls_strerror(ret), err); exit(1); } ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) exit(1); gnutls_handshake_set_random(session, &hrnd); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed: %s\n", strerror(ret)); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); ret = gnutls_cipher_get(session); if (ret != GNUTLS_CIPHER_AES_128_CBC) { fprintf(stderr, "negotiated unexpected cipher: %s\n", gnutls_cipher_get_name(ret)); exit(1); } ret = gnutls_mac_get(session); if (ret != GNUTLS_MAC_SHA1) { fprintf(stderr, "negotiated unexpected mac: %s\n", gnutls_mac_get_name(ret)); exit(1); } check_prfs(session); gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); }
static void client(int sd, const char *prio) { int ret, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_psk_client_credentials_t pskcred; /* Need to enable anonymous KX specifically. */ const gnutls_datum_t key = { (void *) "DEADBEEF", 8 }; const char *hint; global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); side = "client"; gnutls_psk_allocate_client_credentials(&pskcred); gnutls_psk_set_client_credentials(pskcred, "test", &key, GNUTLS_PSK_KEY_HEX); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_priority_set_direct(session, prio, NULL); /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred); gnutls_transport_set_int(session, sd); /* Perform the TLS handshake */ ret = gnutls_handshake(session); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); goto end; } else { if (debug) success("client: Handshake was completed\n"); } /* check the hint */ hint = gnutls_psk_client_get_hint(session); if (hint == NULL || strcmp(hint, "hint") != 0) { fail("client: hint is not the expected: %s\n", gnutls_psk_client_get_hint(session)); goto end; } gnutls_record_send(session, MSG, strlen(MSG)); ret = gnutls_record_recv(session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail("client: Error: %s\n", gnutls_strerror(ret)); goto end; } if (debug) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } gnutls_bye(session, GNUTLS_SHUT_RDWR); end: close(sd); gnutls_deinit(session); gnutls_psk_free_client_credentials(pskcred); gnutls_global_deinit(); }
static void server (void) { /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&pgp_cred); ret = gnutls_certificate_set_openpgp_key_mem2 (pgp_cred, &server_crt, &server_key, "auto", GNUTLS_OPENPGP_FMT_BASE64); if (err < 0) { fail ("Could not set server key files...\n"); } if (debug) success ("Launched, setting DH parameters...\n"); generate_dh_params (); gnutls_certificate_set_dh_params (pgp_cred, dh_params); client_len = sizeof (sa_cli); session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); if (debug) success ("server: connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); return; } if (debug) success ("server: Handshake was completed\n"); if (debug) success ("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ if (debug) print_info (session); i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail ("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); close (listen_sd); gnutls_certificate_free_credentials (pgp_cred); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); if (debug) success ("server: finished\n"); }
int main (void) { int err, listen_sd; int sd, ret; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; int client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; /* this must be called once in the program */ gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM); generate_dh_params (); gnutls_priority_init (&priority_cache, "NORMAL", NULL); gnutls_certificate_set_dh_params (x509_cred, dh_params); /* Socket operations */ listen_sd = socket (AF_INET, SOCK_STREAM, 0); SOCKET_ERR (listen_sd, "socket"); memset (&sa_serv, '\0', sizeof (sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons (PORT); /* Server Port number */ setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, sizeof (int)); err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv)); SOCKET_ERR (err, "bind"); err = listen (listen_sd, 1024); SOCKET_ERR (err, "listen"); printf ("Server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof (sa_cli); for (;;) { session = initialize_tls_session (); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); printf ("- connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fprintf (stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror (ret)); continue; } printf ("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("\n- Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fprintf (stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } printf ("\n"); /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); } close (listen_sd); gnutls_certificate_free_credentials (x509_cred); gnutls_priority_deinit (priority_cache); gnutls_global_deinit (); return 0; }
static void test_success(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; to_server_len = 0; to_client_len = 0; client_ret_val = 0; server_ret_val = 0; server_ok = 0; client_ok = 0; /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); gnutls_session_set_verify_function(server, server_callback); gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); gnutls_session_set_verify_function(client, client_callback); HANDSHAKE(client, server); gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); if (server_ok == 0) fail("Server certificate verify callback wasn't called\n"); if (client_ok == 0) fail("Client certificate verify callback wasn't called\n"); }
static void server (struct params_res *params) { size_t t; /* this must be called once in the program, it is mostly for the server. */ if (debug) { gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (2); } gnutls_global_init (); gnutls_anon_allocate_server_credentials (&anoncred); if (debug) success ("Launched, generating DH parameters...\n"); generate_dh_params (); gnutls_anon_set_server_dh_params (anoncred, dh_params); if (params->enable_db) { wrap_db_init (); } if (params->enable_session_ticket_server) gnutls_session_ticket_key_generate (&session_ticket_key); for (t = 0; t < 2; t++) { client_len = sizeof (sa_cli); session = initialize_tls_session (params); sd = accept (listen_sd, (SA *) & sa_cli, &client_len); if (debug) success ("server: connection from %s, port %d\n", inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf, sizeof (topbuf)), ntohs (sa_cli.sin_port)); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret)); return; } if (debug) success ("server: Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ i = 0; for (;;) { memset (buffer, 0, MAX_BUF + 1); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("server: Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0) { fail ("server: Received corrupted data(%d). Closing...\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ gnutls_record_send (session, buffer, strlen (buffer)); } } /* do not wait for the peer to close the connection. */ gnutls_bye (session, GNUTLS_SHUT_WR); close (sd); gnutls_deinit (session); } close (listen_sd); if (params->enable_db) { wrap_db_deinit (); } gnutls_free (session_ticket_key.data); session_ticket_key.data = NULL; if (debug) success ("server: finished\n"); }
static void client(int fd) { int ret; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; gnutls_session_t session; global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&xcred); ret = disable_system_calls(); if (ret < 0) { fprintf(stderr, "could not enable seccomp\n"); exit(2); } /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); gnutls_handshake_set_timeout(session, 20 * 1000); /* Use default priorities */ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); do { ret = gnutls_record_recv(session, buffer, sizeof(buffer)-1); } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail("client: Error: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); if (ret < 0) { fail("server: error in closing session: %s\n", gnutls_strerror(ret)); } end: close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); }
static void client (struct params_res *params) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; /* Need to enable anonymous KX specifically. */ /* variables used in session resuming */ int t; gnutls_datum_t session_data; if (debug) { gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (2); } gnutls_global_init (); gnutls_anon_allocate_client_credentials (&anoncred); for (t = 0; t < 2; t++) { /* connect 2 times to the server */ /* connect to the peer */ sd = tcp_connect (); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NO_EXTENSIONS); /* Use default priorities */ gnutls_priority_set_direct (session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); /* put the anonymous credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); if (params->enable_session_ticket_client) gnutls_session_ticket_enable_client (session); if (t > 0) { /* if this is not the first time we connect */ gnutls_session_set_data (session, session_data.data, session_data.size); gnutls_free (session_data.data); } gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { if (debug) success ("client: Handshake was completed\n"); } if (t == 0) { /* the first time we connect */ /* get the session data size */ ret = gnutls_session_get_data2 (session, &session_data); if (ret < 0) fail ("Getting resume data failed\n"); } else { /* the second time we connect */ /* check if we actually resumed the previous session */ if (gnutls_session_is_resumed (session) != 0) { if (params->expect_resume) { if (debug) success ("- Previous session was resumed\n"); } else fail ("- Previous session was resumed\n"); } else { if (params->expect_resume) { fail ("*** Previous session was NOT resumed\n"); } else { if (debug) success ("*** Previous session was NOT resumed (expected)\n"); } } } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } if (debug ) { printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); } gnutls_bye (session, GNUTLS_SHUT_RDWR); tcp_close (sd); gnutls_deinit (session); } end: gnutls_anon_free_client_credentials (anoncred); }
/** Handles one client. * This one connects to the remote server, and proxies every traffic * between our client and the server. * * @param config is the main CryWrap configuration structure. * @param insock is the socket through which the client sends input. * @param outsock is the socket through which we send output. * * @note Exits on error. */ static int _crywrap_do_one (const crywrap_config_t *config, int insock, int outsock) { int sock, ret, tls_pending; gnutls_session_t session; char buffer[_CRYWRAP_MAXBUF + 2]; fd_set fdset; unsigned int status = 0; struct sockaddr_storage faddr; socklen_t socklen = sizeof (struct sockaddr_storage); char peer_name[NI_MAXHOST]; /* Log the connection */ if (getpeername (insock, (struct sockaddr *)&faddr, &socklen) != 0) cry_error ("getpeername(): %s", strerror (errno)); else { getnameinfo ((struct sockaddr *)&faddr, sizeof (struct sockaddr_storage), peer_name, sizeof (peer_name), NULL, 0, NI_NUMERICHOST); cry_log ("Accepted connection from %s on %d to %s/%d", peer_name, insock, config->dest.host, config->dest.port); } /* Do the handshake with our peer */ session = _crywrap_tls_session_create (config); gnutls_transport_set_ptr2 (session, (gnutls_transport_ptr_t)insock, (gnutls_transport_ptr_t)outsock); do { ret = gnutls_handshake(session); } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); if (ret < 0) { cry_error ("Handshake failed: %s", gnutls_strerror (ret)); gnutls_alert_send_appropriate(session, ret); goto error; } /* Verify the client's certificate, if any. */ if (config->verify) { ret = gnutls_certificate_verify_peers2 (session, &status); if (ret < 0) cry_log ("Error getting certificate from client: %s", gnutls_strerror (ret)); if (ret == 0 && status != 0) { if (status & GNUTLS_CERT_INVALID) cry_log ("%s", "Client certificate not trusted or invalid"); } if (config->verify > 0 && status != 0) { ret = -1; gnutls_alert_send( session, GNUTLS_AL_FATAL, GNUTLS_A_INSUFFICIENT_SECURITY); goto error; } } /* Connect to the remote host */ sock = _crywrap_remote_connect (config->dest.addr, htons (config->dest.port)); for (;;) { FD_ZERO (&fdset); FD_SET (insock, &fdset); FD_SET (sock, &fdset); memset (buffer, 0, _CRYWRAP_MAXBUF + 1); tls_pending = 0; if (gnutls_record_check_pending(session) > 0) tls_pending = 1; else { select (sock + 1, &fdset, NULL, NULL, NULL); if (FD_ISSET (insock, &fdset)) tls_pending = 1; } /* TLS client */ if (tls_pending != 0) { ret = gnutls_record_recv (session, buffer, _CRYWRAP_MAXBUF); if (ret == 0) { cry_log ("%s", "Peer has closed the GNUTLS connection"); break; } else if (ret < 0) { cry_log ("Received corrupted data: %s.", gnutls_strerror (ret)); break; } else send (sock, buffer, ret, 0); } /* Remote server */ if (FD_ISSET (sock, &fdset)) { ret = recv (sock, buffer, _CRYWRAP_MAXBUF, 0); if (ret == 0) { cry_log ("%s", "Server has closed the connection"); break; } else if (ret < 0) { cry_log ("Received corrupted data: %s.", strerror (errno)); break; } else { int r, o = 0; do { r = gnutls_record_send (session, &buffer[o], ret - o); o += r; } while (r > 0 && ret > o); if (r < 0) cry_log ("Received corrupt data: %s", gnutls_strerror (r)); } } } error: gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit (session); close (insock); close (outsock); return (ret == 0) ? 0 : 1; }
int main(void) { int listen_sd; int sd, ret; gnutls_certificate_credentials_t x509_cred; gnutls_priority_t priority_cache; struct sockaddr_in sa_serv; struct sockaddr_in sa_cli; socklen_t client_len; char topbuf[512]; gnutls_session_t session; char buffer[MAX_BUF + 1]; int optval = 1; /* for backwards compatibility with gnutls < 3.3.0 */ CHECK(gnutls_global_init()); CHECK(gnutls_certificate_allocate_credentials(&x509_cred)); CHECK(gnutls_certificate_set_x509_trust_file(x509_cred, CAFILE, GNUTLS_X509_FMT_PEM)); CHECK(gnutls_certificate_set_x509_crl_file(x509_cred, CRLFILE, GNUTLS_X509_FMT_PEM)); /* The following code sets the certificate key pair as well as, * an OCSP response which corresponds to it. It is possible * to set multiple key-pairs and multiple OCSP status responses * (the latter since 3.5.6). See the manual pages of the individual * functions for more information. */ CHECK(gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM)); CHECK(gnutls_certificate_set_ocsp_status_request_file(x509_cred, OCSP_STATUS_FILE, 0)); CHECK(gnutls_priority_init(&priority_cache, NULL, NULL)); /* Instead of the default options as shown above one could specify * additional options such as server precedence in ciphersuite selection * as follows: * gnutls_priority_init2(&priority_cache, * "%SERVER_PRECEDENCE", * NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND); */ #if GNUTLS_VERSION_NUMBER >= 0x030506 /* only available since GnuTLS 3.5.6, on previous versions see * gnutls_certificate_set_dh_params(). */ gnutls_certificate_set_known_dh_params(x509_cred, GNUTLS_SEC_PARAM_MEDIUM); #endif /* Socket operations */ listen_sd = socket(AF_INET, SOCK_STREAM, 0); memset(&sa_serv, '\0', sizeof(sa_serv)); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.s_addr = INADDR_ANY; sa_serv.sin_port = htons(PORT); /* Server Port number */ setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval, sizeof(int)); bind(listen_sd, (struct sockaddr *) &sa_serv, sizeof(sa_serv)); listen(listen_sd, 1024); printf("Server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof(sa_cli); for (;;) { CHECK(gnutls_init(&session, GNUTLS_SERVER)); CHECK(gnutls_priority_set(session, priority_cache)); CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred)); /* We don't request any certificate from the client. * If we did we would need to verify it. One way of * doing that is shown in the "Verifying a certificate" * example. */ gnutls_certificate_server_set_request(session, GNUTLS_CERT_IGNORE); gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); sd = accept(listen_sd, (struct sockaddr *) &sa_cli, &client_len); printf("- connection from %s, port %d\n", inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf, sizeof(topbuf)), ntohs(sa_cli.sin_port)); gnutls_transport_set_int(session, sd); LOOP_CHECK(ret, gnutls_handshake(session)); if (ret < 0) { close(sd); gnutls_deinit(session); fprintf(stderr, "*** Handshake has failed (%s)\n\n", gnutls_strerror(ret)); continue; } printf("- Handshake was completed\n"); /* see the Getting peer's information example */ /* print_info(session); */ for (;;) { LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF)); if (ret == 0) { printf ("\n- Peer has closed the GnuTLS connection\n"); break; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "\n*** Received corrupted " "data(%d). Closing the connection.\n\n", ret); break; } else if (ret > 0) { /* echo data back to the client */ CHECK(gnutls_record_send(session, buffer, ret)); } } printf("\n"); /* do not wait for the peer to close the connection. */ LOOP_CHECK(ret, gnutls_bye(session, GNUTLS_SHUT_WR)); close(sd); gnutls_deinit(session); } close(listen_sd); gnutls_certificate_free_credentials(x509_cred); gnutls_priority_deinit(priority_cache); gnutls_global_deinit(); return 0; }
static void server(int fd) { int ret; gnutls_session_t session; gnutls_anon_server_credentials_t anoncred; gnutls_dh_params_t dh_params; char buf[128]; const gnutls_datum_t p3 = { (unsigned char *) pkcs3, strlen(pkcs3) }; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_server_credentials(&anoncred); gnutls_dh_params_init(&dh_params); gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params(anoncred, dh_params); gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ ret = gnutls_priority_set_direct(session, "NORMAL:+ANON-DH:+ANON-ECDH", NULL); if (ret < 0) { fail("server: priority set failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); do { ret = gnutls_record_recv(session, buf, sizeof(buf)); } while(ret > 0); if (ret < 0) { fail("error: %s\n", gnutls_strerror(ret)); } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_server_credentials(anoncred); gnutls_dh_params_deinit(dh_params); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
int main(void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; if (gnutls_check_version("3.1.4") == NULL) { fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } /* for backwards compatibility with gnutls < 3.3.0 */ CHECK(gnutls_global_init()); /* X509 stuff */ CHECK(gnutls_certificate_allocate_credentials(&xcred)); /* sets the system trusted CAs for Internet PKI */ CHECK(gnutls_certificate_set_x509_system_trust(xcred)); /* Initialize TLS session */ CHECK(gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM)); /* Use default priorities */ CHECK(gnutls_set_default_priority(session)); /* put the x509 credentials to the current session */ CHECK(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred)); CHECK(gnutls_server_name_set(session, GNUTLS_NAME_DNS, "www.example.com", strlen("www.example.com"))); gnutls_session_set_verify_cert(session, "www.example.com", 0); /* connect to the peer */ sd = udp_connect(); gnutls_transport_set_int(session, sd); /* set the connection MTU */ gnutls_dtls_set_mtu(session, 1000); /* gnutls_dtls_set_timeouts(session, 1000, 60000); */ /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); /* Note that DTLS may also receive GNUTLS_E_LARGE_PACKET */ if (ret < 0) { fprintf(stderr, "*** Handshake failed\n"); gnutls_perror(ret); goto end; } else { char *desc; desc = gnutls_session_get_desc(session); printf("- Session info: %s\n", desc); gnutls_free(desc); } LOOP_CHECK(ret, gnutls_record_send(session, MSG, strlen(MSG))); LOOP_CHECK(ret, gnutls_record_recv(session, buffer, MAX_BUF)); if (ret == 0) { printf("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0 && gnutls_error_is_fatal(ret) == 0) { fprintf(stderr, "*** Warning: %s\n", gnutls_strerror(ret)); } else if (ret < 0) { fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)); goto end; } if (ret > 0) { printf("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc(buffer[ii], stdout); } fputs("\n", stdout); } /* It is suggested not to use GNUTLS_SHUT_RDWR in DTLS * connections because the peer's closure message might * be lost */ CHECK(gnutls_bye(session, GNUTLS_SHUT_WR)); end: udp_close(sd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); return 0; }
void doit(void) { global_init(); int ret; char buf[1024]; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server2_cert, &server2_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_pull_timeout_function(server, server_pull_timeout_func); gnutls_transport_set_ptr(server, server); /* Init client */ ret = gnutls_certificate_allocate_credentials(&clientx509cred); if (ret < 0) exit(1); ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); ret = gnutls_init(&client, GNUTLS_CLIENT); if (ret < 0) exit(1); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) exit(1); ret = gnutls_priority_set_direct(client, "NORMAL", NULL); if (ret < 0) exit(1); gnutls_record_set_max_size(client, 512); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_pull_timeout_function(client, client_pull_timeout_func); gnutls_transport_set_ptr(client, client); HANDSHAKE(client, server); memset(buf, 1, sizeof(buf)); ret = gnutls_record_send(server, buf, 513); if (ret != 512 || ret < 0) { gnutls_perror(ret); exit(1); } success("did not send a 513-byte packet\n"); ret = gnutls_record_send(server, buf, 512); if (ret < 0) { gnutls_perror(ret); exit(1); } success("did send a 512-byte packet\n"); gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); }
void SSLi_shutdown(SSL_handle_t *session) { gnutls_bye(*session, GNUTLS_SHUT_WR); }
void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_psk_client_credentials_t pskcred; /* Need to enable anonymous KX specifically. */ const int kx_prio[] = { GNUTLS_KX_DHE_PSK, 0 }; const gnutls_datum_t key = { "DEADBEEF", 8 }; gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); // gnutls_global_set_log_level (99); gnutls_psk_allocate_client_credentials (&pskcred); gnutls_psk_set_client_credentials (pskcred, "test", &key, GNUTLS_PSK_KEY_HEX); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_PSK, pskcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { success ("client: Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } if (debug) { printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); } gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_psk_free_client_credentials (pskcred); gnutls_global_deinit (); }
static void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (2); gnutls_certificate_allocate_credentials (&xcred); /* sets the trusted cas file */ if (debug) success ("Setting key files...\n"); ret = gnutls_certificate_set_openpgp_key_mem (xcred, &cert, &key, GNUTLS_OPENPGP_FMT_BASE64); if (ret < 0) { fail ("Could not set key files...\n"); } /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ if (debug) success ("Connecting...\n"); sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else if (debug) { success ("client: Handshake was completed\n"); } if (debug) success ("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ if (debug) print_info (session); gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { if (debug) success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } if (debug) { printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); } gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_global_deinit (); }
static void server(int fd) { int ret; char buffer[MAX_BUF + 1]; gnutls_session_t session; gnutls_anon_server_credentials_t anoncred; /* this must be called once in the program */ global_init(); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_anon_allocate_server_credentials(&anoncred); gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); gnutls_dtls_set_mtu(session, 1500); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-ECDH:+CURVE-ALL", NULL); gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); terminate(); fail("server: Handshake has failed (%s)\n\n", gnutls_strerror(ret)); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); /* see the Getting peer's information example */ /* print_info(session); */ /* avoid uninitialized warnings */ memset(buffer, 1, sizeof(buffer)); ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session) + 12); if (ret != GNUTLS_E_LARGE_PACKET) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session) + 5048); if (ret != GNUTLS_E_LARGE_PACKET) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session)); if (ret < 0) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } gnutls_dtls_set_mtu(session, MAX_MTU); ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session) + 12); if (ret != GNUTLS_E_LARGE_PACKET) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session) + 5048); if (ret != GNUTLS_E_LARGE_PACKET) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session)); if (ret > 16384 || ret < 0) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } /* test cork and uncork */ gnutls_record_cork(session); ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session)); if (ret < 0) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } ret = gnutls_record_uncork(session, 0); if (ret < 0) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } gnutls_record_cork(session); ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session) - 16); if (ret < 0) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } ret = gnutls_record_send(session, buffer, gnutls_dtls_get_data_mtu(session)); if (ret != GNUTLS_E_LARGE_PACKET) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } ret = gnutls_record_uncork(session, GNUTLS_RECORD_WAIT); if (ret < 0) { terminate(); fail("send[%d]: %s\n", __LINE__, gnutls_strerror(ret)); } /* do not wait for the peer to close the connection. */ gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_anon_free_server_credentials(anoncred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
int main (void) { int ret, sd, ii; gnutls_session_t session; gnutls_priority_t priorities_cache; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; /* Allow connections to servers that have OpenPGP keys as well. */ gnutls_global_init (); load_keys (); /* X509 stuff */ gnutls_certificate_allocate_credentials (&xcred); /* priorities */ gnutls_priority_init (&priorities_cache, "NORMAL", NULL); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_retrieve_function2 (xcred, cert_callback); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_priority_set (session, priorities_cache); /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_priority_deinit (priorities_cache); gnutls_global_deinit (); return 0; }