unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsigned int len) { MYSQL *mysql; size_t fp_len= len; const gnutls_datum_t *cert_list; unsigned int cert_list_size; if (!cssl || !cssl->ssl) return 0; mysql= (MYSQL *)gnutls_session_get_ptr(cssl->ssl); cert_list = gnutls_certificate_get_peers (cssl->ssl, &cert_list_size); if (cert_list == NULL) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, ER(CR_SSL_CONNECTION_ERROR), "Unable to get server certificate"); return 0; } if (gnutls_fingerprint(GNUTLS_DIG_SHA1, &cert_list[0], fp, &fp_len) == 0) return fp_len; else { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, ER(CR_SSL_CONNECTION_ERROR), "Finger print buffer too small"); return 0; } }
static void print_x509_info_compact(gnutls_session_t session) { gnutls_x509_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; gnutls_datum_t cinfo; cert_list = gnutls_certificate_get_peers(session, &cert_list_size); if (cert_list_size == 0) { fprintf(stderr, "No certificates found!\n"); return; } gnutls_x509_crt_init(&crt); ret = gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER); if (ret < 0) { fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); return; } ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo); if (ret == 0) { printf("- X.509 cert: %s\n", cinfo.data); gnutls_free(cinfo.data); } gnutls_x509_crt_deinit(crt); }
/* Return the certificate chain sent by the peer, or NULL on error. */ static ne_ssl_certificate *make_peers_chain(gnutls_session sock) { ne_ssl_certificate *current = NULL, *top = NULL; const gnutls_datum *certs; unsigned int n, count; certs = gnutls_certificate_get_peers(sock, &count); if (!certs) { return NULL; } for (n = 0; n < count; n++) { ne_ssl_certificate *cert; gnutls_x509_crt x5; if (gnutls_x509_crt_init(&x5) || gnutls_x509_crt_import(x5, &certs[n], GNUTLS_X509_FMT_DER)) { ne_ssl_cert_free(top); return NULL; } cert = populate_cert(ne_malloc(sizeof *cert), x5); if (top == NULL) { current = top = cert; } else { current->issuer = cert; current = cert; } } return top; }
int /* O - Status of call (0 = success) */ httpCopyCredentials( http_t *http, /* I - Connection to server */ cups_array_t **credentials) /* O - Array of credentials */ { unsigned count; /* Number of certificates */ const gnutls_datum_t *certs; /* Certificates */ DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials)); if (credentials) *credentials = NULL; if (!http || !http->tls || !credentials) return (-1); *credentials = cupsArrayNew(NULL, NULL); certs = gnutls_certificate_get_peers(http->tls, &count); DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count)); if (certs && count) { while (count > 0) { httpAddCredential(*credentials, certs->data, certs->size); certs ++; count --; } } return (0); }
static void ssl_vfy_fp(struct sockifo* ifo) { unsigned int i; uint8_t result[41]; size_t resultsiz = 20; if (!ifo->fingerprint) { esock(ifo, "No fingerprint given"); return; } const gnutls_datum_t* cert = gnutls_certificate_get_peers(ifo->ssl, &i); if (i < 1) { esock(ifo, "No certificate given to fingerprint"); return; } int rv = gnutls_fingerprint(GNUTLS_DIG_SHA1, cert, result + 20, &resultsiz); if (rv) { esock(ifo, gnutls_strerror(rv)); return; } for(i=0; i < 20; i++) { uint8_t v = result[20+i]; result[2*i ] = hex[v / 16]; result[2*i+1] = hex[v % 16]; } result[40] = 0; char* fp = ifo->fingerprint - 1; while (fp) { if (!memcmp(result, fp + 1, 40)) return; fp = strchr(fp + 1, ','); } snprintf(errbuf, sizeof(errbuf), "SSL fingerprint error: got %s expected %s", result, ifo->fingerprint); esock(ifo, errbuf); }
static int cert_callback(gnutls_session_t session) { const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; unsigned i; gnutls_datum_t t; struct priv_st *priv; cert_list = gnutls_certificate_get_peers(session, &cert_list_size); if (cert_list_size == 0) { fprintf(stderr, "no certificates sent by server!\n"); return -1; } priv = gnutls_session_get_ptr(session); for (i=0;i<cert_list_size;i++) { ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i], &t); if (ret < 0) { fprintf(stderr, "error[%d]: %s\n", __LINE__, gnutls_strerror(ret)); exit(1); } write(priv->fd, t.data, t.size); gnutls_free(t.data); } priv->found = 1; return -1; }
/* grabs the username from the session certificate */ static int get_cert_info(worker_st * ws) { const gnutls_datum_t *cert; unsigned int ncerts; int ret; /* this is superflous. Verification has already been performed * during handshake. */ cert = gnutls_certificate_get_peers(ws->session, &ncerts); if (cert == NULL) { return -1; } ret = get_cert_names(ws, cert); if (ret < 0) { if (ws->config->cert_user_oid == NULL) { oclog(ws, LOG_ERR, "cannot read username from certificate; no cert-user-oid is set"); } else { oclog(ws, LOG_ERR, "cannot read username (%s) from certificate", ws->config->cert_user_oid); } return -1; } return 0; }
int CTlsSocket::Handshake(const CTlsSocket* pPrimarySocket /*=0*/, bool try_resume /*=false*/) { m_pOwner->LogMessage(Debug_Verbose, _T("CTlsSocket::Handshake()")); wxASSERT(m_session); m_tlsState = handshake; if (pPrimarySocket) { // Implicitly trust certificate of primary socket unsigned int cert_list_size; const gnutls_datum_t* const cert_list = gnutls_certificate_get_peers(pPrimarySocket->m_session, &cert_list_size); if (cert_list && cert_list_size) { delete [] m_implicitTrustedCert.data; m_implicitTrustedCert.data = new unsigned char[cert_list[0].size]; memcpy(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size); m_implicitTrustedCert.size = cert_list[0].size; } if (try_resume) { if (!CopySessionData(pPrimarySocket)) return FZ_REPLY_ERROR; } } return ContinueHandshake(); }
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method) { gnutls_x509_crt_t cert; gnutls_digest_algorithm_t algo; unsigned int cert_list_size; const gnutls_datum_t *cert_list; uint8_t digest[RB_SSL_CERTFP_LEN * 2]; size_t digest_size; int len; if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509) return 0; if (gnutls_x509_crt_init(&cert) < 0) return 0; cert_list_size = 0; cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size); if (cert_list == NULL) { gnutls_x509_crt_deinit(cert); return 0; } if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) { gnutls_x509_crt_deinit(cert); return 0; } switch(method) { case RB_SSL_CERTFP_METH_SHA1: algo = GNUTLS_DIG_SHA1; len = RB_SSL_CERTFP_LEN_SHA1; break; case RB_SSL_CERTFP_METH_SHA256: algo = GNUTLS_DIG_SHA256; len = RB_SSL_CERTFP_LEN_SHA256; break; case RB_SSL_CERTFP_METH_SHA512: algo = GNUTLS_DIG_SHA512; len = RB_SSL_CERTFP_LEN_SHA512; break; default: return 0; } if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0) { gnutls_x509_crt_deinit(cert); return 0; } memcpy(certfp, digest, len); gnutls_x509_crt_deinit(cert); return len; }
static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) { const gnutls_datum_t *pcert; unsigned listsize; gnutls_x509_crt_t cert; int r; assert(session); assert(client_cert); pcert = gnutls_certificate_get_peers(session, &listsize); if (!pcert || !listsize) { log_error("Failed to retrieve certificate chain"); return -EINVAL; } r = gnutls_x509_crt_init(&cert); if (r < 0) { log_error("Failed to initialize client certificate"); return r; } /* Note that by passing values between 0 and listsize here, you can get access to the CA's certs */ r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER); if (r < 0) { log_error("Failed to import client certificate"); gnutls_x509_crt_deinit(cert); return r; } *client_cert = cert; return 0; }
int verify_certificate (gnutls_session session, char* CN) { unsigned int cert_list_size; const gnutls_datum *cert_list; int ret; char dn[MAX_DN_LEN]; size_t dn_len = MAX_DN_LEN; gnutls_x509_crt cert; ret = gnutls_certificate_verify_peers(session); if (ret < 0) { quorum_debug(LOG_DEBUG,"gnutls_certificate_verify_peers2 returns error"); return -1; } if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { quorum_debug(LOG_DEBUG,"The certificate is not a x.509 cert"); return -1; } if (gnutls_x509_crt_init (&cert) < 0) { quorum_debug(LOG_DEBUG,"error in gnutls_x509_crt_init"); return -1; } cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list == NULL) { quorum_debug(LOG_DEBUG,"No certificate was found!"); return -1; } if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) { quorum_debug(LOG_DEBUG,"error parsing certificate"); return -1; } if (gnutls_x509_crt_get_expiration_time (cert) < time (0)) { quorum_debug(LOG_DEBUG,"The certificate has expired"); return -1; } if (gnutls_x509_crt_get_activation_time (cert) > time (0)) { quorum_debug(LOG_DEBUG,"The certificate is not yet activated"); return -1; } memset(dn, 0, MAX_DN_LEN); gnutls_x509_crt_get_dn(cert, dn, &dn_len); strncpy(CN, strstr(dn, "CN=")+3, MAX_DN_LEN); CN[MAX_DN_LEN-1]= '\0'; quorum_debug(LOG_DEBUG,"The certificate cn:%s",CN); gnutls_x509_crt_deinit (cert); return 0; }
static void print_openpgp_info_compact(gnutls_session_t session) { gnutls_openpgp_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; cert_list = gnutls_certificate_get_peers(session, &cert_list_size); if (cert_list_size > 0) { gnutls_datum_t cinfo; gnutls_openpgp_crt_init(&crt); ret = gnutls_openpgp_crt_import(crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); return; } ret = gnutls_openpgp_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo); if (ret == 0) { printf("- OpenPGP cert: %s\n", cinfo.data); gnutls_free(cinfo.data); } gnutls_openpgp_crt_deinit(crt); } }
bool_t SSLi_getSHA1Hash(SSL_handle_t *session, uint8_t *hash) { gnutls_datum_t const * certificateData = gnutls_certificate_get_peers(*session, NULL); size_t resultSize = 0; int error = gnutls_fingerprint( GNUTLS_DIG_SHA1, certificateData, hash, &resultSize); return error == GNUTLS_E_SUCCESS && resultSize == 20; }
static int verify_certificate_callback( gnutls_session_t session ) { unsigned int status; const gnutls_datum_t *cert_list; unsigned int cert_list_size; int gnutlsret; int verifyret = 0; gnutls_x509_crt_t cert; const char *hostname; hostname = gnutls_session_get_ptr( session ); gnutlsret = gnutls_certificate_verify_peers2( session, &status ); if( gnutlsret < 0 ) return VERIFY_CERT_ERROR; if( status & GNUTLS_CERT_INVALID ) verifyret |= VERIFY_CERT_INVALID; if( status & GNUTLS_CERT_REVOKED ) verifyret |= VERIFY_CERT_REVOKED; if( status & GNUTLS_CERT_SIGNER_NOT_FOUND ) verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND; if( status & GNUTLS_CERT_SIGNER_NOT_CA ) verifyret |= VERIFY_CERT_SIGNER_NOT_CA; if( status & GNUTLS_CERT_INSECURE_ALGORITHM ) verifyret |= VERIFY_CERT_INSECURE_ALGORITHM; #ifdef GNUTLS_CERT_NOT_ACTIVATED /* Amusingly, the GnuTLS function used above didn't check for expiry until GnuTLS 2.8 or so. (See CVE-2009-1417) */ if( status & GNUTLS_CERT_NOT_ACTIVATED ) verifyret |= VERIFY_CERT_NOT_ACTIVATED; if( status & GNUTLS_CERT_EXPIRED ) verifyret |= VERIFY_CERT_EXPIRED; #endif if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 || gnutls_x509_crt_init( &cert ) < 0 ) return VERIFY_CERT_ERROR; cert_list = gnutls_certificate_get_peers( session, &cert_list_size ); if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 ) return VERIFY_CERT_ERROR; if( !gnutls_x509_crt_check_hostname( cert, hostname ) ) { verifyret |= VERIFY_CERT_INVALID; verifyret |= VERIFY_CERT_WRONG_HOSTNAME; } gnutls_x509_crt_deinit( cert ); return verifyret; }
bool session::get_peers_certificate (const gnutls_datum_t ** certs, unsigned int *certs_size) const { *certs = gnutls_certificate_get_peers (s, certs_size); if (*certs == NULL) return false; return true; }
int SSL_accept (SSL * ssl) { X509_STORE_CTX *store; int cert_list_size = 0; int err; int i, j; int x_priority[GNUTLS_MAX_ALGORITHM_NUM]; /* take options into account before accepting */ memset (x_priority, 0, sizeof (x_priority)); if (ssl->options & SSL_OP_NO_TLSv1) { for (i = 0, j = 0; i < GNUTLS_MAX_ALGORITHM_NUM && x_priority[i] != 0; i++, j++) { if (ssl->ctx->method->protocol_priority[j] == GNUTLS_TLS1) j++; else x_priority[i] = ssl->ctx->method->protocol_priority[j]; } if (i < GNUTLS_MAX_ALGORITHM_NUM) x_priority[i] = 0; gnutls_protocol_set_priority (ssl->gnutls_state, ssl->ctx->method->protocol_priority); } /* FIXME: dh params, do we want client cert? */ err = gnutls_handshake (ssl->gnutls_state); ssl->last_error = err; if (err < 0) { last_error = err; return 0; } store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX)); store->ssl = ssl; store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state, &cert_list_size); if (ssl->verify_callback) { ssl->verify_callback (1 /*FIXME*/, store); } ssl->state = SSL_ST_OK; err = store->error; free (store); /* FIXME: deal with error from callback */ return 1; }
const X509 * SSL_get_peer_certificate (SSL * ssl) { const gnutls_datum_t *cert_list; int cert_list_size = 0; cert_list = gnutls_certificate_get_peers (ssl->gnutls_state, &cert_list_size); return cert_list; }
int verify_certificate (gnutls_session session) { unsigned int cert_list_size; const gnutls_datum *cert_list; int ret; gnutls_x509_crt cert; ret = gnutls_certificate_verify_peers (session); if (ret < 0) { printf("gnutls_certificate_verify_peers2 returns error.\n"); return -1; } if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { printf("The certificate is not a x.509 cert\n"); return -1; } if (gnutls_x509_crt_init (&cert) < 0) { printf("error in gnutls_x509_crt_init\n"); return -1; } cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list == NULL) { printf("No certificate was found!\n"); return -1; } if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) { printf("error parsing certificate\n"); return -1; } if (gnutls_x509_crt_get_expiration_time (cert) < time (0)) { printf("The certificate has expired\n"); return -1; } if (gnutls_x509_crt_get_activation_time (cert) > time (0)) { printf("The certificate is not yet activated\n"); return -1; } gnutls_x509_crt_deinit (cert); return 0; }
/* returns true or false, depending on whether the hostname * matches to certificate */ static int verify_x509_hostname (gnutls_session_t session, const char *hostname) { gnutls_x509_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list_size == 0) { fprintf (stderr, "No certificates found!\n"); return 0; } gnutls_x509_crt_init (&crt); ret = gnutls_x509_crt_import (crt, &cert_list[0], GNUTLS_X509_FMT_DER); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return 0; } /* Check the hostname of the first certificate if it matches * the name of the host we connected to. */ if (hostname != NULL) { if (gnutls_x509_crt_check_hostname (crt, hostname) == 0) { printf ("- The hostname in the certificate does NOT match '%s'\n", hostname); ret = 0; } else { printf ("- The hostname in the certificate matches '%s'.\n", hostname); ret = 1; } } gnutls_x509_crt_deinit (crt); return ret; }
int SSL_accept (SSL * ssl) { X509_STORE_CTX *store; int cert_list_size = 0; int err; char x_priority[256]; /* take options into account before connecting */ memset (x_priority, 0, sizeof (x_priority)); if (ssl->options & SSL_OP_NO_TLSv1) { snprintf(x_priority, sizeof(x_priority), "%s:-VERS-TLS1.0", ssl->ctx->method->priority_string); err = gnutls_priority_set_direct(ssl->gnutls_state, x_priority, NULL); if (err < 0) { last_error = err; return 0; } } /* FIXME: dh params, do we want client cert? */ err = gnutls_handshake (ssl->gnutls_state); ssl->last_error = err; if (err < 0) { last_error = err; return 0; } store = (X509_STORE_CTX *) calloc (1, sizeof (X509_STORE_CTX)); store->ssl = ssl; store->cert_list = gnutls_certificate_get_peers (ssl->gnutls_state, &cert_list_size); if (ssl->verify_callback) { ssl->verify_callback (1 /*FIXME*/, store); } ssl->state = SSL_ST_OK; err = store->error; free (store); /* FIXME: deal with error from callback */ return 1; }
static size_t wrfu(void *ptr, size_t size, size_t nmemb, void *stream) { const struct curl_tlssessioninfo *info; unsigned int cert_list_size; const gnutls_datum_t *chainp; CURLcode res; (void)stream; (void)ptr; res = curl_easy_getinfo(curl, CURLINFO_TLS_SESSION, &info); if(!res) { switch(info->backend) { case CURLSSLBACKEND_GNUTLS: /* info->internals is now the gnutls_session_t */ chainp = gnutls_certificate_get_peers(info->internals, &cert_list_size); if((chainp) && (cert_list_size)) { unsigned int i; for(i = 0; i < cert_list_size; i++) { gnutls_x509_crt_t cert; gnutls_datum_t dn; if(GNUTLS_E_SUCCESS == gnutls_x509_crt_init(&cert)) { if(GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &chainp[i], GNUTLS_X509_FMT_DER)) { if(GNUTLS_E_SUCCESS == gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &dn)) { fprintf(stderr, "Certificate #%d: %.*s", i, dn.size, dn.data); gnutls_free(dn.data); } } gnutls_x509_crt_deinit(cert); } } } break; case CURLSSLBACKEND_NONE: default: break; } } return size * nmemb; }
bool session::get_peers_certificate (std::vector < gnutls_datum_t > &out_certs) const { const gnutls_datum_t *certs; unsigned int certs_size; certs = gnutls_certificate_get_peers (s, &certs_size); if (certs == NULL) return false; for (unsigned int i = 0; i < certs_size; i++) out_certs.push_back (certs[i]); return true; }
static GList * ssl_gnutls_get_peer_certificates(PurpleSslConnection * gsc) { PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc); PurpleCertificate *prvcrt = NULL; /* List of Certificate instances to return */ GList * peer_certs = NULL; /* List of raw certificates as given by GnuTLS */ const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; unsigned int i; /* This should never, ever happen. */ g_return_val_if_fail( gnutls_certificate_type_get (gnutls_data->session) == GNUTLS_CRT_X509, NULL); /* Get the certificate list from GnuTLS */ /* TODO: I am _pretty sure_ this doesn't block or do other exciting things */ cert_list = gnutls_certificate_get_peers(gnutls_data->session, &cert_list_size); /* Convert each certificate to a Certificate and append it to the list */ for (i = 0; i < cert_list_size; i++) { PurpleCertificate * newcrt = x509_import_from_datum(cert_list[i], GNUTLS_X509_FMT_DER); /* Append is somewhat inefficient on linked lists, but is easy to read. If someone complains, I'll change it. TODO: Is anyone complaining? (Maybe elb?) */ /* only append if previous cert was actually signed by this one. * Thanks Microsoft. */ if ((prvcrt == NULL) || x509_certificate_signed_by(prvcrt, newcrt)) { peer_certs = g_list_append(peer_certs, newcrt); prvcrt = newcrt; } else { x509_destroy_certificate(newcrt); purple_debug_error("gnutls", "Dropping further peer certificates " "because the chain is broken!\n"); break; } } /* cert_list doesn't need free()-ing */ return peer_certs; }
static int tlsg_session_peercert( tls_session *sess, struct berval *der ) { tlsg_session *s = (tlsg_session *)sess; const gnutls_datum_t *peer_cert_list; unsigned int list_size; peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size ); if (!peer_cert_list) return -1; der->bv_len = peer_cert_list[0].size; der->bv_val = LDAP_MALLOC( der->bv_len ); if (!der->bv_val) return -1; memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len); return 0; }
int CTlsSocket::Handshake(const CTlsSocket* pPrimarySocket, bool try_resume) { m_pOwner->LogMessage(MessageType::Debug_Verbose, _T("CTlsSocket::Handshake()")); wxASSERT(m_session); m_tlsState = TlsState::handshake; fz::native_string hostname; if (pPrimarySocket) { // Implicitly trust certificate of primary socket unsigned int cert_list_size; const gnutls_datum_t* const cert_list = gnutls_certificate_get_peers(pPrimarySocket->m_session, &cert_list_size); if (cert_list && cert_list_size) { delete [] m_implicitTrustedCert.data; m_implicitTrustedCert.data = new unsigned char[cert_list[0].size]; memcpy(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size); m_implicitTrustedCert.size = cert_list[0].size; } if (try_resume) { if (!CopySessionData(pPrimarySocket)) return FZ_REPLY_ERROR; } hostname = pPrimarySocket->m_socket.GetPeerHost(); } else { hostname = m_socket.GetPeerHost(); } if (!hostname.empty() && fz::get_address_type(hostname) == fz::address_type::unknown) { auto const utf8 = fz::to_utf8(hostname); if (!utf8.empty()) { int res = gnutls_server_name_set(m_session, GNUTLS_NAME_DNS, utf8.c_str(), utf8.size()); if (res) { LogError(res, _T("gnutls_server_name_set"), MessageType::Debug_Warning ); } } } gnutls_handshake_set_hook_function(m_session, GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_BOTH, &handshake_hook_func); return ContinueHandshake(); }
int TLSSocket::verify(VerifyResult& result) { const char* hostname = (const char*) gnutls_session_get_ptr (session); unsigned int status; int ret = gnutls_certificate_verify_peers2 (session, &status); if (ret < 0) { return -1; } result.distrusted = (status & GNUTLS_CERT_INVALID); result.unknownIssuer = (status & GNUTLS_CERT_SIGNER_NOT_FOUND); result.revoked = (status & GNUTLS_CERT_REVOKED); result.expired = (status & GNUTLS_CERT_EXPIRED); result.inactive = (status & GNUTLS_CERT_NOT_ACTIVATED); result.invalidCert = false; if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { result.invalidCert = true; return -1; } gnutls_x509_crt_t cert; if (gnutls_x509_crt_init (&cert) < 0) { return -1; } const gnutls_datum_t *cert_list; unsigned int cert_list_size; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list == NULL) { result.invalidCert = true; gnutls_x509_crt_deinit (cert); return -1; } if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0){ result.invalidCert = true; gnutls_x509_crt_deinit (cert); return -1; } result.hostnameMismatch = !gnutls_x509_crt_check_hostname (cert, hostname); gnutls_x509_crt_deinit (cert); return 0; }
int CTlsSocket::Handshake(const CTlsSocket* pPrimarySocket, bool try_resume) { m_pOwner->LogMessage(MessageType::Debug_Verbose, _T("CTlsSocket::Handshake()")); wxASSERT(m_session); m_tlsState = TlsState::handshake; wxString hostname; if (pPrimarySocket) { // Implicitly trust certificate of primary socket unsigned int cert_list_size; const gnutls_datum_t* const cert_list = gnutls_certificate_get_peers(pPrimarySocket->m_session, &cert_list_size); if (cert_list && cert_list_size) { delete [] m_implicitTrustedCert.data; m_implicitTrustedCert.data = new unsigned char[cert_list[0].size]; memcpy(m_implicitTrustedCert.data, cert_list[0].data, cert_list[0].size); m_implicitTrustedCert.size = cert_list[0].size; } if (try_resume) { if (!CopySessionData(pPrimarySocket)) return FZ_REPLY_ERROR; } hostname = pPrimarySocket->m_pSocket->GetPeerHost(); } else { hostname = m_pSocket->GetPeerHost(); } if( !hostname.empty() && !IsIpAddress(hostname) ) { const wxWX2MBbuf utf8 = hostname.mb_str(wxConvUTF8); if( utf8 ) { int res = gnutls_server_name_set( m_session, GNUTLS_NAME_DNS, utf8, strlen(utf8) ); if( res ) { LogError(res, _T("gnutls_server_name_set"), MessageType::Debug_Warning ); } } } return ContinueHandshake(); }
static int tlsg_session_peer_dn( tls_session *session, struct berval *der_dn ) { tlsg_session *s = (tlsg_session *)session; if ( !s->peer_der_dn.bv_val ) { const gnutls_datum_t *peer_cert_list; unsigned int list_size; struct berval bv; peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size ); if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS; bv.bv_len = peer_cert_list->size; bv.bv_val = (char *) peer_cert_list->data; tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 ); } *der_dn = s->peer_der_dn; return 0; }
/* Typically used in a resumed session. It will return * true if a certificate has been used. */ unsigned tls_has_session_cert(struct worker_st * ws) { unsigned int list_size = 0; const gnutls_datum_t * certs; if (ws->session == NULL) return 0; if (ws->cert_auth_ok) return 1; if (ws->config->cisco_client_compat == 0) { return 0; } certs = gnutls_certificate_get_peers(ws->session, &list_size); if (certs != NULL) return 1; return 0; }
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]) { gnutls_x509_crt_t cert; unsigned int cert_list_size; const gnutls_datum_t *cert_list; uint8_t digest[RB_SSL_CERTFP_LEN * 2]; size_t digest_size; if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509) return 0; if (gnutls_x509_crt_init(&cert) < 0) return 0; cert_list_size = 0; cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size); if (cert_list == NULL) { gnutls_x509_crt_deinit(cert); return 0; } if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) { gnutls_x509_crt_deinit(cert); return 0; } if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0) { gnutls_x509_crt_deinit(cert); return 0; } memcpy(certfp, digest, RB_SSL_CERTFP_LEN); gnutls_x509_crt_deinit(cert); return 1; }