int manos_tls_init (manos_tls_socket_t *tls, const char *cert, const char *key) { manos_tls_socket_t socket; int err; socket = malloc (sizeof (*socket)); if (socket == NULL) { return ENOMEM; } memset (socket, 0, sizeof (*socket)); err = gnutls_certificate_allocate_credentials (&socket->credentials); if (err != 0) { return err; } err = gnutls_certificate_set_x509_key_file (socket->credentials, cert, key, GNUTLS_X509_FMT_PEM); if (err != 0) { return err; } gnutls_certificate_set_params_function(socket->credentials, get_dh_params); *tls = socket; return 0; }
int ne_ssl_context_keypair(ne_ssl_context *ctx, const char *cert, const char *key) { gnutls_certificate_set_x509_key_file(ctx->cred, cert, key, GNUTLS_X509_FMT_PEM); return 0; }
void TLSSocket::init(const std::string& caPath, const std::string& crlPath, const std::string& certPath, const std::string& keyPath) { gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); gnutls_global_init(); gnutls_certificate_allocate_credentials(&xcred); if (!caPath.empty()) { gnutls_certificate_set_x509_trust_file(xcred, caPath.c_str(), GNUTLS_X509_FMT_PEM); gnutls_certificate_set_verify_flags (xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); } if (!crlPath.empty()) { gnutls_certificate_set_x509_crl_file(xcred, crlPath.c_str(), GNUTLS_X509_FMT_PEM); } gnutls_certificate_set_x509_key_file(xcred, certPath.c_str(), keyPath.c_str(), GNUTLS_X509_FMT_PEM); gnutls_dh_params_init(&dh_params); gnutls_dh_params_generate2(dh_params, 1024); gnutls_priority_init(&priority_cache, "NORMAL", NULL); gnutls_certificate_set_dh_params(xcred, dh_params); }
int ufwissl_ssl_context_keypair(ufwissl_ssl_context * ctx, const char *cert, const char *key) { return (gnutls_certificate_set_x509_key_file(ctx->cred, cert, key, GNUTLS_X509_FMT_PEM) == 0) ? UFWISSL_OK : UFWISSL_ERROR; }
static bool ConnSSL_LoadServerKey_gnutls(void) { int err; const char *cert_file; err = gnutls_certificate_allocate_credentials(&x509_cred); if (err < 0) { Log(LOG_ERR, "gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err)); return false; } cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile; if (!cert_file) { Log(LOG_NOTICE, "No SSL server key configured, SSL disabled."); return false; } if (array_bytes(&Conf_SSLOptions.KeyFilePassword)) Log(LOG_WARNING, "Ignoring KeyFilePassword: Not supported by GNUTLS."); if (!Load_DH_params()) return false; gnutls_certificate_set_dh_params(x509_cred, dh_params); err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, Conf_SSLOptions.KeyFile, GNUTLS_X509_FMT_PEM); if (err < 0) { Log(LOG_ERR, "gnutls_certificate_set_x509_key_file (cert %s, key %s): %s", cert_file, Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)", gnutls_strerror(err)); return false; } return true; }
////////////////////////////////////////////////////////////////////// // GnuTlsX509Cred // GnuTlsX509Cred::GnuTlsX509Cred(const char* certificateFile, const char* privateKeyFile) { int ret; log_debug("gnutls_certificate_allocate_credentials"); ret = gnutls_certificate_allocate_credentials(&_x509_cred); if (ret != 0) throw GnuTlsException("gnutls_certificate_allocate_credentials", ret); log_debug("gnutls_certificate_allocate_credentials => " << _x509_cred); // gnutls_certificate_set_x509_trust_file(x509_cred, caFile, GNUTLS_X509_FMT_PEM); // gnutls_certificate_set_x509_crl_file(x509_cred, crlFile, GNUTLS_X509_FMT_PEM); try { log_debug("gnutls_certificate_set_x509_key_file(x509_cred, \"" << certificateFile << "\", \"" << privateKeyFile << "\", GNUTLS_X509_FMT_PEM)"); ret = gnutls_certificate_set_x509_key_file(_x509_cred, certificateFile, privateKeyFile, GNUTLS_X509_FMT_PEM); if (ret < 0) throw GnuTlsException("gnutls_certificate_set_x509_key_file", ret); log_debug("gnutls_certificate_set_dh_params"); gnutls_certificate_set_dh_params(_x509_cred, _init.getDhParams()); } catch (...) { log_debug("gnutls_certificate_free_credentials"); gnutls_certificate_free_credentials(_x509_cred); throw; } }
struct rfbssl_ctx *rfbssl_init_global(char *key, char *cert) { int ret = GNUTLS_E_SUCCESS; struct rfbssl_ctx *ctx = NULL; if (NULL == (ctx = malloc(sizeof(struct rfbssl_ctx)))) { ret = GNUTLS_E_MEMORY_ERROR; } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_global_init())) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_allocate_credentials(&ctx->x509_cred))) { /* */ } else if ((ret = gnutls_certificate_set_x509_trust_file(ctx->x509_cred, cert, GNUTLS_X509_FMT_PEM)) < 0) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_certificate_set_x509_key_file(ctx->x509_cred, cert, key, GNUTLS_X509_FMT_PEM))) { /* */ } else if (!GNUTLS_E_SUCCESS == (ret = generate_dh_params(ctx))) { /* */ #ifdef I_LIKE_RSA_PARAMS_THAT_MUCH } else if (!GNUTLS_E_SUCCESS == (ret = generate_rsa_params(ctx))) { /* */ #endif } else { gnutls_global_set_log_function(rfbssl_log_func); gnutls_global_set_log_level(1); gnutls_certificate_set_dh_params(ctx->x509_cred, ctx->dh_params); /* newly allocated memory should be initialized, at least where it is important */ ctx->peekstart = ctx->peeklen = 0; return ctx; } free(ctx); return NULL; }
void certificate_credentials::set_x509_key_file (const char *certfile, const char *keyfile, gnutls_x509_crt_fmt_t type) { RETWRAP (gnutls_certificate_set_x509_key_file (cred, certfile, keyfile, type)); }
secure::server_t secure::server(const char *certfile, const char *ca) { context *ctx = new context; if(!ctx) return NULL; ctx->error = secure::OK; ctx->connect = GNUTLS_SERVER; ctx->xtype = GNUTLS_CRD_CERTIFICATE; ctx->xcred = NULL; ctx->dh = NULL; gnutls_certificate_allocate_credentials(&ctx->xcred); gnutls_certificate_set_x509_key_file(ctx->xcred, certfile, certfile, GNUTLS_X509_FMT_PEM); if(!ca) return ctx; if(eq(ca, "*")) ca = oscerts(); gnutls_certificate_set_x509_trust_file (ctx->xcred, ca, GNUTLS_X509_FMT_PEM); return ctx; }
void initialize_tls_global(void) { gnutls_global_init (); gnutls_certificate_allocate_credentials (&xcred); gnutls_certificate_set_x509_trust_file (xcred, CACERT, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file (xcred, CLIENTCERT, CLIENTKEY, GNUTLS_X509_FMT_PEM); }
void TLSServer::init ( const std::string& ca, const std::string& crl, const std::string& cert, const std::string& key) { _ca = ca; _crl = crl; _cert = cert; _key = key; int ret = gnutls_global_init (); if (ret < 0) throw format ("TLS init error. {1}", gnutls_strerror (ret)); ret = gnutls_certificate_allocate_credentials (&_credentials); if (ret < 0) throw format ("TLS allocation error. {1}", gnutls_strerror (ret)); if (_ca != "" && (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CA file. {1}", gnutls_strerror (ret)); if ( _crl != "" && (ret = gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CRL file. {1}", gnutls_strerror (ret)); if (_cert != "" && _key != "" && (ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CERT file. {1}", gnutls_strerror (ret)); #if GNUTLS_VERSION_NUMBER >= 0x020b00 #if GNUTLS_VERSION_NUMBER >= 0x03000d unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); #else unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); #endif #else unsigned int bits = DH_BITS; #endif gnutls_dh_params_init (&_params); gnutls_dh_params_generate2 (_params, bits); if (_ciphers == "") _ciphers = "NORMAL"; gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL); gnutls_certificate_set_dh_params (_credentials, _params); #if GNUTLS_VERSION_NUMBER >= 0x02090a // The automatic verification for the client certificate with // gnutls_certificate_set_verify_function only works with gnutls // >=2.9.10. So with older versions we should call the verify function // manually after the gnutls handshake. gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif }
void TLSClient::init ( const std::string& ca, const std::string& cert, const std::string& key) { _ca = ca; _cert = cert; _key = key; int ret = gnutls_global_init (); if (ret < 0) throw format ("TLS init error. {1}", gnutls_strerror (ret)); ret = gnutls_certificate_allocate_credentials (&_credentials); if (ret < 0) throw format ("TLS allocation error. {1}", gnutls_strerror (ret)); if (_ca != "" && (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CA file. {1}", gnutls_strerror (ret)); if (_cert != "" && _key != "" && (ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CERT file. {1}", gnutls_strerror (ret)); #if GNUTLS_VERSION_NUMBER >= 0x02090a // The automatic verification for the server certificate with // gnutls_certificate_set_verify_function only works with gnutls // >=2.9.10. So with older versions we should call the verify function // manually after the gnutls handshake. gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif ret = gnutls_init (&_session, GNUTLS_CLIENT); if (ret < 0) throw format ("TLS client init error. {1}", gnutls_strerror (ret)); // Use default priorities unless overridden. if (_ciphers == "") _ciphers = "NORMAL"; const char *err; ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err); if (ret < 0) { if (_debug && ret == GNUTLS_E_INVALID_REQUEST) std::cout << "c: ERROR Priority error at: " << err << "\n"; throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret)); } // Apply the x509 credentials to the current session. ret = gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials); if (ret < 0) throw format ("TLS credentials error. {1}", gnutls_strerror (ret)); }
void relay_network_set_ssl_cert_key (int verbose) { #ifdef HAVE_GNUTLS char *certkey_path, *certkey_path2; int ret; gnutls_certificate_free_credentials (relay_gnutls_x509_cred); gnutls_certificate_allocate_credentials (&relay_gnutls_x509_cred); relay_network_init_ssl_cert_key_ok = 0; certkey_path = weechat_string_expand_home (weechat_config_string (relay_config_network_ssl_cert_key)); if (certkey_path) { certkey_path2 = weechat_string_replace (certkey_path, "%h", weechat_info_get ("weechat_dir", NULL)); if (certkey_path2) { ret = gnutls_certificate_set_x509_key_file (relay_gnutls_x509_cred, certkey_path2, certkey_path2, GNUTLS_X509_FMT_PEM); if (ret >= 0) { relay_network_init_ssl_cert_key_ok = 1; if (verbose) { weechat_printf (NULL, _("%s: SSL certificate and key have been " "set"), RELAY_PLUGIN_NAME); } } else { if (verbose) { weechat_printf (NULL, _("%s%s: warning: no SSL certificate/key " "found (option relay.network.ssl_cert_key)"), weechat_prefix ("error"), RELAY_PLUGIN_NAME); } } free (certkey_path2); } free (certkey_path); } #else /* make C compiler happy */ (void) verbose; #endif }
static gnutls_certificate_credentials_t CreateX509CertCredential(rfbCredential *cred) { gnutls_certificate_credentials_t x509_cred; int ret; if (!cred->x509Credential.x509CACertFile) { rfbClientLog("No CA certificate provided.\n"); return NULL; } if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { rfbClientLog("Cannot allocate credentials: %s.\n", gnutls_strerror(ret)); return NULL; } if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, cred->x509Credential.x509CACertFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load CA credentials: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } if (cred->x509Credential.x509ClientCertFile && cred->x509Credential.x509ClientKeyFile) { if ((ret = gnutls_certificate_set_x509_key_file(x509_cred, cred->x509Credential.x509ClientCertFile, cred->x509Credential.x509ClientKeyFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load client certificate or key: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } } else { rfbClientLog("No client certificate or key provided.\n"); } if (cred->x509Credential.x509CACrlFile) { if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, cred->x509Credential.x509CACrlFile, GNUTLS_X509_FMT_PEM)) < 0) { rfbClientLog("Cannot load CRL: %s.\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials (x509_cred); return NULL; } } else { rfbClientLog("No CRL provided.\n"); } gnutls_certificate_set_dh_params (x509_cred, rfbDHParams); return x509_cred; }
struct cert* loadCert(const char* ca, const char* cert, const char* key) { struct cert* oc = xmalloc(sizeof(struct cert)); gnutls_certificate_allocate_credentials(&oc->cert); if (ca != NULL) gnutls_certificate_set_x509_trust_file(oc->cert, ca, GNUTLS_X509_FMT_PEM); int e1 = gnutls_certificate_set_x509_key_file(oc->cert, cert, key, GNUTLS_X509_FMT_PEM); if (e1 < 0) { return NULL; } gnutls_priority_init(&oc->priority, "PERFORMANCE:%SERVER_PRECEDENCE", NULL); gnutls_certificate_set_dh_params(oc->cert, dh_params); return oc; }
static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd) { gnutls_certificate_credentials_t x509_cred; int ret; if (!vd->tls.x509cacert) { VNC_DEBUG("No CA x509 certificate specified\n"); return NULL; } if (!vd->tls.x509cert) { VNC_DEBUG("No server x509 certificate specified\n"); return NULL; } if (!vd->tls.x509key) { VNC_DEBUG("No server private key specified\n"); return NULL; } if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret)); return NULL; } if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, vd->tls.x509cacert, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } if ((ret = gnutls_certificate_set_x509_key_file (x509_cred, vd->tls.x509cert, vd->tls.x509key, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } if (vd->tls.x509cacrl) { if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, vd->tls.x509cacrl, GNUTLS_X509_FMT_PEM)) < 0) { VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret)); gnutls_certificate_free_credentials(x509_cred); return NULL; } } gnutls_certificate_set_dh_params (x509_cred, dh_params); return x509_cred; }
static Eina_Bool _ecore_con_ssl_server_privkey_add_gnutls(Ecore_Con_Server *svr, const char *key_file) { SSL_ERROR_CHECK_GOTO_ERROR(gnutls_certificate_set_x509_key_file(svr->cert, svr->cert_file, key_file, GNUTLS_X509_FMT_PEM)); return EINA_TRUE; error: ERR("Could not load certificate/key file!"); return EINA_FALSE; }
static gpointer server_thread (gpointer user_data) { int listener = GPOINTER_TO_INT (user_data), client; gnutls_certificate_credentials creds; gnutls_session_t session; struct sockaddr_in sin; int len; char buf[BUFSIZE]; int status; gnutls_certificate_allocate_credentials (&creds); if (gnutls_certificate_set_x509_key_file (creds, ssl_cert_file, ssl_key_file, GNUTLS_X509_FMT_PEM) != 0) { g_error ("Failed to set SSL certificate and key files " "(%s, %s).", ssl_cert_file, ssl_key_file); } gnutls_certificate_set_dh_params (creds, dh_params); /* Create a new session */ gnutls_init (&session, GNUTLS_SERVER); gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, creds); gnutls_dh_set_prime_bits (session, DH_BITS); /* Wait for client thread to connect */ len = sizeof (sin); client = accept (listener, (struct sockaddr *) &sin, (void *)&len); gnutls_transport_set_ptr (session, GINT_TO_POINTER (client)); /* Initial handshake */ status = gnutls_handshake (session); if (status < 0) g_error ("initial handshake failed: %d", status); /* Synchronous client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* Async client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* That's all, folks. */ gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit (session); close (client); gnutls_certificate_free_credentials (creds); return NULL; }
G_GNUC_COLD void tls_global_init(void) { static const struct { const char * const name; const int major; const int minor; } f = { "tls", 1, 0 }; char *cert_file, *key_file; #if !defined(REMAP_ZALLOC) && !defined(TRACK_MALLOC) && !defined(TRACK_ZALLOC) gnutls_global_set_mem_functions(halloc, halloc, NULL, hrealloc, hfree); #endif if (gnutls_global_init()) { g_error("gnutls_global_init() failed"); } #ifdef USE_TLS_CUSTOM_IO gnutls_global_set_log_level(9); gnutls_global_set_log_function(tls_log_function); #endif /* USE_TLS_CUSTOM_IO */ get_dh_params(); gnutls_certificate_allocate_credentials(&cert_cred); key_file = make_pathname(settings_config_dir(), "key.pem"); cert_file = make_pathname(settings_config_dir(), "cert.pem"); if (file_exists(key_file) && file_exists(cert_file)) { int ret; ret = gnutls_certificate_set_x509_key_file(cert_cred, cert_file, key_file, GNUTLS_X509_FMT_PEM); if (ret < 0) { g_warning("gnutls_certificate_set_x509_key_file() failed: %s", gnutls_strerror(ret)); } else { gnutls_certificate_set_dh_params(cert_cred, get_dh_params()); } } HFREE_NULL(key_file); HFREE_NULL(cert_file); header_features_add(FEATURES_CONNECTIONS, f.name, f.major, f.minor); header_features_add(FEATURES_G2_CONNECTIONS, f.name, f.major, f.minor); header_features_add(FEATURES_DOWNLOADS, f.name, f.major, f.minor); header_features_add(FEATURES_UPLOADS, f.name, f.major, f.minor); }
SSL * SSL_new (SSL_CTX * ctx) { SSL *ssl; int err; ssl = (SSL *) calloc (1, sizeof (SSL)); if (!ssl) return NULL; err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred); if (err < 0) { last_error = err; free (ssl); return NULL; } gnutls_init (&ssl->gnutls_state, ctx->method->connend); gnutls_protocol_set_priority (ssl->gnutls_state, ctx->method->protocol_priority); gnutls_cipher_set_priority (ssl->gnutls_state, ctx->method->cipher_priority); gnutls_compression_set_priority (ssl->gnutls_state, ctx->method->comp_priority); gnutls_kx_set_priority (ssl->gnutls_state, ctx->method->kx_priority); gnutls_mac_set_priority (ssl->gnutls_state, ctx->method->mac_priority); gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, ssl->gnutls_cred); if (ctx->certfile) gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred, ctx->certfile, ctx->certfile_type); if (ctx->keyfile) gnutls_certificate_set_x509_key_file (ssl->gnutls_cred, ctx->certfile, ctx->keyfile, ctx->keyfile_type); ssl->ctx = ctx; ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback; ssl->options = ctx->options; ssl->rfd = (gnutls_transport_ptr_t) - 1; ssl->wfd = (gnutls_transport_ptr_t) - 1; return ssl; }
gtlsClientData::gtlsClientData(std::string const& _caFile, std::string const& _certFile, std::string const& _keyFile) { int ret = 0; gnutls_global_set_log_level(loglevel); gnutls_global_set_log_function(gtlsGeneric::logCallback); gnutls_certificate_allocate_credentials(&cred_); // GNUTLS_NOTICE("Allocted credentials"); // Add the certificate authority used. // GNUTLS_NOTICE("Setting CA, file='" << _caFile << "'"); ret = gnutls_certificate_set_x509_trust_file(cred_, _caFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_trust_file", ret); // GNUTLS_NOTICE("Processed " << ret << " certificates."); // Set the cert and private key. // Set the certificate and priate key pair. // GNUTLS_NOTICE("Setting certificate, file='" << _certFile << "'"); // GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'"); ret = gnutls_certificate_set_x509_key_file(cred_, _certFile.c_str(), _keyFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_key_file", ret); // GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s)."); ret = gnutls_init(&session_, GNUTLS_CLIENT); // printerror("gnutls_init", ret); ret = gnutls_set_default_priority(session_); // printerror("gnutls_set_default_priority", ret); gnutls_dh_set_prime_bits(session_, gtlsGeneric::GNUTLSIF_DH_BITS); const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 }; ret = gnutls_certificate_type_set_priority(session_, cert_type_priority); // printerror("gnutls_certificate_type_set_priority", ret); ret = gnutls_credentials_set(session_, GNUTLS_CRD_CERTIFICATE, cred_); // printerror("gnutls_credentials_set", ret); }
void initialize_tls_global(void) { gnutls_global_init (); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_file (x509_cred, CACERT, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_crl_file (x509_cred, CACRL, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file (x509_cred, SERVERCERT, SERVERKEY, GNUTLS_X509_FMT_PEM); gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); gnutls_certificate_set_dh_params (x509_cred, dh_params); }
void ssl_init(struct sockifo* ifo, const char* key, const char* cert, const char* ca, int server) { int rv; rv = gnutls_certificate_allocate_credentials(&ifo->xcred); if (rv < 0) goto out_err; if (cert && *cert) { rv = gnutls_certificate_set_x509_key_file(ifo->xcred, cert, key, GNUTLS_X509_FMT_PEM); if (rv < 0) goto out_err_cred; } if (ca && *ca) { if (!access(ca, R_OK)) { ifo->state.ssl_verify_type = VERIFY_CA; rv = gnutls_certificate_set_x509_trust_file(ifo->xcred, ca, GNUTLS_X509_FMT_PEM); if (rv < 0) goto out_err_cred; } else { ifo->state.ssl_verify_type = VERIFY_FP; ifo->fingerprint = strdup(ca); } } gnutls_certificate_set_dh_params(ifo->xcred, dh_params); rv = gnutls_init(&ifo->ssl, server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (rv < 0) goto out_err_cred; rv = gnutls_set_default_priority(ifo->ssl); if (rv < 0) goto out_err_all; rv = gnutls_credentials_set(ifo->ssl, GNUTLS_CRD_CERTIFICATE, ifo->xcred); if (rv < 0) goto out_err_all; if (server) { gnutls_dh_set_prime_bits(ifo->ssl, 1024); gnutls_certificate_server_set_request(ifo->ssl, GNUTLS_CERT_REQUEST); } gnutls_transport_set_ptr(ifo->ssl, (gnutls_transport_ptr_t)(long) ifo->fd); ifo->state.ssl = SSL_HSHK; if (!ifo->state.connpend) ssl_handshake(ifo); return; out_err_all: gnutls_deinit(ifo->ssl); out_err_cred: gnutls_certificate_free_credentials(ifo->xcred); if (ifo->fingerprint) free(ifo->fingerprint); out_err: esock(ifo, gnutls_strerror(rv)); }
SSL * SSL_new (SSL_CTX * ctx) { SSL *ssl; int err; ssl = (SSL *) calloc (1, sizeof (SSL)); if (!ssl) return NULL; err = gnutls_certificate_allocate_credentials (&ssl->gnutls_cred); if (err < 0) { last_error = err; free (ssl); return NULL; } gnutls_init (&ssl->gnutls_state, ctx->method->connend); gnutls_priority_set_direct (ssl->gnutls_state, ctx->method->priority_string, NULL); gnutls_credentials_set (ssl->gnutls_state, GNUTLS_CRD_CERTIFICATE, ssl->gnutls_cred); if (ctx->certfile) gnutls_certificate_set_x509_trust_file (ssl->gnutls_cred, ctx->certfile, ctx->certfile_type); if (ctx->keyfile) gnutls_certificate_set_x509_key_file (ssl->gnutls_cred, ctx->certfile, ctx->keyfile, ctx->keyfile_type); ssl->ctx = ctx; ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback; ssl->options = ctx->options; ssl->rfd = (gnutls_transport_ptr_t) - 1; ssl->wfd = (gnutls_transport_ptr_t) - 1; ssl->ssl_peek_buffer = NULL; ssl->ssl_peek_buffer_size = ssl->ssl_peek_avail = 0; return ssl; }
void TLSServer::init ( const std::string& ca, const std::string& crl, const std::string& cert, const std::string& key) { _ca = ca; _crl = crl; _cert = cert; _key = key; gnutls_global_init (); gnutls_certificate_allocate_credentials (&_credentials); if (_ca != "" && gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CA file."); if ( _crl != "" && gnutls_certificate_set_x509_crl_file (_credentials, _crl.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CRL file."); if (_cert != "" && _key != "" && gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CERT file."); #if GNUTLS_VERSION_NUMBER >= 0x020b00 #if GNUTLS_VERSION_NUMBER >= 0x03000d unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY); #else unsigned int bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); #endif #else unsigned int bits = DH_BITS; #endif gnutls_dh_params_init (&_params); gnutls_dh_params_generate2 (_params, bits); if (_ciphers == "") _ciphers = "NORMAL"; gnutls_priority_init (&_priorities, _ciphers.c_str (), NULL); gnutls_certificate_set_dh_params (_credentials, _params); #if GNUTLS_VERSION_NUMBER >= 0x02090a gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif }
/* similar to server_init. * * the user of secure server might want to set additional callbacks from * GNUTLS. In particular * gnutls_global_set_mem_functions() * gnutls_global_set_log_function() * Also see the note above ebb_connection_init() about setting gnutls cache * access functions * * cert_file: the filename of a PEM certificate file * * key_file: the filename of a private key. Currently only PKCS-1 encoded * RSA and DSA private keys are accepted. */ int ebb_server_set_secure (ebb_server *server, const char *cert_file, const char *key_file) { server->secure = TRUE; gnutls_global_init(); gnutls_certificate_allocate_credentials(&server->credentials); /* todo gnutls_certificate_free_credentials */ int r = gnutls_certificate_set_x509_key_file( server->credentials , cert_file , key_file , GNUTLS_X509_FMT_PEM ); if(r < 0) { error("loading certificates"); return -1; } return 1; }
void TLSClient::init ( const std::string& ca, const std::string& cert, const std::string& key) { _ca = ca; _cert = cert; _key = key; gnutls_global_init (); gnutls_certificate_allocate_credentials (&_credentials); if (_ca != "" && gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CA file."); if (_cert != "" && _key != "" && gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM) < 0) throw std::string ("Missing CERT file."); #if GNUTLS_VERSION_NUMBER >= 0x02090a gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); #endif gnutls_init (&_session, GNUTLS_CLIENT); // Use default priorities unless overridden. if (_ciphers == "") _ciphers = "NORMAL"; const char *err; int ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err); if (ret < 0) { if (_debug && ret == GNUTLS_E_INVALID_REQUEST) std::cout << "c: ERROR Priority error at: " << err << "\n"; throw std::string ("Error initializing TLS."); } // Apply the x509 credentials to the current session. gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials); }
/** * @short Same as onion_https_set_certificate, but with a va_list * @memberof onion_https_t * * This allows to manage va_lists more easily. * * @see onion_https_set_certificate */ int onion_https_set_certificate_argv(onion_listen_point *ol, onion_ssl_certificate_type type, const char *filename, va_list va){ onion_https *https=(onion_https*)ol->user_data; if (ol->write!=onion_https_write){ ONION_ERROR("Trying to et a certificate on a non HTTPS listen point"); errno=EINVAL; return -1; } int r=0; switch(type&0x0FF){ case O_SSL_CERTIFICATE_CRL: ONION_DEBUG("Setting SSL Certificate CRL"); r=gnutls_certificate_set_x509_crl_file(https->x509_cred, filename, (type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM); break; case O_SSL_CERTIFICATE_KEY: { //va_arg(va, const char *); // Ignore first. const char *keyfile=va_arg(va, const char *); ONION_DEBUG("Setting certificate to %p: cert %s, key %s", ol, filename, keyfile); r=gnutls_certificate_set_x509_key_file(https->x509_cred, filename, keyfile, (type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM); } break; case O_SSL_CERTIFICATE_TRUST: ONION_DEBUG("Setting SSL Certificate Trust"); r=gnutls_certificate_set_x509_trust_file(https->x509_cred, filename, (type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM); break; case O_SSL_CERTIFICATE_PKCS12: { ONION_DEBUG("Setting SSL Certificate PKCS12"); r=gnutls_certificate_set_x509_simple_pkcs12_file(https->x509_cred, filename, (type&O_SSL_DER) ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM, va_arg(va, const char *)); } break; default: r=-1; ONION_ERROR("Set unknown type of certificate: %d",type); } return r; }
gtlsGlobalServerData::gtlsGlobalServerData(std::string const& _CAfile, /*std::string const& _CRLFile,*/ std::string const& _CertFile, std::string const& _keyFile) : cert_cred(0), initialized_(true) { int ret = 0; // Logging. gnutls_global_set_log_level(loglevel); gnutls_global_set_log_function(gtlsGeneric::logCallback); // Allocate the structures used to keep certificates in. ret = gnutls_certificate_allocate_credentials(&cert_cred); // printerror("gnutls_certificate_allocate_credentials", ret); if (ret < 0) { initialized_ = false; } // Set the CA certificate. // GNUTLS_NOTICE("Setting CA, file='" << _CAfile << "'"); ret = gnutls_certificate_set_x509_trust_file(cert_cred, _CAfile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_trust_file", ret); if (ret < 0) { initialized_ = false; } // GNUTLS_NOTICE("Processed " << ret << " certificates."); // Set the certificate and priate key pair. //GNUTLS_NOTICE("Setting certificate, file='" << _CertFile << "'"); //GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'"); ret = gnutls_certificate_set_x509_key_file(cert_cred, _CertFile.c_str(), _keyFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_key_file", ret); if (ret < 0) { initialized_ = false; } // GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s)."); // Generate and set DH params. generate_dh_params(); gnutls_certificate_set_dh_params(cert_cred, dh_params); }
void initializeCertificate() { char* certificatePath = (char*) getStrConf(CERTIFICATE); if(!certificatePath) { Log_fatal("No certificate file specified."); } char* keyPath = (char*) getStrConf(KEY); if(!keyPath) { Log_fatal("No key file specified"); } gnutls_certificate_allocate_credentials(&certificate); int error = gnutls_certificate_set_x509_key_file(certificate, certificatePath, keyPath, GNUTLS_X509_FMT_PEM); if( error != GNUTLS_E_SUCCESS ) { Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath); } }