/* Prints the trusted server's CAs. This is only * if the server sends a certificate request packet. */ test_code_t test_server_cas (gnutls_session session) { int ret; if (verbose == 0) return TEST_IGNORE; ADD_ALL_CIPHERS (session); ADD_ALL_COMP (session); ADD_ALL_CERTTYPES (session); ADD_ALL_PROTOCOLS (session); ADD_ALL_MACS (session); ADD_ALL_KX (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); ret = do_handshake (session); gnutls_certificate_client_set_retrieve_function (xcred, NULL); if (ret == TEST_FAILED) return ret; return TEST_SUCCEED; }
/** * Enables SSL for the given connection. * * @param connection The connection to enable SSL for. * * @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection * is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when * SSL initialization, setup, or handshake fails. */ idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection) { if (!connection || connection->ssl_data) return IDEVICE_E_INVALID_ARG; idevice_error_t ret = IDEVICE_E_SSL_ERROR; uint32_t return_me = 0; ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); /* Set up GnuTLS... */ debug_info("enabling SSL mode"); errno = 0; gnutls_global_init(); gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate); gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback); gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT); gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL); gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate); gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc); gnutls_x509_crt_init(&ssl_data_loc->root_cert); gnutls_x509_crt_init(&ssl_data_loc->host_cert); gnutls_x509_privkey_init(&ssl_data_loc->root_privkey); gnutls_x509_privkey_init(&ssl_data_loc->host_privkey); userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert); if (uerr != USERPREF_E_SUCCESS) { debug_info("Error %d when loading keys and certificates! %d", uerr); } debug_info("GnuTLS step 1..."); gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection); debug_info("GnuTLS step 2..."); gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write); debug_info("GnuTLS step 3..."); gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read); debug_info("GnuTLS step 4 -- now handshaking..."); if (errno) debug_info("WARN: errno says %s before handshake!", strerror(errno)); return_me = gnutls_handshake(ssl_data_loc->session); debug_info("GnuTLS handshake done..."); if (return_me != GNUTLS_E_SUCCESS) { internal_ssl_cleanup(ssl_data_loc); free(ssl_data_loc); debug_info("GnuTLS reported something wrong."); gnutls_perror(return_me); debug_info("oh.. errno says %s", strerror(errno)); } else { connection->ssl_data = ssl_data_loc; ret = IDEVICE_E_SUCCESS; debug_info("SSL mode enabled"); } return ret; }
ne_ssl_context *ne_ssl_context_create(int flags) { ne_ssl_context *ctx = ne_calloc(sizeof *ctx); gnutls_certificate_allocate_credentials(&ctx->cred); if (flags == NE_SSL_CTX_CLIENT) { gnutls_certificate_client_set_retrieve_function(ctx->cred, provide_client_cert); } return ctx; }
ne_ssl_context *ne_ssl_context_create(int flags) { ne_ssl_context *ctx = ne_calloc(sizeof *ctx); gnutls_certificate_allocate_credentials(&ctx->cred); if (flags == NE_SSL_CTX_CLIENT) { gnutls_certificate_client_set_retrieve_function(ctx->cred, provide_client_cert); } gnutls_certificate_set_verify_flags(ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); return ctx; }
/* initializes a gnutls_session with some defaults. */ static gnutls_session init_tls_session (const char *hostname) { gnutls_session session; gnutls_init (&session, GNUTLS_CLIENT); /* allow the use of private ciphersuites. */ if (disable_extensions == 0) { gnutls_handshake_set_private_extensions (session, 1); gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, strlen (hostname)); gnutls_certificate_type_set_priority (session, cert_type_priority); } gnutls_cipher_set_priority (session, cipher_priority); gnutls_compression_set_priority (session, comp_priority); gnutls_kx_set_priority (session, kx_priority); gnutls_protocol_set_priority (session, protocol_priority); gnutls_mac_set_priority (session, mac_priority); gnutls_dh_set_prime_bits (session, 512); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); /* send the fingerprint */ if (fingerprint != 0) gnutls_openpgp_send_key (session, GNUTLS_OPENPGP_KEY_FINGERPRINT); /* use the max record size extension */ if (record_max_size > 0 && disable_extensions == 0) { if (gnutls_record_set_max_size (session, record_max_size) < 0) { fprintf (stderr, "Cannot set the maximum record size to %d.\n", record_max_size); fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n"); exit (1); } } return session; }
X509Credentials(const std::string& certstr, const std::string& keystr) : key(keystr) , certs(certstr) { // Throwing is ok here, the destructor of Credentials is called in that case int ret = gnutls_certificate_set_x509_key(cred, certs.raw(), certs.size(), key.get()); ThrowOnError(ret, "Unable to set cert/key pair"); #ifdef GNUTLS_NEW_CERT_CALLBACK_API gnutls_certificate_set_retrieve_function(cred, cert_callback); #else gnutls_certificate_client_set_retrieve_function(cred, cert_callback); #endif }
int rb_init_ssl(void) { gnutls_global_init(); if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS) { rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials"); return 0; } #if GNUTLS_VERSION_MAJOR < 3 gnutls_certificate_client_set_retrieve_function(x509, cert_callback); #else gnutls_certificate_set_retrieve_function(x509, cert_callback); #endif #if (GNUTLS_VERSION_MAJOR < 3) rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300); #endif return 1; }
void network_init () { #ifdef HAVE_GNUTLS if (!weechat_no_gnutls) { gnutls_global_init (); gnutls_certificate_allocate_credentials (&gnutls_xcred); network_set_gnutls_ca_file (); #if LIBGNUTLS_VERSION_NUMBER >= 0x02090a /* for gnutls >= 2.9.10 */ gnutls_certificate_set_verify_function (gnutls_xcred, &hook_connect_gnutls_verify_certificates); #endif #if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* for gnutls >= 2.11.0 */ gnutls_certificate_set_retrieve_function (gnutls_xcred, &hook_connect_gnutls_set_certificates); #else /* for gnutls < 2.11.0 */ gnutls_certificate_client_set_retrieve_function (gnutls_xcred, &hook_connect_gnutls_set_certificates); #endif } #endif /* HAVE_GNUTLS */ if (!weechat_no_gcrypt) { gcry_check_version (GCRYPT_VERSION); gcry_control (GCRYCTL_DISABLE_SECMEM, 0); gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); } network_init_ok = 1; }
void client (void) { int ret, sd, ii; gnutls_session_t session; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); gnutls_certificate_allocate_credentials (&xcred); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_mem (xcred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_set_default_priority (session); /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fail ("client: Handshake failed\n"); gnutls_perror (ret); goto end; } else { success ("client: Handshake was completed\n"); } success ("client: TLS version is: %s\n", gnutls_protocol_get_name (gnutls_protocol_get_version (session))); /* see the Getting peer's information example */ print_info (session); gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { success ("client: Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fail ("client: Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_global_deinit (); }
static struct mailstream_ssl_data * ssl_data_new(int fd, time_t timeout, void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data) { struct mailstream_ssl_data * ssl_data; gnutls_session session; struct mailstream_cancel * cancel; gnutls_certificate_credentials_t xcred; int r; struct mailstream_ssl_context * ssl_context = NULL; mailstream_ssl_init(); if (gnutls_certificate_allocate_credentials (&xcred) != 0) return NULL; r = gnutls_init(&session, GNUTLS_CLIENT); if (session == NULL || r != 0) return NULL; if (callback != NULL) { ssl_context = mailstream_ssl_context_new(session, fd); callback(ssl_context, cb_data); } gnutls_session_set_ptr(session, ssl_context); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function(xcred, mailstream_gnutls_client_cert_cb); gnutls_set_default_priority(session); gnutls_priority_set_direct(session, "NORMAL", NULL); gnutls_record_disable_padding(session); gnutls_dh_set_prime_bits(session, 512); gnutls_transport_set_ptr(session, (gnutls_transport_ptr) fd); /* lower limits on server key length restriction */ gnutls_dh_set_prime_bits(session, 512); if (timeout == 0) { timeout_value = mailstream_network_delay.tv_sec * 1000 + timeout.tv_usec / 1000; } else { timeout_value = timeout; } gnutls_handshake_set_timeout(session, timeout_value); do { r = gnutls_handshake(session); } while (r == GNUTLS_E_AGAIN || r == GNUTLS_E_INTERRUPTED); if (r < 0) { gnutls_perror(r); goto free_ssl_conn; } cancel = mailstream_cancel_new(); if (cancel == NULL) goto free_ssl_conn; r = mailstream_prepare_fd(fd); if (r < 0) goto free_cancel; ssl_data = malloc(sizeof(* ssl_data)); if (ssl_data == NULL) goto err; ssl_data->fd = fd; ssl_data->session = session; ssl_data->xcred = xcred; ssl_data->cancel = cancel; mailstream_ssl_context_free(ssl_context); return ssl_data; free_cancel: mailstream_cancel_free(cancel); free_ssl_conn: gnutls_certificate_free_credentials(xcred); mailstream_ssl_context_free(ssl_context); gnutls_deinit(session); err: return NULL; }
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection) { if (!connection || connection->ssl_data) return IDEVICE_E_INVALID_ARG; idevice_error_t ret = IDEVICE_E_SSL_ERROR; uint32_t return_me = 0; plist_t pair_record = NULL; userpref_read_pair_record(connection->udid, &pair_record); if (!pair_record) { debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->udid); return ret; } #ifdef HAVE_OPENSSL key_data_t root_cert = { NULL, 0 }; key_data_t root_privkey = { NULL, 0 }; pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert); pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_privkey); if (pair_record) plist_free(pair_record); /* Set up OpenSSL */ if (openssl_init_done == 0) { SSL_library_init(); openssl_init_done = 1; } BIO *ssl_bio = BIO_new(BIO_s_socket()); if (!ssl_bio) { debug_info("ERROR: Could not create SSL bio."); return ret; } BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE); //SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_method()); SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_client_method()); if (ssl_ctx == NULL) { debug_info("ERROR: Could not create SSL context."); BIO_free(ssl_bio); return ret; } BIO* membp; X509* rootCert = NULL; membp = BIO_new_mem_buf(root_cert.data, root_cert.size); PEM_read_bio_X509(membp, &rootCert, NULL, NULL); BIO_free(membp); if (SSL_CTX_use_certificate(ssl_ctx, rootCert) != 1) { debug_info("WARNING: Could not load RootCertificate"); } X509_free(rootCert); free(root_cert.data); RSA* rootPrivKey = NULL; membp = BIO_new_mem_buf(root_privkey.data, root_privkey.size); PEM_read_bio_RSAPrivateKey(membp, &rootPrivKey, NULL, NULL); BIO_free(membp); if (SSL_CTX_use_RSAPrivateKey(ssl_ctx, rootPrivKey) != 1) { debug_info("WARNING: Could not load RootPrivateKey"); } RSA_free(rootPrivKey); free(root_privkey.data); SSL *ssl = SSL_new(ssl_ctx); if (!ssl) { debug_info("ERROR: Could not create SSL object"); BIO_free(ssl_bio); SSL_CTX_free(ssl_ctx); return ret; } SSL_set_connect_state(ssl); SSL_set_verify(ssl, 0, ssl_verify_callback); SSL_set_bio(ssl, ssl_bio, ssl_bio); return_me = SSL_do_handshake(ssl); if (return_me != 1) { debug_info("ERROR in SSL_do_handshake: %s", ssl_error_to_string(SSL_get_error(ssl, return_me))); SSL_free(ssl); SSL_CTX_free(ssl_ctx); } else { ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); ssl_data_loc->session = ssl; ssl_data_loc->ctx = ssl_ctx; connection->ssl_data = ssl_data_loc; ret = IDEVICE_E_SUCCESS; debug_info("SSL mode enabled, cipher: %s", SSL_get_cipher(ssl)); } /* required for proper multi-thread clean up to prevent leaks */ #ifdef HAVE_ERR_REMOVE_THREAD_STATE ERR_remove_thread_state(NULL); #else ERR_remove_state(0); #endif #else ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); /* Set up GnuTLS... */ debug_info("enabling SSL mode"); errno = 0; gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate); gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate, internal_cert_callback); gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT); gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL); gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate); gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc); gnutls_x509_crt_init(&ssl_data_loc->root_cert); gnutls_x509_crt_init(&ssl_data_loc->host_cert); gnutls_x509_privkey_init(&ssl_data_loc->root_privkey); gnutls_x509_privkey_init(&ssl_data_loc->host_privkey); pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, ssl_data_loc->root_cert); pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, ssl_data_loc->host_cert); pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, ssl_data_loc->root_privkey); pair_record_import_key_with_name(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, ssl_data_loc->host_privkey); if (pair_record) plist_free(pair_record); debug_info("GnuTLS step 1..."); gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection); debug_info("GnuTLS step 2..."); gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write); debug_info("GnuTLS step 3..."); gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read); debug_info("GnuTLS step 4 -- now handshaking..."); if (errno) { debug_info("WARNING: errno says %s before handshake!", strerror(errno)); } return_me = gnutls_handshake(ssl_data_loc->session); debug_info("GnuTLS handshake done..."); if (return_me != GNUTLS_E_SUCCESS) { internal_ssl_cleanup(ssl_data_loc); free(ssl_data_loc); debug_info("GnuTLS reported something wrong."); gnutls_perror(return_me); debug_info("oh.. errno says %s", strerror(errno)); } else { connection->ssl_data = ssl_data_loc; ret = IDEVICE_E_SUCCESS; debug_info("SSL mode enabled"); } #endif return ret; }
/* initializes a gnutls_session_t with some defaults. */ static gnutls_session_t init_tls_session (const char *hostname) { const char *err; gnutls_session_t session; gnutls_init (&session, GNUTLS_CLIENT); if (gnutls_priority_set_direct (session, info.priorities, &err) < 0) { fprintf (stderr, "Syntax error at: %s\n", err); exit (1); } /* allow the use of private ciphersuites. */ if (disable_extensions == 0) { gnutls_handshake_set_private_extensions (session, 1); gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, strlen (hostname)); if (cert_type_priority[0]) gnutls_certificate_type_set_priority (session, cert_type_priority); } if (cipher_priority[0]) gnutls_cipher_set_priority (session, cipher_priority); if (comp_priority[0]) gnutls_compression_set_priority (session, comp_priority); if (kx_priority[0]) gnutls_kx_set_priority (session, kx_priority); if (protocol_priority[0]) gnutls_protocol_set_priority (session, protocol_priority); if (mac_priority[0]) gnutls_mac_set_priority (session, mac_priority); gnutls_dh_set_prime_bits (session, 512); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); if (srp_cred) gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); if (psk_cred) gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); gnutls_certificate_set_verify_function (xcred, cert_verify_callback); gnutls_certificate_set_verify_flags (xcred, 0); /* send the fingerprint */ #ifdef ENABLE_OPENPGP if (fingerprint != 0) gnutls_openpgp_send_cert (session, GNUTLS_OPENPGP_CERT_FINGERPRINT); #endif /* use the max record size extension */ if (record_max_size > 0 && disable_extensions == 0) { if (gnutls_record_set_max_size (session, record_max_size) < 0) { fprintf (stderr, "Cannot set the maximum record size to %d.\n", record_max_size); fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n"); exit (1); } } #ifdef ENABLE_OPRFI if (info.opaque_prf_input) gnutls_oprfi_enable_client (session, strlen (info.opaque_prf_input), info.opaque_prf_input); #endif #ifdef ENABLE_SESSION_TICKET if (!info.noticket) gnutls_session_ticket_enable_client (session); #endif return session; }
int main (void) { int ret, sd, ii; gnutls_session_t session; gnutls_priority_t priorities_cache; char buffer[MAX_BUF + 1]; gnutls_certificate_credentials_t xcred; /* Allow connections to servers that have OpenPGP keys as well. */ gnutls_global_init (); load_keys (); /* X509 stuff */ gnutls_certificate_allocate_credentials (&xcred); /* priorities */ gnutls_priority_init( &priorities_cache, "NORMAL", NULL); /* sets the trusted cas file */ gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); /* Initialize TLS session */ gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ gnutls_priority_set (session, priorities_cache); /* put the x509 credentials to the current session */ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); /* connect to the peer */ sd = tcp_connect (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd); /* Perform the TLS handshake */ ret = gnutls_handshake (session); if (ret < 0) { fprintf (stderr, "*** Handshake failed\n"); gnutls_perror (ret); goto end; } else { printf ("- Handshake was completed\n"); } gnutls_record_send (session, MSG, strlen (MSG)); ret = gnutls_record_recv (session, buffer, MAX_BUF); if (ret == 0) { printf ("- Peer has closed the TLS connection\n"); goto end; } else if (ret < 0) { fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret)); goto end; } printf ("- Received %d bytes: ", ret); for (ii = 0; ii < ret; ii++) { fputc (buffer[ii], stdout); } fputs ("\n", stdout); gnutls_bye (session, GNUTLS_SHUT_RDWR); end: tcp_close (sd); gnutls_deinit (session); gnutls_certificate_free_credentials (xcred); gnutls_priority_deinit( priorities_cache); gnutls_global_deinit (); return 0; }
static struct mailstream_ssl_data * ssl_data_new(int fd, void (* callback)(struct mailstream_ssl_context * ssl_context, void * cb_data), void * cb_data) { struct mailstream_ssl_data * ssl_data; gnutls_session session; struct mailstream_cancel * cancel; const int cipher_prio[] = { GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 }; const int kx_prio[] = { GNUTLS_KX_DHE_RSA, GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, 0 }; const int mac_prio[] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; const int proto_prio[] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; gnutls_certificate_credentials_t xcred; int r; struct mailstream_ssl_context * ssl_context = NULL; mailstream_ssl_init(); if (gnutls_certificate_allocate_credentials (&xcred) != 0) return NULL; r = gnutls_init(&session, GNUTLS_CLIENT); if (session == NULL || r != 0) return NULL; if (callback != NULL) { ssl_context = mailstream_ssl_context_new(session, fd); callback(ssl_context, cb_data); } gnutls_session_set_ptr(session, ssl_context); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function(xcred, mailstream_gnutls_client_cert_cb); gnutls_set_default_priority(session); gnutls_protocol_set_priority (session, proto_prio); gnutls_cipher_set_priority (session, cipher_prio); gnutls_kx_set_priority (session, kx_prio); gnutls_mac_set_priority (session, mac_prio); gnutls_record_disable_padding(session); gnutls_dh_set_prime_bits(session, 512); gnutls_transport_set_ptr(session, (gnutls_transport_ptr) fd); /* lower limits on server key length restriction */ gnutls_dh_set_prime_bits(session, 512); do { r = gnutls_handshake(session); } while (r == GNUTLS_E_AGAIN || r == GNUTLS_E_INTERRUPTED); if (r < 0) { gnutls_perror(r); goto free_ssl_conn; } cancel = mailstream_cancel_new(); if (cancel == NULL) goto free_ssl_conn; r = mailstream_prepare_fd(fd); if (r < 0) goto free_cancel; ssl_data = malloc(sizeof(* ssl_data)); if (ssl_data == NULL) goto err; ssl_data->fd = fd; ssl_data->session = session; ssl_data->xcred = xcred; ssl_data->cancel = cancel; mailstream_ssl_context_free(ssl_context); return ssl_data; free_cancel: mailstream_cancel_free(cancel); free_ssl_conn: gnutls_certificate_free_credentials(xcred); mailstream_ssl_context_free(ssl_context); gnutls_deinit(session); err: return NULL; }