/* Prints the trusted server's CAs. This is only
* if the server sends a certificate request packet.
*/
test_code_t
test_server_cas (gnutls_session session)
{
int ret;
if (verbose == 0)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
ret = do_handshake (session);
gnutls_certificate_client_set_retrieve_function (xcred, NULL);
if (ret == TEST_FAILED)
return ret;
return TEST_SUCCEED;
}
/**
* Enables SSL for the given connection.
*
* @param connection The connection to enable SSL for.
*
* @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection
* is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when
* SSL initialization, setup, or handshake fails.
*/
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_global_init();
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback);
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert);
if (uerr != USERPREF_E_SUCCESS) {
debug_info("Error %d when loading keys and certificates! %d", uerr);
}
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno)
debug_info("WARN: errno says %s before handshake!", strerror(errno));
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
return ret;
}
ne_ssl_context *ne_ssl_context_create(int flags)
{
ne_ssl_context *ctx = ne_calloc(sizeof *ctx);
gnutls_certificate_allocate_credentials(&ctx->cred);
if (flags == NE_SSL_CTX_CLIENT) {
gnutls_certificate_client_set_retrieve_function(ctx->cred,
provide_client_cert);
}
return ctx;
}
ne_ssl_context *ne_ssl_context_create(int flags)
{
ne_ssl_context *ctx = ne_calloc(sizeof *ctx);
gnutls_certificate_allocate_credentials(&ctx->cred);
if (flags == NE_SSL_CTX_CLIENT) {
gnutls_certificate_client_set_retrieve_function(ctx->cred,
provide_client_cert);
}
gnutls_certificate_set_verify_flags(ctx->cred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
return ctx;
}
/* initializes a gnutls_session with some defaults.
*/
static gnutls_session
init_tls_session (const char *hostname)
{
gnutls_session session;
gnutls_init (&session, GNUTLS_CLIENT);
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
gnutls_handshake_set_private_extensions (session, 1);
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
gnutls_certificate_type_set_priority (session, cert_type_priority);
}
gnutls_cipher_set_priority (session, cipher_priority);
gnutls_compression_set_priority (session, comp_priority);
gnutls_kx_set_priority (session, kx_priority);
gnutls_protocol_set_priority (session, protocol_priority);
gnutls_mac_set_priority (session, mac_priority);
gnutls_dh_set_prime_bits (session, 512);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
/* send the fingerprint */
if (fingerprint != 0)
gnutls_openpgp_send_key (session, GNUTLS_OPENPGP_KEY_FINGERPRINT);
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
return session;
}
X509Credentials(const std::string& certstr, const std::string& keystr)
: key(keystr)
, certs(certstr)
{
// Throwing is ok here, the destructor of Credentials is called in that case
int ret = gnutls_certificate_set_x509_key(cred, certs.raw(), certs.size(), key.get());
ThrowOnError(ret, "Unable to set cert/key pair");
#ifdef GNUTLS_NEW_CERT_CALLBACK_API
gnutls_certificate_set_retrieve_function(cred, cert_callback);
#else
gnutls_certificate_client_set_retrieve_function(cred, cert_callback);
#endif
}
int
rb_init_ssl(void)
{
gnutls_global_init();
if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
{
rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
return 0;
}
#if GNUTLS_VERSION_MAJOR < 3
gnutls_certificate_client_set_retrieve_function(x509, cert_callback);
#else
gnutls_certificate_set_retrieve_function(x509, cert_callback);
#endif
#if (GNUTLS_VERSION_MAJOR < 3)
rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
#endif
return 1;
}
void
network_init ()
{
#ifdef HAVE_GNUTLS
if (!weechat_no_gnutls)
{
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&gnutls_xcred);
network_set_gnutls_ca_file ();
#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a
/* for gnutls >= 2.9.10 */
gnutls_certificate_set_verify_function (gnutls_xcred,
&hook_connect_gnutls_verify_certificates);
#endif
#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00
/* for gnutls >= 2.11.0 */
gnutls_certificate_set_retrieve_function (gnutls_xcred,
&hook_connect_gnutls_set_certificates);
#else
/* for gnutls < 2.11.0 */
gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
&hook_connect_gnutls_set_certificates);
#endif
}
#endif /* HAVE_GNUTLS */
if (!weechat_no_gcrypt)
{
gcry_check_version (GCRYPT_VERSION);
gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
}
network_init_ok = 1;
}
void
client (void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
gnutls_certificate_allocate_credentials (&xcred);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_set_default_priority (session);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fail ("client: Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
success ("client: Handshake was completed\n");
}
success ("client: TLS version is: %s\n",
gnutls_protocol_get_name (gnutls_protocol_get_version (session)));
/* see the Getting peer's information example */
print_info (session);
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
success ("client: Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fail ("client: Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_global_deinit ();
}
static struct mailstream_ssl_data * ssl_data_new(int fd, time_t timeout,
void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data)
{
struct mailstream_ssl_data * ssl_data;
gnutls_session session;
struct mailstream_cancel * cancel;
gnutls_certificate_credentials_t xcred;
int r;
struct mailstream_ssl_context * ssl_context = NULL;
mailstream_ssl_init();
if (gnutls_certificate_allocate_credentials (&xcred) != 0)
return NULL;
r = gnutls_init(&session, GNUTLS_CLIENT);
if (session == NULL || r != 0)
return NULL;
if (callback != NULL) {
ssl_context = mailstream_ssl_context_new(session, fd);
callback(ssl_context, cb_data);
}
gnutls_session_set_ptr(session, ssl_context);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function(xcred, mailstream_gnutls_client_cert_cb);
gnutls_set_default_priority(session);
gnutls_priority_set_direct(session, "NORMAL", NULL);
gnutls_record_disable_padding(session);
gnutls_dh_set_prime_bits(session, 512);
gnutls_transport_set_ptr(session, (gnutls_transport_ptr) fd);
/* lower limits on server key length restriction */
gnutls_dh_set_prime_bits(session, 512);
if (timeout == 0) {
timeout_value = mailstream_network_delay.tv_sec * 1000 + timeout.tv_usec / 1000;
}
else {
timeout_value = timeout;
}
gnutls_handshake_set_timeout(session, timeout_value);
do {
r = gnutls_handshake(session);
} while (r == GNUTLS_E_AGAIN || r == GNUTLS_E_INTERRUPTED);
if (r < 0) {
gnutls_perror(r);
goto free_ssl_conn;
}
cancel = mailstream_cancel_new();
if (cancel == NULL)
goto free_ssl_conn;
r = mailstream_prepare_fd(fd);
if (r < 0)
goto free_cancel;
ssl_data = malloc(sizeof(* ssl_data));
if (ssl_data == NULL)
goto err;
ssl_data->fd = fd;
ssl_data->session = session;
ssl_data->xcred = xcred;
ssl_data->cancel = cancel;
mailstream_ssl_context_free(ssl_context);
return ssl_data;
free_cancel:
mailstream_cancel_free(cancel);
free_ssl_conn:
gnutls_certificate_free_credentials(xcred);
mailstream_ssl_context_free(ssl_context);
gnutls_deinit(session);
err:
return NULL;
}
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
plist_t pair_record = NULL;
userpref_read_pair_record(connection->udid, &pair_record);
if (!pair_record) {
debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->udid);
return ret;
}
#ifdef HAVE_OPENSSL
key_data_t root_cert = { NULL, 0 };
key_data_t root_privkey = { NULL, 0 };
pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert);
pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_privkey);
if (pair_record)
plist_free(pair_record);
/* Set up OpenSSL */
if (openssl_init_done == 0) {
SSL_library_init();
openssl_init_done = 1;
}
BIO *ssl_bio = BIO_new(BIO_s_socket());
if (!ssl_bio) {
debug_info("ERROR: Could not create SSL bio.");
return ret;
}
BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE);
//SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_method());
SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_client_method());
if (ssl_ctx == NULL) {
debug_info("ERROR: Could not create SSL context.");
BIO_free(ssl_bio);
return ret;
}
BIO* membp;
X509* rootCert = NULL;
membp = BIO_new_mem_buf(root_cert.data, root_cert.size);
PEM_read_bio_X509(membp, &rootCert, NULL, NULL);
BIO_free(membp);
if (SSL_CTX_use_certificate(ssl_ctx, rootCert) != 1) {
debug_info("WARNING: Could not load RootCertificate");
}
X509_free(rootCert);
free(root_cert.data);
RSA* rootPrivKey = NULL;
membp = BIO_new_mem_buf(root_privkey.data, root_privkey.size);
PEM_read_bio_RSAPrivateKey(membp, &rootPrivKey, NULL, NULL);
BIO_free(membp);
if (SSL_CTX_use_RSAPrivateKey(ssl_ctx, rootPrivKey) != 1) {
debug_info("WARNING: Could not load RootPrivateKey");
}
RSA_free(rootPrivKey);
free(root_privkey.data);
SSL *ssl = SSL_new(ssl_ctx);
if (!ssl) {
debug_info("ERROR: Could not create SSL object");
BIO_free(ssl_bio);
SSL_CTX_free(ssl_ctx);
return ret;
}
SSL_set_connect_state(ssl);
SSL_set_verify(ssl, 0, ssl_verify_callback);
SSL_set_bio(ssl, ssl_bio, ssl_bio);
return_me = SSL_do_handshake(ssl);
if (return_me != 1) {
debug_info("ERROR in SSL_do_handshake: %s", ssl_error_to_string(SSL_get_error(ssl, return_me)));
SSL_free(ssl);
SSL_CTX_free(ssl_ctx);
} else {
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
ssl_data_loc->session = ssl;
ssl_data_loc->ctx = ssl_ctx;
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled, cipher: %s", SSL_get_cipher(ssl));
}
/* required for proper multi-thread clean up to prevent leaks */
#ifdef HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
#else
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate, internal_cert_callback);
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, ssl_data_loc->root_cert);
pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, ssl_data_loc->host_cert);
pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, ssl_data_loc->root_privkey);
pair_record_import_key_with_name(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, ssl_data_loc->host_privkey);
if (pair_record)
plist_free(pair_record);
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno) {
debug_info("WARNING: errno says %s before handshake!", strerror(errno));
}
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
#endif
return ret;
}
/* initializes a gnutls_session_t with some defaults.
*/
static gnutls_session_t
init_tls_session (const char *hostname)
{
const char *err;
gnutls_session_t session;
gnutls_init (&session, GNUTLS_CLIENT);
if (gnutls_priority_set_direct (session, info.priorities, &err) < 0)
{
fprintf (stderr, "Syntax error at: %s\n", err);
exit (1);
}
/* allow the use of private ciphersuites.
*/
if (disable_extensions == 0)
{
gnutls_handshake_set_private_extensions (session, 1);
gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
strlen (hostname));
if (cert_type_priority[0])
gnutls_certificate_type_set_priority (session, cert_type_priority);
}
if (cipher_priority[0])
gnutls_cipher_set_priority (session, cipher_priority);
if (comp_priority[0])
gnutls_compression_set_priority (session, comp_priority);
if (kx_priority[0])
gnutls_kx_set_priority (session, kx_priority);
if (protocol_priority[0])
gnutls_protocol_set_priority (session, protocol_priority);
if (mac_priority[0])
gnutls_mac_set_priority (session, mac_priority);
gnutls_dh_set_prime_bits (session, 512);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
if (srp_cred)
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
if (psk_cred)
gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
gnutls_certificate_set_verify_flags (xcred, 0);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
if (fingerprint != 0)
gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
#endif
/* use the max record size extension */
if (record_max_size > 0 && disable_extensions == 0)
{
if (gnutls_record_set_max_size (session, record_max_size) < 0)
{
fprintf (stderr,
"Cannot set the maximum record size to %d.\n",
record_max_size);
fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n");
exit (1);
}
}
#ifdef ENABLE_OPRFI
if (info.opaque_prf_input)
gnutls_oprfi_enable_client (session, strlen (info.opaque_prf_input),
info.opaque_prf_input);
#endif
#ifdef ENABLE_SESSION_TICKET
if (!info.noticket)
gnutls_session_ticket_enable_client (session);
#endif
return session;
}
int
main (void)
{
int ret, sd, ii;
gnutls_session_t session;
gnutls_priority_t priorities_cache;
char buffer[MAX_BUF + 1];
gnutls_certificate_credentials_t xcred;
/* Allow connections to servers that have OpenPGP keys as well.
*/
gnutls_global_init ();
load_keys ();
/* X509 stuff */
gnutls_certificate_allocate_credentials (&xcred);
/* priorities */
gnutls_priority_init( &priorities_cache, "NORMAL", NULL);
/* sets the trusted cas file
*/
gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
/* Initialize TLS session
*/
gnutls_init (&session, GNUTLS_CLIENT);
/* Use default priorities */
gnutls_priority_set (session, priorities_cache);
/* put the x509 credentials to the current session
*/
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
/* connect to the peer
*/
sd = tcp_connect ();
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
/* Perform the TLS handshake
*/
ret = gnutls_handshake (session);
if (ret < 0)
{
fprintf (stderr, "*** Handshake failed\n");
gnutls_perror (ret);
goto end;
}
else
{
printf ("- Handshake was completed\n");
}
gnutls_record_send (session, MSG, strlen (MSG));
ret = gnutls_record_recv (session, buffer, MAX_BUF);
if (ret == 0)
{
printf ("- Peer has closed the TLS connection\n");
goto end;
}
else if (ret < 0)
{
fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
goto end;
}
printf ("- Received %d bytes: ", ret);
for (ii = 0; ii < ret; ii++)
{
fputc (buffer[ii], stdout);
}
fputs ("\n", stdout);
gnutls_bye (session, GNUTLS_SHUT_RDWR);
end:
tcp_close (sd);
gnutls_deinit (session);
gnutls_certificate_free_credentials (xcred);
gnutls_priority_deinit( priorities_cache);
gnutls_global_deinit ();
return 0;
}
static struct mailstream_ssl_data * ssl_data_new(int fd, void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data)
{
struct mailstream_ssl_data * ssl_data;
gnutls_session session;
struct mailstream_cancel * cancel;
const int cipher_prio[] = { GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC,
GNUTLS_CIPHER_AES_256_CBC,
GNUTLS_CIPHER_ARCFOUR_128, 0 };
const int kx_prio[] = { GNUTLS_KX_DHE_RSA,
GNUTLS_KX_RSA,
GNUTLS_KX_DHE_DSS, 0 };
const int mac_prio[] = { GNUTLS_MAC_SHA1,
GNUTLS_MAC_MD5, 0 };
const int proto_prio[] = { GNUTLS_TLS1,
GNUTLS_SSL3, 0 };
gnutls_certificate_credentials_t xcred;
int r;
struct mailstream_ssl_context * ssl_context = NULL;
mailstream_ssl_init();
if (gnutls_certificate_allocate_credentials (&xcred) != 0)
return NULL;
r = gnutls_init(&session, GNUTLS_CLIENT);
if (session == NULL || r != 0)
return NULL;
if (callback != NULL) {
ssl_context = mailstream_ssl_context_new(session, fd);
callback(ssl_context, cb_data);
}
gnutls_session_set_ptr(session, ssl_context);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function(xcred, mailstream_gnutls_client_cert_cb);
gnutls_set_default_priority(session);
gnutls_protocol_set_priority (session, proto_prio);
gnutls_cipher_set_priority (session, cipher_prio);
gnutls_kx_set_priority (session, kx_prio);
gnutls_mac_set_priority (session, mac_prio);
gnutls_record_disable_padding(session);
gnutls_dh_set_prime_bits(session, 512);
gnutls_transport_set_ptr(session, (gnutls_transport_ptr) fd);
/* lower limits on server key length restriction */
gnutls_dh_set_prime_bits(session, 512);
do {
r = gnutls_handshake(session);
} while (r == GNUTLS_E_AGAIN || r == GNUTLS_E_INTERRUPTED);
if (r < 0) {
gnutls_perror(r);
goto free_ssl_conn;
}
cancel = mailstream_cancel_new();
if (cancel == NULL)
goto free_ssl_conn;
r = mailstream_prepare_fd(fd);
if (r < 0)
goto free_cancel;
ssl_data = malloc(sizeof(* ssl_data));
if (ssl_data == NULL)
goto err;
ssl_data->fd = fd;
ssl_data->session = session;
ssl_data->xcred = xcred;
ssl_data->cancel = cancel;
mailstream_ssl_context_free(ssl_context);
return ssl_data;
free_cancel:
mailstream_cancel_free(cancel);
free_ssl_conn:
gnutls_certificate_free_credentials(xcred);
mailstream_ssl_context_free(ssl_context);
gnutls_deinit(session);
err:
return NULL;
}
