static void server(int fd, const char *prio) { int ret; char buffer[MAX_BUF + 1]; gnutls_session_t session; /* this must be called once in the program */ global_init(); memset(buffer, 0, sizeof(buffer)); if (debug) { gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_anon_allocate_server_credentials(&anoncred); session = initialize_tls_session(prio); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { close(fd); gnutls_deinit(session); fail("server: Handshake has failed (%s) for %s\n\n", gnutls_strerror(ret), prio); terminate(); } if (debug) success("server: Handshake was completed\n"); if (debug) success("server: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); close(fd); gnutls_deinit(session); gnutls_anon_free_server_credentials(anoncred); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("server: finished\n"); }
/** * Enables SSL for the given connection. * * @param connection The connection to enable SSL for. * * @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection * is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when * SSL initialization, setup, or handshake fails. */ idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection) { if (!connection || connection->ssl_data) return IDEVICE_E_INVALID_ARG; idevice_error_t ret = IDEVICE_E_SSL_ERROR; uint32_t return_me = 0; ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); /* Set up GnuTLS... */ debug_info("enabling SSL mode"); errno = 0; gnutls_global_init(); gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate); gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback); gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT); gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL); gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate); gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc); gnutls_x509_crt_init(&ssl_data_loc->root_cert); gnutls_x509_crt_init(&ssl_data_loc->host_cert); gnutls_x509_privkey_init(&ssl_data_loc->root_privkey); gnutls_x509_privkey_init(&ssl_data_loc->host_privkey); userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert); if (uerr != USERPREF_E_SUCCESS) { debug_info("Error %d when loading keys and certificates! %d", uerr); } debug_info("GnuTLS step 1..."); gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection); debug_info("GnuTLS step 2..."); gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write); debug_info("GnuTLS step 3..."); gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read); debug_info("GnuTLS step 4 -- now handshaking..."); if (errno) debug_info("WARN: errno says %s before handshake!", strerror(errno)); return_me = gnutls_handshake(ssl_data_loc->session); debug_info("GnuTLS handshake done..."); if (return_me != GNUTLS_E_SUCCESS) { internal_ssl_cleanup(ssl_data_loc); free(ssl_data_loc); debug_info("GnuTLS reported something wrong."); gnutls_perror(return_me); debug_info("oh.. errno says %s", strerror(errno)); } else { connection->ssl_data = ssl_data_loc; ret = IDEVICE_E_SUCCESS; debug_info("SSL mode enabled"); } return ret; }
ne_ssl_context *ne_ssl_context_create(int flags) { ne_ssl_context *ctx = ne_calloc(sizeof *ctx); gnutls_certificate_allocate_credentials(&ctx->cred); if (flags == NE_SSL_CTX_CLIENT) { gnutls_certificate_client_set_retrieve_function(ctx->cred, provide_client_cert); } return ctx; }
ufwissl_ssl_context *ufwissl_ssl_context_create(int flags) { ufwissl_ssl_context *ctx = ufwissl_calloc(sizeof *ctx); gnutls_certificate_allocate_credentials(&ctx->cred); /* if (flags == UFWISSL_SSL_CTX_CLIENT) { gnutls_certificate_client_set_retrieve_function(ctx->cred, provide_client_cert); }*/ return ctx; }
int main (void) { /* credentials */ gnutls_anon_client_credentials_t c_anoncred; gnutls_certificate_credentials_t c_certcred; gnutls_session_t client; int sd, i; /* General init. */ gnutls_global_init (); ecore_init(); // gnutls_global_set_log_function (tls_log_func); // gnutls_global_set_log_level (2); /* Init client */ gnutls_anon_allocate_client_credentials (&c_anoncred); gnutls_certificate_allocate_credentials (&c_certcred); for (i=0;i<5;i++) { gnutls_init (&client, GNUTLS_CLIENT); /* set very specific priorities */ gnutls_priority_set_direct(client, "NORMAL:+ANON-DH", NULL); gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, c_certcred); gnutls_server_name_set(client, GNUTLS_NAME_DNS, "localhost", strlen("localhost")); /* connect to the peer */ sd = tcp_connect (); /* associate gnutls with socket */ gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t) sd); /* add a callback for data being available for send/receive on socket */ if (!ecore_main_fd_handler_add(sd, ECORE_FD_READ | ECORE_FD_WRITE, (Ecore_Fd_Cb)_process_data, client, NULL, NULL)) { print("could not create fd handler!"); exit(1); } /* begin main loop */ ecore_main_loop_begin(); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_deinit (client); tcp_close (sd); } return 0; }
void doit(void) { gnutls_certificate_credentials_t x509cred; const char *path; unsigned int i; char file[512]; int ret; if (gnutls_fips140_mode_enabled()) { exit(77); } ret = global_init(); if (ret < 0) fail("global_init failed %d\n", ret); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); for (i = 0; files[i].file != NULL; i++) { ret = gnutls_certificate_allocate_credentials(&x509cred); if (ret < 0) fail("gnutls_certificate_allocate_credentials failed %d\n", ret); path = getenv("PKCS12PATH"); if (!path) path = "cert-tests/data/"; snprintf(file, sizeof(file), "%s/%s", path, files[i].file); if (debug) success ("Reading PKCS#12 blob from `%s' using password `%s'.\n", file, files[i].pass); ret = gnutls_certificate_set_x509_simple_pkcs12_file(x509cred, file, GNUTLS_X509_FMT_DER, files[i]. pass); if (ret < 0) fail("x509_pkcs12 failed %d: %s\n", ret, gnutls_strerror(ret)); if (debug) success("Read file OK\n"); gnutls_certificate_free_credentials(x509cred); } gnutls_global_deinit(); }
static gnutls_certificate_credentials_t CreateX509CertCredential(rfbCredential *cred) { gnutls_certificate_credentials_t x509_cred; int ret; if (!cred->x509Credential.x509CACertFile) { rfbClientLog("No CA certificate provided.\n"); return NULL; } if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { rfbClientLog("Cannot allocate credentials: %s.\n", gnutls_strerror(ret)); return NULL; } if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, cred->x509Credential.x509CACertFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load CA credentials: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } if (cred->x509Credential.x509ClientCertFile && cred->x509Credential.x509ClientKeyFile) { if ((ret = gnutls_certificate_set_x509_key_file(x509_cred, cred->x509Credential.x509ClientCertFile, cred->x509Credential.x509ClientKeyFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load client certificate or key: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } } else { rfbClientLog("No client certificate or key provided.\n"); } if (cred->x509Credential.x509CACrlFile) { if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, cred->x509Credential.x509CACrlFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load CRL: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } } else { rfbClientLog("No CRL provided.\n"); } gnutls_certificate_set_dh_params (x509_cred, rfbDHParams); return x509_cred; }
GIOChannel *g_io_channel_gnutls_new(int fd) { GIOGnuTLSChannel *gnutls_channel; GIOChannel *channel; int err; DBG(""); gnutls_channel = g_new(GIOGnuTLSChannel, 1); channel = (GIOChannel *) gnutls_channel; g_io_channel_init(channel); channel->funcs = &gnutls_channel_funcs; gnutls_channel->fd = fd; channel->is_seekable = FALSE; channel->is_readable = TRUE; channel->is_writeable = TRUE; channel->do_encode = FALSE; g_io_gnutls_global_init(); err = gnutls_init(&gnutls_channel->session, GNUTLS_CLIENT); if (err < 0) { g_free(gnutls_channel); return NULL; } gnutls_transport_set_ptr(gnutls_channel->session, gnutls_channel); gnutls_transport_set_push_function(gnutls_channel->session, g_io_gnutls_push_func); gnutls_transport_set_pull_function(gnutls_channel->session, g_io_gnutls_pull_func); #if GNUTLS_VERSION_NUMBER < 0x020c00 gnutls_transport_set_lowat(gnutls_channel->session, 0); gnutls_priority_set_direct(gnutls_channel->session, "NORMAL:%COMPAT", NULL); #else gnutls_priority_set_direct(gnutls_channel->session, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL); #endif gnutls_certificate_allocate_credentials(&gnutls_channel->cred); gnutls_credentials_set(gnutls_channel->session, GNUTLS_CRD_CERTIFICATE, gnutls_channel->cred); DBG("channel %p", channel); return channel; }
void relay_network_set_ssl_cert_key (int verbose) { #ifdef HAVE_GNUTLS char *certkey_path, *certkey_path2; int ret; gnutls_certificate_free_credentials (relay_gnutls_x509_cred); gnutls_certificate_allocate_credentials (&relay_gnutls_x509_cred); relay_network_init_ssl_cert_key_ok = 0; certkey_path = weechat_string_expand_home (weechat_config_string (relay_config_network_ssl_cert_key)); if (certkey_path) { certkey_path2 = weechat_string_replace (certkey_path, "%h", weechat_info_get ("weechat_dir", NULL)); if (certkey_path2) { ret = gnutls_certificate_set_x509_key_file (relay_gnutls_x509_cred, certkey_path2, certkey_path2, GNUTLS_X509_FMT_PEM); if (ret >= 0) { relay_network_init_ssl_cert_key_ok = 1; if (verbose) { weechat_printf (NULL, _("%s: SSL certificate and key have been " "set"), RELAY_PLUGIN_NAME); } } else { if (verbose) { weechat_printf (NULL, _("%s%s: warning: no SSL certificate/key " "found (option relay.network.ssl_cert_key)"), weechat_prefix ("error"), RELAY_PLUGIN_NAME); } } free (certkey_path2); } free (certkey_path); } #else /* make C compiler happy */ (void) verbose; #endif }
ne_ssl_context *ne_ssl_context_create(int flags) { ne_ssl_context *ctx = ne_calloc(sizeof *ctx); gnutls_certificate_allocate_credentials(&ctx->cred); if (flags == NE_SSL_CTX_CLIENT) { gnutls_certificate_client_set_retrieve_function(ctx->cred, provide_client_cert); } gnutls_certificate_set_verify_flags(ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); return ctx; }
struct cert* loadCert(const char* ca, const char* cert, const char* key) { struct cert* oc = xmalloc(sizeof(struct cert)); gnutls_certificate_allocate_credentials(&oc->cert); if (ca != NULL) gnutls_certificate_set_x509_trust_file(oc->cert, ca, GNUTLS_X509_FMT_PEM); int e1 = gnutls_certificate_set_x509_key_file(oc->cert, cert, key, GNUTLS_X509_FMT_PEM); if (e1 < 0) { return NULL; } gnutls_priority_init(&oc->priority, "PERFORMANCE:%SERVER_PRECEDENCE", NULL); gnutls_certificate_set_dh_params(oc->cert, dh_params); return oc; }
static Ecore_Con_Ssl_Error _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *svr, int ssl_type) { int ret; if (ssl_type & ECORE_CON_USE_SSL2) return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED; switch (ssl_type) { case ECORE_CON_USE_SSL3: case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_TLS: case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT: case ECORE_CON_USE_MIXED: case ECORE_CON_USE_MIXED | ECORE_CON_LOAD_CERT: break; default: return ECORE_CON_SSL_ERROR_NONE; } SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_certificate_allocate_credentials(&svr->cert)); if ((!svr->use_cert) && svr->created) { SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_init(&svr->dh_params)); INF("Generating DH params"); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_dh_params_generate2(svr->dh_params, 1024)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_server_credentials(&svr->anoncred_s)); /* TODO: implement PSK */ // SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_server_credentials(&svr->pskcred_s)); gnutls_anon_set_server_dh_params(svr->anoncred_s, svr->dh_params); gnutls_certificate_set_dh_params(svr->cert, svr->dh_params); //gnutls_psk_set_server_dh_params(svr->pskcred_s, svr->dh_params); INF("DH params successfully generated and applied!"); } else if (!svr->use_cert) { //SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_psk_allocate_client_credentials(&svr->pskcred_c)); SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_anon_allocate_client_credentials(&svr->anoncred_c)); } return ECORE_CON_SSL_ERROR_NONE; error: _gnutls_print_errors(ret); _ecore_con_ssl_server_shutdown_gnutls(svr); return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED; }
static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd) { gnutls_certificate_credentials_t x509_cred; int ret; if (!vd->tls.x509cacert) { VNC_DEBUG("No CA x509 certificate specified\n"); return NULL; } if (!vd->tls.x509cert) { VNC_DEBUG("No server x509 certificate specified\n"); return NULL; } if (!vd->tls.x509key) { VNC_DEBUG("No server private key specified\n"); return NULL; } if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret)); return NULL; } if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, vd->tls.x509cacert, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } if ((ret = gnutls_certificate_set_x509_key_file (x509_cred, vd->tls.x509cert, vd->tls.x509key, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } if (vd->tls.x509cacrl) { if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, vd->tls.x509cacrl, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } } gnutls_certificate_set_dh_params (x509_cred, dh_params); return x509_cred; }
void doit (void) { gnutls_certificate_credentials_t x509_cred; int ret; unsigned int i; gnutls_x509_crt_t issuer; gnutls_x509_crt_t list[LIST_SIZE]; char dn[128]; size_t dn_size; unsigned int list_size; /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (6); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); /* test for gnutls_certificate_get_issuer() */ list_size = LIST_SIZE; ret = gnutls_x509_crt_list_import(list, &list_size, &cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import"); ret = gnutls_certificate_get_issuer(x509_cred, list[0], &issuer, 0); if (ret < 0) fail("gnutls_certificate_get_isser"); dn_size = sizeof(dn); ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); if (ret < 0) fail("gnutls_certificate_get_isser"); if (debug) fprintf(stderr, "Issuer's DN: %s\n", dn); for (i=0;i<list_size;i++) gnutls_x509_crt_deinit(list[i]); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("success"); }
static void run(const char *env, const char *filename) { gnutls_certificate_credentials_t x509_cred; int ret; remove(filename); #ifdef _WIN32 { char buf[512]; snprintf(buf, sizeof(buf), "%s=%s", env, filename); _putenv(buf); } #else setenv(env, filename, 1); #endif global_init(); if (debug) { gnutls_global_set_log_level(6); gnutls_global_set_log_function(tls_log_func); } /* test gnutls_certificate_flags() */ assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in error code\n"); exit(1); } test_cli_serv(x509_cred, "NORMAL", &ca3_cert, "localhost"); if (access(filename, R_OK) != 0) { fail("keylog file was not created\n"); exit(1); } search_for_str(filename); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); remove(filename); if (debug) success("success"); }
static gpointer server_thread (gpointer user_data) { int listener = GPOINTER_TO_INT (user_data), client; gnutls_certificate_credentials creds; gnutls_session_t session; struct sockaddr_in sin; int len; char buf[BUFSIZE]; int status; gnutls_certificate_allocate_credentials (&creds); if (gnutls_certificate_set_x509_key_file (creds, ssl_cert_file, ssl_key_file, GNUTLS_X509_FMT_PEM) != 0) { g_error ("Failed to set SSL certificate and key files " "(%s, %s).", ssl_cert_file, ssl_key_file); } gnutls_certificate_set_dh_params (creds, dh_params); /* Create a new session */ gnutls_init (&session, GNUTLS_SERVER); gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, creds); gnutls_dh_set_prime_bits (session, DH_BITS); /* Wait for client thread to connect */ len = sizeof (sin); client = accept (listener, (struct sockaddr *) &sin, (void *)&len); gnutls_transport_set_ptr (session, GINT_TO_POINTER (client)); /* Initial handshake */ status = gnutls_handshake (session); if (status < 0) g_error ("initial handshake failed: %d", status); /* Synchronous client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* Async client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* That's all, folks. */ gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit (session); close (client); gnutls_certificate_free_credentials (creds); return NULL; }
int rb_init_ssl(void) { gnutls_global_init(); if (gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS) { rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials"); return 0; } rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300); return 1; }
static int handshake (struct stream_data *data) { const int protocol_priority[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; const int kx_priority[] = { GNUTLS_KX_RSA, 0 }; const int cipher_priority[] = { GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0}; const int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int mac_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; int ret; #ifndef WIN32 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); #endif if (gnutls_global_init () != 0) return IKS_NOMEM; if (gnutls_certificate_allocate_credentials (&data->cred) < 0) return IKS_NOMEM; if (gnutls_init (&data->sess, GNUTLS_CLIENT) != 0) { gnutls_certificate_free_credentials (data->cred); return IKS_NOMEM; } gnutls_protocol_set_priority (data->sess, protocol_priority); gnutls_cipher_set_priority(data->sess, cipher_priority); gnutls_compression_set_priority(data->sess, comp_priority); gnutls_kx_set_priority(data->sess, kx_priority); gnutls_mac_set_priority(data->sess, mac_priority); gnutls_credentials_set (data->sess, GNUTLS_CRD_CERTIFICATE, data->cred); gnutls_transport_set_push_function (data->sess, (gnutls_push_func) tls_push); gnutls_transport_set_pull_function (data->sess, (gnutls_pull_func) tls_pull); gnutls_transport_set_ptr (data->sess, data->prs); ret = gnutls_handshake (data->sess); if (ret != 0) { gnutls_deinit (data->sess); gnutls_certificate_free_credentials (data->cred); return IKS_NET_TLSFAIL; } data->flags &= (~SF_TRY_SECURE); data->flags |= SF_SECURE; iks_send_header (data->prs, data->server); return IKS_OK; } // HAVE_GNUTLS
static void client(int fd, const char *prio) { int ret; gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(7); } gnutls_certificate_allocate_credentials(&x509_cred); assert(gnutls_init(&session, GNUTLS_CLIENT)>=0); assert(gnutls_priority_set_direct(session, prio, NULL)>=0); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, fd); do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); terminate(); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); }
G_GNUC_COLD void tls_global_init(void) { static const struct { const char * const name; const int major; const int minor; } f = { "tls", 1, 0 }; char *cert_file, *key_file; #if !defined(REMAP_ZALLOC) && !defined(TRACK_MALLOC) && !defined(TRACK_ZALLOC) gnutls_global_set_mem_functions(halloc, halloc, NULL, hrealloc, hfree); #endif if (gnutls_global_init()) { g_error("gnutls_global_init() failed"); } #ifdef USE_TLS_CUSTOM_IO gnutls_global_set_log_level(9); gnutls_global_set_log_function(tls_log_function); #endif /* USE_TLS_CUSTOM_IO */ get_dh_params(); gnutls_certificate_allocate_credentials(&cert_cred); key_file = make_pathname(settings_config_dir(), "key.pem"); cert_file = make_pathname(settings_config_dir(), "cert.pem"); if (file_exists(key_file) && file_exists(cert_file)) { int ret; ret = gnutls_certificate_set_x509_key_file(cert_cred, cert_file, key_file, GNUTLS_X509_FMT_PEM); if (ret < 0) { g_warning("gnutls_certificate_set_x509_key_file() failed: %s", gnutls_strerror(ret)); } else { gnutls_certificate_set_dh_params(cert_cred, get_dh_params()); } } HFREE_NULL(key_file); HFREE_NULL(cert_file); header_features_add(FEATURES_CONNECTIONS, f.name, f.major, f.minor); header_features_add(FEATURES_G2_CONNECTIONS, f.name, f.major, f.minor); header_features_add(FEATURES_DOWNLOADS, f.name, f.major, f.minor); header_features_add(FEATURES_UPLOADS, f.name, f.major, f.minor); }
static void client(int fd) { int ret; gnutls_certificate_credentials_t xcred; gnutls_session_t session; global_init(); if (debug) { gnutls_global_set_log_function(client_log_func); gnutls_global_set_log_level(4711); } gnutls_certificate_allocate_credentials(&xcred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); gnutls_handshake_set_timeout(session, 20 * 1000); /* Use default priorities */ gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA:%COMPAT", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_transport_set_int(session, fd); gnutls_transport_set_push_function(session, odd_push); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret >= 0) { fail("client: Handshake succeeded!\n"); exit(1); } close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(xcred); gnutls_global_deinit(); }
int main (void) { /* credentials */ gnutls_anon_client_credentials_t c_anoncred; gnutls_certificate_credentials_t c_certcred; gnutls_session_t client; int sd; /* General init. */ gnutls_global_init (); ecore_init(); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (6); /* Init client */ gnutls_anon_allocate_client_credentials (&c_anoncred); gnutls_certificate_allocate_credentials (&c_certcred); gnutls_init (&client, GNUTLS_CLIENT); /* set very specific priorities */ gnutls_priority_set_direct(client, "NONE:%VERIFY_ALLOW_X509_V1_CA_CRT:+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+COMP-DEFLATE:+COMP-NULL:+CTYPE-X509:+SHA1:+SHA256:+SHA384:+SHA512:+AES-256-CBC:+AES-128-CBC:+3DES-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0", NULL); gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, c_certcred); gnutls_server_name_set(client, GNUTLS_NAME_DNS, "www.verisign.com", strlen("www.verisign.com")); /* connect to the peer */ sd = tcp_connect (); /* associate gnutls with socket */ gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t) sd); /* add a callback for data being available for send/receive on socket */ if (!ecore_main_fd_handler_add(sd, ECORE_FD_READ | ECORE_FD_WRITE, (Ecore_Fd_Cb)_process_data, client, NULL, NULL)) { print("could not create fd handler!"); exit(1); } /* begin main loop */ ecore_main_loop_begin(); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_deinit (client); tcp_close (sd); return 0; }
gboolean xfce_mailwatch_net_conn_make_secure(XfceMailwatchNetConn *net_conn, GError **error) { g_return_val_if_fail(net_conn && (!error || !*error), FALSE); g_return_val_if_fail(net_conn->fd != -1, FALSE); g_return_val_if_fail(!net_conn->is_secure, TRUE); #ifdef HAVE_SSL_SUPPORT /* init the x509 cert */ gnutls_certificate_allocate_credentials(&net_conn->gt_creds); gnutls_certificate_set_x509_trust_file(net_conn->gt_creds, GNUTLS_CA_FILE, GNUTLS_X509_FMT_PEM); /* init the session and set it up */ gnutls_init(&net_conn->gt_session, GNUTLS_CLIENT); gnutls_priority_set_direct (net_conn->gt_session, "NORMAL", NULL); gnutls_credentials_set(net_conn->gt_session, GNUTLS_CRD_CERTIFICATE, net_conn->gt_creds); gnutls_transport_set_ptr(net_conn->gt_session, (gnutls_transport_ptr_t)net_conn->fd); #if GNUTLS_VERSION_NUMBER < 0x020c00 if(fcntl(net_conn->fd, F_GETFL) & O_NONBLOCK) gnutls_transport_set_lowat(net_conn->gt_session, 0); #endif if(!xfce_mailwatch_net_conn_tls_handshake(net_conn, error)) { #if 0 gnutls_bye(net_conn->gt_session, GNUTLS_SHUT_RDWR); #endif gnutls_deinit(net_conn->gt_session); gnutls_certificate_free_credentials(net_conn->gt_creds); return FALSE; } net_conn->is_secure = TRUE; return TRUE; #else if(error) { g_set_error(error, XFCE_MAILWATCH_ERROR, 0, _("Not compiled with SSL/TLS support")); } g_critical("XfceMailwatch: TLS handshake failed: not compiled with SSL support."); return FALSE; #endif }
SSL * SSL_new (SSL_CTX * ctx) { SSL *ssl; int err; ssl = (SSL *) calloc (1, sizeof (SSL)); if (!ssl) return NULL; err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred); if (err < 0) { last_error = err; free (ssl); return NULL; } gnutls_init (&ssl->gnutls_state, ctx->method->connend); gnutls_protocol_set_priority (ssl->gnutls_state, ctx->method->protocol_priority); gnutls_cipher_set_priority (ssl->gnutls_state, ctx->method->cipher_priority); gnutls_compression_set_priority (ssl->gnutls_state, ctx->method->comp_priority); gnutls_kx_set_priority (ssl->gnutls_state, ctx->method->kx_priority); gnutls_mac_set_priority (ssl->gnutls_state, ctx->method->mac_priority); gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, ssl->gnutls_cred); if (ctx->certfile) gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred, ctx->certfile, ctx->certfile_type); if (ctx->keyfile) gnutls_certificate_set_x509_key_file (ssl->gnutls_cred, ctx->certfile, ctx->keyfile, ctx->keyfile_type); ssl->ctx = ctx; ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback; ssl->options = ctx->options; ssl->rfd = (gnutls_transport_ptr_t) - 1; ssl->wfd = (gnutls_transport_ptr_t) - 1; return ssl; }
void doit(void) { gnutls_certificate_credentials_t x509_cred; gnutls_certificate_allocate_credentials(&x509_cred); /* The file does not need to exist for this test */ gnutls_certificate_set_ocsp_status_request_file (x509_cred, "ocsp-status.der", 0); gnutls_certificate_set_ocsp_status_request_file (x509_cred, "ocsp-status.der", 0); gnutls_certificate_free_credentials(x509_cred); }
static void client(int fd) { int ret; gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; gnutls_certificate_allocate_credentials(&x509_cred); /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL)>=0); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_transport_set_int(session, fd); /* Perform the TLS handshake */ do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); if (ret < 0) { fail("client: Handshake failed\n"); gnutls_perror(ret); exit(1); } else { if (debug) success("client: Handshake was completed\n"); } if (debug) success("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version(session))); gnutls_bye(session, GNUTLS_SHUT_WR); close(fd); gnutls_deinit(session); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); }
gtlsClientData::gtlsClientData(std::string const& _caFile, std::string const& _certFile, std::string const& _keyFile) { int ret = 0; gnutls_global_set_log_level(loglevel); gnutls_global_set_log_function(gtlsGeneric::logCallback); gnutls_certificate_allocate_credentials(&cred_); // GNUTLS_NOTICE("Allocted credentials"); // Add the certificate authority used. // GNUTLS_NOTICE("Setting CA, file='" << _caFile << "'"); ret = gnutls_certificate_set_x509_trust_file(cred_, _caFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_trust_file", ret); // GNUTLS_NOTICE("Processed " << ret << " certificates."); // Set the cert and private key. // Set the certificate and priate key pair. // GNUTLS_NOTICE("Setting certificate, file='" << _certFile << "'"); // GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'"); ret = gnutls_certificate_set_x509_key_file(cred_, _certFile.c_str(), _keyFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_key_file", ret); // GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s)."); ret = gnutls_init(&session_, GNUTLS_CLIENT); // printerror("gnutls_init", ret); ret = gnutls_set_default_priority(session_); // printerror("gnutls_set_default_priority", ret); gnutls_dh_set_prime_bits(session_, gtlsGeneric::GNUTLSIF_DH_BITS); const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 }; ret = gnutls_certificate_type_set_priority(session_, cert_type_priority); // printerror("gnutls_certificate_type_set_priority", ret); ret = gnutls_credentials_set(session_, GNUTLS_CRD_CERTIFICATE, cred_); // printerror("gnutls_credentials_set", ret); }
void relay_network_init () { #ifdef HAVE_GNUTLS /* credentials */ gnutls_certificate_allocate_credentials (&relay_gnutls_x509_cred); relay_network_set_ssl_cert_key (0); /* priority */ relay_gnutls_priority_cache = malloc (sizeof (*relay_gnutls_priority_cache)); if (relay_gnutls_priority_cache) relay_network_set_priority (); #endif relay_network_init_ok = 1; }
void initialize_tls_global(void) { gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CACERT, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CACRL, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file (x509_cred, SERVERCERT, SERVERKEY, GNUTLS_X509_FMT_PEM); gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); gnutls_certificate_set_dh_params (x509_cred, dh_params); }
SSL * SSL_new (SSL_CTX * ctx) { SSL *ssl; int err; ssl = (SSL *) calloc (1, sizeof (SSL)); if (!ssl) return NULL; err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred); if (err < 0) { last_error = err; free (ssl); return NULL; } gnutls_init (&ssl->gnutls_state, ctx->method->connend); gnutls_priority_set_direct (ssl->gnutls_state, ctx->method->priority_string, NULL); gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, ssl->gnutls_cred); if (ctx->certfile) gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred, ctx->certfile, ctx->certfile_type); if (ctx->keyfile) gnutls_certificate_set_x509_key_file (ssl->gnutls_cred, ctx->certfile, ctx->keyfile, ctx->keyfile_type); ssl->ctx = ctx; ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback; ssl->options = ctx->options; ssl->rfd = (gnutls_transport_ptr_t) - 1; ssl->wfd = (gnutls_transport_ptr_t) - 1; ssl->ssl_peek_buffer = NULL; ssl->ssl_peek_buffer_size = ssl->ssl_peek_avail = 0; return ssl; }