unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsigned int len)
{
MYSQL *mysql;
size_t fp_len= len;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size;
if (!cssl || !cssl->ssl)
return 0;
mysql= (MYSQL *)gnutls_session_get_ptr(cssl->ssl);
cert_list = gnutls_certificate_get_peers (cssl->ssl, &cert_list_size);
if (cert_list == NULL)
{
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
ER(CR_SSL_CONNECTION_ERROR),
"Unable to get server certificate");
return 0;
}
if (gnutls_fingerprint(GNUTLS_DIG_SHA1, &cert_list[0], fp, &fp_len) == 0)
return fp_len;
else
{
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
ER(CR_SSL_CONNECTION_ERROR),
"Finger print buffer too small");
return 0;
}
}
static void print_x509_info_compact(gnutls_session_t session)
{
gnutls_x509_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
gnutls_datum_t cinfo;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size == 0) {
fprintf(stderr, "No certificates found!\n");
return;
}
gnutls_x509_crt_init(&crt);
ret =
gnutls_x509_crt_import(crt, &cert_list[0],
GNUTLS_X509_FMT_DER);
if (ret < 0) {
fprintf(stderr, "Decoding error: %s\n",
gnutls_strerror(ret));
return;
}
ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
if (ret == 0) {
printf("- X.509 cert: %s\n", cinfo.data);
gnutls_free(cinfo.data);
}
gnutls_x509_crt_deinit(crt);
}
/* Return the certificate chain sent by the peer, or NULL on error. */
static ne_ssl_certificate *make_peers_chain(gnutls_session sock)
{
ne_ssl_certificate *current = NULL, *top = NULL;
const gnutls_datum *certs;
unsigned int n, count;
certs = gnutls_certificate_get_peers(sock, &count);
if (!certs) {
return NULL;
}
for (n = 0; n < count; n++) {
ne_ssl_certificate *cert;
gnutls_x509_crt x5;
if (gnutls_x509_crt_init(&x5) ||
gnutls_x509_crt_import(x5, &certs[n], GNUTLS_X509_FMT_DER)) {
ne_ssl_cert_free(top);
return NULL;
}
cert = populate_cert(ne_malloc(sizeof *cert), x5);
if (top == NULL) {
current = top = cert;
} else {
current->issuer = cert;
current = cert;
}
}
return top;
}
int /* O - Status of call (0 = success) */
httpCopyCredentials(
http_t *http, /* I - Connection to server */
cups_array_t **credentials) /* O - Array of credentials */
{
unsigned count; /* Number of certificates */
const gnutls_datum_t *certs; /* Certificates */
DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
if (credentials)
*credentials = NULL;
if (!http || !http->tls || !credentials)
return (-1);
*credentials = cupsArrayNew(NULL, NULL);
certs = gnutls_certificate_get_peers(http->tls, &count);
DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
if (certs && count)
{
while (count > 0)
{
httpAddCredential(*credentials, certs->data, certs->size);
certs ++;
count --;
}
}
return (0);
}
static void ssl_vfy_fp(struct sockifo* ifo) {
unsigned int i;
uint8_t result[41];
size_t resultsiz = 20;
if (!ifo->fingerprint) {
esock(ifo, "No fingerprint given");
return;
}
const gnutls_datum_t* cert = gnutls_certificate_get_peers(ifo->ssl, &i);
if (i < 1) {
esock(ifo, "No certificate given to fingerprint");
return;
}
int rv = gnutls_fingerprint(GNUTLS_DIG_SHA1, cert, result + 20, &resultsiz);
if (rv) {
esock(ifo, gnutls_strerror(rv));
return;
}
for(i=0; i < 20; i++) {
uint8_t v = result[20+i];
result[2*i ] = hex[v / 16];
result[2*i+1] = hex[v % 16];
}
result[40] = 0;
char* fp = ifo->fingerprint - 1;
while (fp) {
if (!memcmp(result, fp + 1, 40))
return;
fp = strchr(fp + 1, ',');
}
snprintf(errbuf, sizeof(errbuf), "SSL fingerprint error: got %s expected %s", result, ifo->fingerprint);
esock(ifo, errbuf);
}
static int cert_callback(gnutls_session_t session)
{
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
unsigned i;
gnutls_datum_t t;
struct priv_st *priv;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size == 0) {
fprintf(stderr, "no certificates sent by server!\n");
return -1;
}
priv = gnutls_session_get_ptr(session);
for (i=0;i<cert_list_size;i++) {
ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i], &t);
if (ret < 0) {
fprintf(stderr, "error[%d]: %s\n", __LINE__,
gnutls_strerror(ret));
exit(1);
}
write(priv->fd, t.data, t.size);
gnutls_free(t.data);
}
priv->found = 1;
return -1;
}
/* grabs the username from the session certificate */
static
int get_cert_info(worker_st * ws)
{
const gnutls_datum_t *cert;
unsigned int ncerts;
int ret;
/* this is superflous. Verification has already been performed
* during handshake. */
cert = gnutls_certificate_get_peers(ws->session, &ncerts);
if (cert == NULL) {
return -1;
}
ret = get_cert_names(ws, cert);
if (ret < 0) {
if (ws->config->cert_user_oid == NULL) {
oclog(ws, LOG_ERR, "cannot read username from certificate; no cert-user-oid is set");
} else {
oclog(ws, LOG_ERR, "cannot read username (%s) from certificate",
ws->config->cert_user_oid);
}
return -1;
}
return 0;
}
int CTlsSocket::Handshake(const CTlsSocket* pPrimarySocket /*=0*/, bool try_resume /*=false*/)
{
m_pOwner->LogMessage(Debug_Verbose, _T("CTlsSocket::Handshake()"));
wxASSERT(m_session);
m_tlsState = handshake;
if (pPrimarySocket)
{
// Implicitly trust certificate of primary socket
unsigned int cert_list_size;
const gnutls_datum_t* const cert_list = gnutls_certificate_get_peers(pPrimarySocket->m_session, &cert_list_size);
if (cert_list && cert_list_size)
{
delete [] m_implicitTrustedCert.data;
m_implicitTrustedCert.data = new unsigned char[cert_list[0].size];
memcpy(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size);
m_implicitTrustedCert.size = cert_list[0].size;
}
if (try_resume)
{
if (!CopySessionData(pPrimarySocket))
return FZ_REPLY_ERROR;
}
}
return ContinueHandshake();
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
gnutls_x509_crt_t cert;
gnutls_digest_algorithm_t algo;
unsigned int cert_list_size;
const gnutls_datum_t *cert_list;
uint8_t digest[RB_SSL_CERTFP_LEN * 2];
size_t digest_size;
int len;
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
return 0;
if (gnutls_x509_crt_init(&cert) < 0)
return 0;
cert_list_size = 0;
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
if (cert_list == NULL)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
switch(method)
{
case RB_SSL_CERTFP_METH_SHA1:
algo = GNUTLS_DIG_SHA1;
len = RB_SSL_CERTFP_LEN_SHA1;
break;
case RB_SSL_CERTFP_METH_SHA256:
algo = GNUTLS_DIG_SHA256;
len = RB_SSL_CERTFP_LEN_SHA256;
break;
case RB_SSL_CERTFP_METH_SHA512:
algo = GNUTLS_DIG_SHA512;
len = RB_SSL_CERTFP_LEN_SHA512;
break;
default:
return 0;
}
if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
memcpy(certfp, digest, len);
gnutls_x509_crt_deinit(cert);
return len;
}
static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
const gnutls_datum_t *pcert;
unsigned listsize;
gnutls_x509_crt_t cert;
int r;
assert(session);
assert(client_cert);
pcert = gnutls_certificate_get_peers(session, &listsize);
if (!pcert || !listsize) {
log_error("Failed to retrieve certificate chain");
return -EINVAL;
}
r = gnutls_x509_crt_init(&cert);
if (r < 0) {
log_error("Failed to initialize client certificate");
return r;
}
/* Note that by passing values between 0 and listsize here, you
can get access to the CA's certs */
r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
if (r < 0) {
log_error("Failed to import client certificate");
gnutls_x509_crt_deinit(cert);
return r;
}
*client_cert = cert;
return 0;
}
int
verify_certificate (gnutls_session session, char* CN)
{
unsigned int cert_list_size;
const gnutls_datum *cert_list;
int ret;
char dn[MAX_DN_LEN];
size_t dn_len = MAX_DN_LEN;
gnutls_x509_crt cert;
ret = gnutls_certificate_verify_peers(session);
if (ret < 0)
{
quorum_debug(LOG_DEBUG,"gnutls_certificate_verify_peers2 returns error");
return -1;
}
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
quorum_debug(LOG_DEBUG,"The certificate is not a x.509 cert");
return -1;
}
if (gnutls_x509_crt_init (&cert) < 0)
{
quorum_debug(LOG_DEBUG,"error in gnutls_x509_crt_init");
return -1;
}
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list == NULL)
{
quorum_debug(LOG_DEBUG,"No certificate was found!");
return -1;
}
if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
quorum_debug(LOG_DEBUG,"error parsing certificate");
return -1;
}
if (gnutls_x509_crt_get_expiration_time (cert) < time (0))
{
quorum_debug(LOG_DEBUG,"The certificate has expired");
return -1;
}
if (gnutls_x509_crt_get_activation_time (cert) > time (0))
{
quorum_debug(LOG_DEBUG,"The certificate is not yet activated");
return -1;
}
memset(dn, 0, MAX_DN_LEN);
gnutls_x509_crt_get_dn(cert, dn, &dn_len);
strncpy(CN, strstr(dn, "CN=")+3, MAX_DN_LEN);
CN[MAX_DN_LEN-1]= '\0';
quorum_debug(LOG_DEBUG,"The certificate cn:%s",CN);
gnutls_x509_crt_deinit (cert);
return 0;
}
static void print_openpgp_info_compact(gnutls_session_t session)
{
gnutls_openpgp_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size > 0) {
gnutls_datum_t cinfo;
gnutls_openpgp_crt_init(&crt);
ret = gnutls_openpgp_crt_import(crt, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0) {
fprintf(stderr, "Decoding error: %s\n",
gnutls_strerror(ret));
return;
}
ret =
gnutls_openpgp_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT,
&cinfo);
if (ret == 0) {
printf("- OpenPGP cert: %s\n", cinfo.data);
gnutls_free(cinfo.data);
}
gnutls_openpgp_crt_deinit(crt);
}
}
bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash)
{
gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL);
size_t resultSize = 0;
int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize);
return error == GNUTLS_E_SUCCESS && resultSize == 20;
}
static int verify_certificate_callback( gnutls_session_t session )
{
unsigned int status;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size;
int gnutlsret;
int verifyret = 0;
gnutls_x509_crt_t cert;
const char *hostname;
hostname = gnutls_session_get_ptr( session );
gnutlsret = gnutls_certificate_verify_peers2( session, &status );
if( gnutlsret < 0 )
return VERIFY_CERT_ERROR;
if( status & GNUTLS_CERT_INVALID )
verifyret |= VERIFY_CERT_INVALID;
if( status & GNUTLS_CERT_REVOKED )
verifyret |= VERIFY_CERT_REVOKED;
if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
if( status & GNUTLS_CERT_SIGNER_NOT_CA )
verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
#ifdef GNUTLS_CERT_NOT_ACTIVATED
/* Amusingly, the GnuTLS function used above didn't check for expiry
until GnuTLS 2.8 or so. (See CVE-2009-1417) */
if( status & GNUTLS_CERT_NOT_ACTIVATED )
verifyret |= VERIFY_CERT_NOT_ACTIVATED;
if( status & GNUTLS_CERT_EXPIRED )
verifyret |= VERIFY_CERT_EXPIRED;
#endif
if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 || gnutls_x509_crt_init( &cert ) < 0 )
return VERIFY_CERT_ERROR;
cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
return VERIFY_CERT_ERROR;
if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
{
verifyret |= VERIFY_CERT_INVALID;
verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
}
gnutls_x509_crt_deinit( cert );
return verifyret;
}
bool session::get_peers_certificate (const gnutls_datum_t ** certs,
unsigned int *certs_size) const
{
*certs = gnutls_certificate_get_peers (s, certs_size);
if (*certs == NULL)
return false;
return true;
}
int
SSL_accept (SSL * ssl)
{
X509_STORE_CTX *store;
int cert_list_size = 0;
int err;
int i, j;
int x_priority[GNUTLS_MAX_ALGORITHM_NUM];
/* take options into account before accepting */
memset (x_priority, 0, sizeof (x_priority));
if (ssl->options & SSL_OP_NO_TLSv1)
{
for (i = 0, j = 0;
i < GNUTLS_MAX_ALGORITHM_NUM && x_priority[i] != 0; i++, j++)
{
if (ssl->ctx->method->protocol_priority[j] == GNUTLS_TLS1)
j++;
else
x_priority[i] = ssl->ctx->method->protocol_priority[j];
}
if (i < GNUTLS_MAX_ALGORITHM_NUM)
x_priority[i] = 0;
gnutls_protocol_set_priority (ssl->gnutls_state,
ssl->ctx->method->protocol_priority);
}
/* FIXME: dh params, do we want client cert? */
err = gnutls_handshake (ssl->gnutls_state);
ssl->last_error = err;
if (err < 0)
{
last_error = err;
return 0;
}
store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX));
store->ssl = ssl;
store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
&cert_list_size);
if (ssl->verify_callback)
{
ssl->verify_callback (1 /*FIXME*/, store);
}
ssl->state = SSL_ST_OK;
err = store->error;
free (store);
/* FIXME: deal with error from callback */
return 1;
}
const X509 *
SSL_get_peer_certificate (SSL * ssl)
{
const gnutls_datum_t *cert_list;
int cert_list_size = 0;
cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
&cert_list_size);
return cert_list;
}
int
verify_certificate (gnutls_session session)
{
unsigned int cert_list_size;
const gnutls_datum *cert_list;
int ret;
gnutls_x509_crt cert;
ret = gnutls_certificate_verify_peers (session);
if (ret < 0)
{
printf("gnutls_certificate_verify_peers2 returns error.\n");
return -1;
}
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
printf("The certificate is not a x.509 cert\n");
return -1;
}
if (gnutls_x509_crt_init (&cert) < 0)
{
printf("error in gnutls_x509_crt_init\n");
return -1;
}
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list == NULL)
{
printf("No certificate was found!\n");
return -1;
}
if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
printf("error parsing certificate\n");
return -1;
}
if (gnutls_x509_crt_get_expiration_time (cert) < time (0))
{
printf("The certificate has expired\n");
return -1;
}
if (gnutls_x509_crt_get_activation_time (cert) > time (0))
{
printf("The certificate is not yet activated\n");
return -1;
}
gnutls_x509_crt_deinit (cert);
return 0;
}
/* returns true or false, depending on whether the hostname
* matches to certificate */
static int
verify_x509_hostname (gnutls_session_t session, const char *hostname)
{
gnutls_x509_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list_size == 0)
{
fprintf (stderr, "No certificates found!\n");
return 0;
}
gnutls_x509_crt_init (&crt);
ret =
gnutls_x509_crt_import (crt, &cert_list[0],
GNUTLS_X509_FMT_DER);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n",
gnutls_strerror (ret));
return 0;
}
/* Check the hostname of the first certificate if it matches
* the name of the host we connected to.
*/
if (hostname != NULL)
{
if (gnutls_x509_crt_check_hostname (crt, hostname) == 0)
{
printf
("- The hostname in the certificate does NOT match '%s'\n",
hostname);
ret = 0;
}
else
{
printf ("- The hostname in the certificate matches '%s'.\n",
hostname);
ret = 1;
}
}
gnutls_x509_crt_deinit (crt);
return ret;
}
int
SSL_accept (SSL * ssl)
{
X509_STORE_CTX *store;
int cert_list_size = 0;
int err;
char x_priority[256];
/* take options into account before connecting */
memset (x_priority, 0, sizeof (x_priority));
if (ssl->options & SSL_OP_NO_TLSv1)
{
snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string);
err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL);
if (err < 0)
{
last_error = err;
return 0;
}
}
/* FIXME: dh params, do we want client cert? */
err = gnutls_handshake (ssl->gnutls_state);
ssl->last_error = err;
if (err < 0)
{
last_error = err;
return 0;
}
store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX));
store->ssl = ssl;
store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state,
&cert_list_size);
if (ssl->verify_callback)
{
ssl->verify_callback (1 /*FIXME*/, store);
}
ssl->state = SSL_ST_OK;
err = store->error;
free (store);
/* FIXME: deal with error from callback */
return 1;
}
static size_t wrfu(void *ptr, size_t size, size_t nmemb, void *stream)
{
const struct curl_tlssessioninfo *info;
unsigned int cert_list_size;
const gnutls_datum_t *chainp;
CURLcode res;
(void)stream;
(void)ptr;
res = curl_easy_getinfo(curl, CURLINFO_TLS_SESSION, &info);
if(!res) {
switch(info->backend) {
case CURLSSLBACKEND_GNUTLS:
/* info->internals is now the gnutls_session_t */
chainp = gnutls_certificate_get_peers(info->internals, &cert_list_size);
if((chainp) && (cert_list_size)) {
unsigned int i;
for(i = 0; i < cert_list_size; i++) {
gnutls_x509_crt_t cert;
gnutls_datum_t dn;
if(GNUTLS_E_SUCCESS == gnutls_x509_crt_init(&cert)) {
if(GNUTLS_E_SUCCESS ==
gnutls_x509_crt_import(cert, &chainp[i], GNUTLS_X509_FMT_DER)) {
if(GNUTLS_E_SUCCESS ==
gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &dn)) {
fprintf(stderr, "Certificate #%d: %.*s", i, dn.size, dn.data);
gnutls_free(dn.data);
}
}
gnutls_x509_crt_deinit(cert);
}
}
}
break;
case CURLSSLBACKEND_NONE:
default:
break;
}
}
return size * nmemb;
}
bool session::get_peers_certificate (std::vector < gnutls_datum_t >
&out_certs) const
{
const gnutls_datum_t *certs;
unsigned int certs_size;
certs = gnutls_certificate_get_peers (s, &certs_size);
if (certs == NULL)
return false;
for (unsigned int i = 0; i < certs_size; i++)
out_certs.push_back (certs[i]);
return true;
}
static GList *
ssl_gnutls_get_peer_certificates(PurpleSslConnection * gsc)
{
PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
PurpleCertificate *prvcrt = NULL;
/* List of Certificate instances to return */
GList * peer_certs = NULL;
/* List of raw certificates as given by GnuTLS */
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
unsigned int i;
/* This should never, ever happen. */
g_return_val_if_fail( gnutls_certificate_type_get (gnutls_data->session) == GNUTLS_CRT_X509, NULL);
/* Get the certificate list from GnuTLS */
/* TODO: I am _pretty sure_ this doesn't block or do other exciting things */
cert_list = gnutls_certificate_get_peers(gnutls_data->session,
&cert_list_size);
/* Convert each certificate to a Certificate and append it to the list */
for (i = 0; i < cert_list_size; i++) {
PurpleCertificate * newcrt = x509_import_from_datum(cert_list[i],
GNUTLS_X509_FMT_DER);
/* Append is somewhat inefficient on linked lists, but is easy
to read. If someone complains, I'll change it.
TODO: Is anyone complaining? (Maybe elb?) */
/* only append if previous cert was actually signed by this one.
* Thanks Microsoft. */
if ((prvcrt == NULL) || x509_certificate_signed_by(prvcrt, newcrt)) {
peer_certs = g_list_append(peer_certs, newcrt);
prvcrt = newcrt;
} else {
x509_destroy_certificate(newcrt);
purple_debug_error("gnutls", "Dropping further peer certificates "
"because the chain is broken!\n");
break;
}
}
/* cert_list doesn't need free()-ing */
return peer_certs;
}
static int
tlsg_session_peercert( tls_session *sess, struct berval *der )
{
tlsg_session *s = (tlsg_session *)sess;
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
if (!peer_cert_list)
return -1;
der->bv_len = peer_cert_list[0].size;
der->bv_val = LDAP_MALLOC( der->bv_len );
if (!der->bv_val)
return -1;
memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
return 0;
}
int CTlsSocket::Handshake(const CTlsSocket* pPrimarySocket, bool try_resume)
{
m_pOwner->LogMessage(MessageType::Debug_Verbose, _T("CTlsSocket::Handshake()"));
wxASSERT(m_session);
m_tlsState = TlsState::handshake;
fz::native_string hostname;
if (pPrimarySocket) {
// Implicitly trust certificate of primary socket
unsigned int cert_list_size;
const gnutls_datum_t* const cert_list = gnutls_certificate_get_peers(pPrimarySocket->m_session, &cert_list_size);
if (cert_list && cert_list_size) {
delete [] m_implicitTrustedCert.data;
m_implicitTrustedCert.data = new unsigned char[cert_list[0].size];
memcpy(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size);
m_implicitTrustedCert.size = cert_list[0].size;
}
if (try_resume) {
if (!CopySessionData(pPrimarySocket))
return FZ_REPLY_ERROR;
}
hostname = pPrimarySocket->m_socket.GetPeerHost();
}
else {
hostname = m_socket.GetPeerHost();
}
if (!hostname.empty() && fz::get_address_type(hostname) == fz::address_type::unknown) {
auto const utf8 = fz::to_utf8(hostname);
if (!utf8.empty()) {
int res = gnutls_server_name_set(m_session, GNUTLS_NAME_DNS, utf8.c_str(), utf8.size());
if (res) {
LogError(res, _T("gnutls_server_name_set"), MessageType::Debug_Warning );
}
}
}
gnutls_handshake_set_hook_function(m_session, GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_BOTH, &handshake_hook_func);
return ContinueHandshake();
}
int TLSSocket::verify(VerifyResult& result) {
const char* hostname = (const char*) gnutls_session_get_ptr (session);
unsigned int status;
int ret = gnutls_certificate_verify_peers2 (session, &status);
if (ret < 0) {
return -1;
}
result.distrusted = (status & GNUTLS_CERT_INVALID);
result.unknownIssuer = (status & GNUTLS_CERT_SIGNER_NOT_FOUND);
result.revoked = (status & GNUTLS_CERT_REVOKED);
result.expired = (status & GNUTLS_CERT_EXPIRED);
result.inactive = (status & GNUTLS_CERT_NOT_ACTIVATED);
result.invalidCert = false;
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
result.invalidCert = true;
return -1;
}
gnutls_x509_crt_t cert;
if (gnutls_x509_crt_init (&cert) < 0) {
return -1;
}
const gnutls_datum_t *cert_list;
unsigned int cert_list_size;
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list == NULL) {
result.invalidCert = true;
gnutls_x509_crt_deinit (cert);
return -1;
}
if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0){
result.invalidCert = true;
gnutls_x509_crt_deinit (cert);
return -1;
}
result.hostnameMismatch = !gnutls_x509_crt_check_hostname (cert, hostname);
gnutls_x509_crt_deinit (cert);
return 0;
}
int CTlsSocket::Handshake(const CTlsSocket* pPrimarySocket, bool try_resume)
{
m_pOwner->LogMessage(MessageType::Debug_Verbose, _T("CTlsSocket::Handshake()"));
wxASSERT(m_session);
m_tlsState = TlsState::handshake;
wxString hostname;
if (pPrimarySocket) {
// Implicitly trust certificate of primary socket
unsigned int cert_list_size;
const gnutls_datum_t* const cert_list = gnutls_certificate_get_peers(pPrimarySocket->m_session, &cert_list_size);
if (cert_list && cert_list_size)
{
delete [] m_implicitTrustedCert.data;
m_implicitTrustedCert.data = new unsigned char[cert_list[0].size];
memcpy(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size);
m_implicitTrustedCert.size = cert_list[0].size;
}
if (try_resume)
{
if (!CopySessionData(pPrimarySocket))
return FZ_REPLY_ERROR;
}
hostname = pPrimarySocket->m_pSocket->GetPeerHost();
}
else {
hostname = m_pSocket->GetPeerHost();
}
if( !hostname.empty() && !IsIpAddress(hostname) ) {
const wxWX2MBbuf utf8 = hostname.mb_str(wxConvUTF8);
if( utf8 ) {
int res = gnutls_server_name_set( m_session, GNUTLS_NAME_DNS, utf8, strlen(utf8) );
if( res ) {
LogError(res, _T("gnutls_server_name_set"), MessageType::Debug_Warning );
}
}
}
return ContinueHandshake();
}
static int
tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
{
tlsg_session *s = (tlsg_session *)session;
if ( !s->peer_der_dn.bv_val ) {
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
struct berval bv;
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
bv.bv_len = peer_cert_list->size;
bv.bv_val = (char *) peer_cert_list->data;
tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
}
*der_dn = s->peer_der_dn;
return 0;
}
/* Typically used in a resumed session. It will return
* true if a certificate has been used.
*/
unsigned tls_has_session_cert(struct worker_st * ws)
{
unsigned int list_size = 0;
const gnutls_datum_t * certs;
if (ws->session == NULL)
return 0;
if (ws->cert_auth_ok)
return 1;
if (ws->config->cisco_client_compat == 0) {
return 0;
}
certs = gnutls_certificate_get_peers(ws->session, &list_size);
if (certs != NULL)
return 1;
return 0;
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
gnutls_x509_crt_t cert;
unsigned int cert_list_size;
const gnutls_datum_t *cert_list;
uint8_t digest[RB_SSL_CERTFP_LEN * 2];
size_t digest_size;
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
return 0;
if (gnutls_x509_crt_init(&cert) < 0)
return 0;
cert_list_size = 0;
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
if (cert_list == NULL)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
memcpy(certfp, digest, RB_SSL_CERTFP_LEN);
gnutls_x509_crt_deinit(cert);
return 1;
}
