//general tls stuff------------------------------------------------------------- static gnutls_session_t initialize_tls_session(bool sServer, gnutls_srp_client_credentials_t &cClient, const struct sockaddr *aAddress, socklen_t lLength, const char *aActual) { gnutls_session_t session; gnutls_init(&session, sServer? GNUTLS_SERVER : GNUTLS_CLIENT); if (use_srp_auth) { gnutls_priority_set_direct(session, sServer? "NORMAL:+SRP" : "PERFORMANCE:+SRP", NULL); if (!sServer) set_client_passwd(cClient, aAddress, lLength, aActual); gnutls_credentials_set(session, GNUTLS_CRD_SRP, sServer? (void*) srp_server : (void*) cClient); } else { gnutls_priority_set_direct(session, sServer? "NORMAL:+ANON-DH" : "PERFORMANCE:+ANON-DH", NULL); gnutls_credentials_set(session, GNUTLS_CRD_ANON, credentials); } gnutls_dh_set_prime_bits(session, 1024); gnutls_transport_set_push_function(session, (gnutls_push_func) &write_wrapper); gnutls_transport_set_pull_function(session, (gnutls_pull_func) &read_wrapper); return session; }
static gnutls_session_t initialize_tls_session (struct params_res *params) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct (session, "NONE:+VERS-TLS-ALL:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); if (params->enable_db) { gnutls_db_set_retrieve_function (session, wrap_db_fetch); gnutls_db_set_remove_function (session, wrap_db_delete); gnutls_db_set_store_function (session, wrap_db_store); gnutls_db_set_ptr (session, NULL); } if (params->enable_session_ticket_server) gnutls_session_ticket_enable_server (session, &session_ticket_key); return session; }
bool CTlsSocket::InitSession() { int res = gnutls_init(&m_session, GNUTLS_CLIENT); if (res) { LogError(res, _T("gnutls_init")); Uninit(); return false; } // Even though the name gnutls_db_set_cache_expiration // implies expiration of some cache, it also governs // the actual session lifetime, independend whether the // session is cached or not. gnutls_db_set_cache_expiration(m_session, 100000000); res = gnutls_priority_set_direct(m_session, ciphers, 0); if (res) { LogError(res, _T("gnutls_priority_set_direct")); Uninit(); return false; } gnutls_dh_set_prime_bits(m_session, 512); gnutls_credentials_set(m_session, GNUTLS_CRD_CERTIFICATE, m_certCredentials); // Setup transport functions gnutls_transport_set_push_function(m_session, PushFunction); gnutls_transport_set_pull_function(m_session, PullFunction); gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this); return true; }
gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); if (TLS_SESSION_CACHE != 0) { gnutls_db_set_retrieve_function (session, wrap_db_fetch); gnutls_db_set_remove_function (session, wrap_db_delete); gnutls_db_set_store_function (session, wrap_db_store); gnutls_db_set_ptr (session, NULL); } return session; }
void rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen) { new_F->type |= RB_FD_SSL; new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); new_F->accept = rb_malloc(sizeof(struct acceptdata)); new_F->accept->callback = F->accept->callback; new_F->accept->data = F->accept->data; rb_settimeout(new_F, 10, rb_ssl_timeout, NULL); memcpy(&new_F->accept->S, st, addrlen); new_F->accept->addrlen = addrlen; gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER); gnutls_set_default_priority(SSL_P(new_F)); gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509); gnutls_dh_set_prime_bits(SSL_P(new_F), 1024); gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F)); if (do_ssl_handshake(F, rb_ssl_tryaccept)) { struct acceptdata *ad = F->accept; F->accept = NULL; ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); rb_free(ad); } }
void rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout) { struct ssl_connect *sconn; if (F == NULL) return; sconn = rb_malloc(sizeof(struct ssl_connect)); sconn->data = data; sconn->callback = callback; sconn->timeout = timeout; F->connect = rb_malloc(sizeof(struct conndata)); F->connect->callback = callback; F->connect->data = data; F->type |= RB_FD_SSL; F->ssl = rb_malloc(sizeof(gnutls_session_t)); gnutls_init(F->ssl, GNUTLS_CLIENT); gnutls_set_default_priority(SSL_P(F)); gnutls_dh_set_prime_bits(SSL_P(F), 1024); gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); if (do_ssl_handshake(F, rb_ssl_tryconn_cb)) { rb_ssl_connect_realcb(F, RB_OK, sconn); } }
static void rb_ssl_tryconn(rb_fde_t *F, int status, void *data) { struct ssl_connect *sconn = data; if (status != RB_OK) { rb_ssl_connect_realcb(F, status, sconn); return; } F->type |= RB_FD_SSL; rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); F->ssl = rb_malloc(sizeof(gnutls_session_t)); gnutls_init(F->ssl, GNUTLS_CLIENT); gnutls_set_default_priority(SSL_P(F)); gnutls_dh_set_prime_bits(SSL_P(F), 1024); gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); if (do_ssl_handshake(F, rb_ssl_tryconn_cb)) { rb_ssl_connect_realcb(F, RB_OK, sconn); } }
bool gtlsServerData::initSession(gnutls_session_t & _session) { bool status = true; int ret = 0; // Create a session. ret = gnutls_init (&_session, GNUTLS_SERVER); if (ret < 0) { initialized_ = false; } // printerror("gnutls_init", ret); // Set the default priority. ret = gnutls_set_default_priority(_session); if (ret < 0) { initialized_ = false; } // printerror("gnutls_set_default_priority", ret); ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, gtlsglobalserverdata_->cert_cred); if (ret < 0) { initialized_ = false; } // printerror("gnutls_credentials_set", ret); gnutls_certificate_server_set_request(_session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits(_session, gtlsGeneric::GNUTLSIF_DH_BITS); // GNUTLS_NOTICE("Created new TLS session with id = " << _session); return status; }
SslSocket::SslSocket(SslDriver *driver, struct ev_loop *loop, int fd, int af) : x0::Socket(loop, fd, af), #ifndef XZERO_NDEBUG ctime_(ev_now(loop)), #endif driver_(driver), context_(nullptr), session_() { TRACE("SslSocket()"); setSecure(true); setState(Handshake); GNUTLS_CHECK( gnutls_init(&session_, GNUTLS_SERVER) ); gnutls_handshake_set_post_client_hello_function(session_, &SslSocket::onClientHello); gnutls_certificate_server_set_request(session_, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits(session_, 1024); gnutls_session_enable_compatibility_mode(session_); gnutls_session_set_ptr(session_, this); gnutls_transport_set_ptr(session_, reinterpret_cast<gnutls_transport_ptr_t>(handle())); driver_->initialize(this); }
static gnutls_session_t initialize_tls_session (struct params_res *params) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); if (params->enable_db) { gnutls_db_set_retrieve_function (session, wrap_db_fetch); gnutls_db_set_remove_function (session, wrap_db_delete); gnutls_db_set_store_function (session, wrap_db_store); gnutls_db_set_ptr (session, NULL); } #ifdef ENABLE_SESSION_TICKET if (params->enable_session_ticket_server) gnutls_session_ticket_enable_server (session, &session_ticket_key); #endif return session; }
void rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout) { gnutls_session_t *ssl; new_F->type |= RB_FD_SSL; ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); new_F->accept = rb_malloc(sizeof(struct acceptdata)); new_F->accept->callback = cb; new_F->accept->data = data; rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL); new_F->accept->addrlen = 0; gnutls_init(ssl, GNUTLS_SERVER); gnutls_set_default_priority(*ssl); gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509); gnutls_dh_set_prime_bits(*ssl, 1024); gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd); if (do_ssl_handshake(new_F, rb_ssl_tryaccept)) { struct acceptdata *ad = new_F->accept; new_F->accept = NULL; ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); rb_free(ad); } }
gnutls_session initialize_tls_session (int sd, char* CN) { int ret; gnutls_session session; gnutls_init (&session, GNUTLS_SERVER); gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE); gnutls_dh_set_prime_bits (session, DH_BITS); gnutls_transport_set_ptr (session, (gnutls_transport_ptr) GINT_TO_POINTER(sd)); ret = gnutls_handshake (session); if (ret < 0) { close (sd); gnutls_deinit (session); quorum_log(LOG_WARNING,"handshake failed"); return NULL; } if (verify_certificate(session,CN) < 0) { return NULL; } return session; }
/** Set up the given session with the settings in this profile */ void SetupSession(gnutls_session_t sess) { priority.SetupSession(sess); x509cred.SetupSession(sess); gnutls_dh_set_prime_bits(sess, min_dh_bits); // Request client certificate if we are a server, no-op if we're a client gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST); }
static gpointer server_thread (gpointer user_data) { int listener = GPOINTER_TO_INT (user_data), client; gnutls_certificate_credentials creds; gnutls_session_t session; struct sockaddr_in sin; int len; char buf[BUFSIZE]; int status; gnutls_certificate_allocate_credentials (&creds); if (gnutls_certificate_set_x509_key_file (creds, ssl_cert_file, ssl_key_file, GNUTLS_X509_FMT_PEM) != 0) { g_error ("Failed to set SSL certificate and key files " "(%s, %s).", ssl_cert_file, ssl_key_file); } gnutls_certificate_set_dh_params (creds, dh_params); /* Create a new session */ gnutls_init (&session, GNUTLS_SERVER); gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, creds); gnutls_dh_set_prime_bits (session, DH_BITS); /* Wait for client thread to connect */ len = sizeof (sin); client = accept (listener, (struct sockaddr *) &sin, (void *)&len); gnutls_transport_set_ptr (session, GINT_TO_POINTER (client)); /* Initial handshake */ status = gnutls_handshake (session); if (status < 0) g_error ("initial handshake failed: %d", status); /* Synchronous client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* Async client test. */ server_read (session, buf, BUFSIZE); server_write (session, buf, BUFSIZE); /* That's all, folks. */ gnutls_bye (session, GNUTLS_SHUT_WR); gnutls_deinit (session); close (client); gnutls_certificate_free_credentials (creds); return NULL; }
/* initializes a gnutls_session with some defaults. */ static gnutls_session init_tls_session (const char *hostname) { gnutls_session session; gnutls_init (&session, GNUTLS_CLIENT); /* allow the use of private ciphersuites. */ if (disable_extensions == 0) { gnutls_handshake_set_private_extensions (session, 1); gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, strlen (hostname)); gnutls_certificate_type_set_priority (session, cert_type_priority); } gnutls_cipher_set_priority (session, cipher_priority); gnutls_compression_set_priority (session, comp_priority); gnutls_kx_set_priority (session, kx_priority); gnutls_protocol_set_priority (session, protocol_priority); gnutls_mac_set_priority (session, mac_priority); gnutls_dh_set_prime_bits (session, 512); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred); gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); gnutls_credentials_set (session, GNUTLS_CRD_PSK, psk_cred); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); gnutls_certificate_client_set_retrieve_function (xcred, cert_callback); /* send the fingerprint */ if (fingerprint != 0) gnutls_openpgp_send_key (session, GNUTLS_OPENPGP_KEY_FINGERPRINT); /* use the max record size extension */ if (record_max_size > 0 && disable_extensions == 0) { if (gnutls_record_set_max_size (session, record_max_size) < 0) { fprintf (stderr, "Cannot set the maximum record size to %d.\n", record_max_size); fprintf (stderr, "Possible values: 512, 1024, 2048, 4096.\n"); exit (1); } } return session; }
void anon_tls_server (evcom_stream *stream) { gnutls_session_t session; stream->data = session; int r = gnutls_init(&session, GNUTLS_SERVER); assert(r == 0); gnutls_set_default_priority(session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set(session, GNUTLS_CRD_ANON, server_credentials); gnutls_dh_set_prime_bits(session, DH_BITS); evcom_stream_set_secure_session(stream, session); }
static bool ConnSSL_Init_SSL(CONNECTION *c) { int ret; assert(c != NULL); #ifdef HAVE_LIBSSL if (!ssl_ctx) { Log(LOG_ERR, "Cannot init ssl_ctx: OpenSSL initialization failed at startup"); return false; } assert(c->ssl_state.ssl == NULL); c->ssl_state.ssl = SSL_new(ssl_ctx); if (!c->ssl_state.ssl) { LogOpenSSLError("SSL_new()", NULL); return false; } ret = SSL_set_fd(c->ssl_state.ssl, c->sock); if (ret != 1) { LogOpenSSLError("SSL_set_fd()", NULL); ConnSSL_Free(c); return false; } #endif #ifdef HAVE_LIBGNUTLS ret = gnutls_set_default_priority(c->ssl_state.gnutls_session); if (ret < 0) { Log(LOG_ERR, "gnutls_set_default_priority: %s", gnutls_strerror(ret)); ConnSSL_Free(c); return false; } /* * The intermediate (long) cast is here to avoid a warning like: * "cast to pointer from integer of different size" on 64-bit platforms. * There doesn't seem to be an alternate GNUTLS API we could use instead, see e.g. * http://www.mail-archive.com/[email protected]/msg00286.html */ gnutls_transport_set_ptr(c->ssl_state.gnutls_session, (gnutls_transport_ptr_t) (long) c->sock); ret = gnutls_credentials_set(c->ssl_state.gnutls_session, GNUTLS_CRD_CERTIFICATE, x509_cred); if (ret < 0) { Log(LOG_ERR, "gnutls_credentials_set: %s", gnutls_strerror(ret)); ConnSSL_Free(c); return false; } gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN); #endif Conn_OPTION_ADD(c, CONN_SSL); return true; }
void GnuTlsStream::handshake(const GnuTlsServer& server) { log_debug("gnutls_init(session, GNUTLS_SERVER)"); int ret = gnutls_init(&_session, GNUTLS_SERVER); if (ret != 0) throw GnuTlsException("gnutls_init", ret); log_debug("gnutls_set_default_priority"); ret = gnutls_set_default_priority(_session); if (ret != 0) throw GnuTlsException("gnutls_set_default_priority", ret); log_debug("gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, " << server.getCred() << ')'); ret = gnutls_credentials_set(_session, GNUTLS_CRD_CERTIFICATE, server.getCred()); if (ret != 0) throw GnuTlsException("gnutls_credentials_set", ret); log_debug("gnutls_dh_set_prime_bits(session, 1024)"); gnutls_dh_set_prime_bits(_session, 1024); _fdInfo.fd = getFd(); _fdInfo.timeout = getTimeout(); log_debug("gnutls_transport_set_ptr(ptr)"); gnutls_transport_set_ptr(_session, static_cast<gnutls_transport_ptr_t>(&_fdInfo)); log_debug("gnutls_transport_set_pull_function()"); gnutls_transport_set_pull_function(_session, pull_func); log_debug("gnutls_transport_set_push_function()"); gnutls_transport_set_push_function(_session, push_func); // non-blocking/with timeout _fdInfo.timeout = 10000; log_debug("gnutls_handshake"); ret = gnutls_handshake(_session); log_debug("gnutls_handshake => " << ret); if (ret != 0) throw GnuTlsException("gnutls_handshake", ret); _connected = true; _fdInfo.timeout = getTimeout(); log_debug("ssl-handshake was completed"); }
gtlsClientData::gtlsClientData(std::string const& _caFile, std::string const& _certFile, std::string const& _keyFile) { int ret = 0; gnutls_global_set_log_level(loglevel); gnutls_global_set_log_function(gtlsGeneric::logCallback); gnutls_certificate_allocate_credentials(&cred_); // GNUTLS_NOTICE("Allocted credentials"); // Add the certificate authority used. // GNUTLS_NOTICE("Setting CA, file='" << _caFile << "'"); ret = gnutls_certificate_set_x509_trust_file(cred_, _caFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_trust_file", ret); // GNUTLS_NOTICE("Processed " << ret << " certificates."); // Set the cert and private key. // Set the certificate and priate key pair. // GNUTLS_NOTICE("Setting certificate, file='" << _certFile << "'"); // GNUTLS_NOTICE("Setting private key, file='" << _keyFile << "'"); ret = gnutls_certificate_set_x509_key_file(cred_, _certFile.c_str(), _keyFile.c_str(), GNUTLS_X509_FMT_PEM); // printerror("gnutls_certificate_set_x509_key_file", ret); // GNUTLS_NOTICE("Processed " << ret << " certificate/key pair(s)."); ret = gnutls_init(&session_, GNUTLS_CLIENT); // printerror("gnutls_init", ret); ret = gnutls_set_default_priority(session_); // printerror("gnutls_set_default_priority", ret); gnutls_dh_set_prime_bits(session_, gtlsGeneric::GNUTLSIF_DH_BITS); const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 }; ret = gnutls_certificate_type_set_priority(session_, cert_type_priority); // printerror("gnutls_certificate_type_set_priority", ret); ret = gnutls_credentials_set(session_, GNUTLS_CRD_CERTIFICATE, cred_); // printerror("gnutls_credentials_set", ret); }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set_direct (session, "NORMAL:+ANON-DH", NULL); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); return session; }
void ssl_init(struct sockifo* ifo, const char* key, const char* cert, const char* ca, int server) { int rv; rv = gnutls_certificate_allocate_credentials(&ifo->xcred); if (rv < 0) goto out_err; if (cert && *cert) { rv = gnutls_certificate_set_x509_key_file(ifo->xcred, cert, key, GNUTLS_X509_FMT_PEM); if (rv < 0) goto out_err_cred; } if (ca && *ca) { if (!access(ca, R_OK)) { ifo->state.ssl_verify_type = VERIFY_CA; rv = gnutls_certificate_set_x509_trust_file(ifo->xcred, ca, GNUTLS_X509_FMT_PEM); if (rv < 0) goto out_err_cred; } else { ifo->state.ssl_verify_type = VERIFY_FP; ifo->fingerprint = strdup(ca); } } gnutls_certificate_set_dh_params(ifo->xcred, dh_params); rv = gnutls_init(&ifo->ssl, server ? GNUTLS_SERVER : GNUTLS_CLIENT); if (rv < 0) goto out_err_cred; rv = gnutls_set_default_priority(ifo->ssl); if (rv < 0) goto out_err_all; rv = gnutls_credentials_set(ifo->ssl, GNUTLS_CRD_CERTIFICATE, ifo->xcred); if (rv < 0) goto out_err_all; if (server) { gnutls_dh_set_prime_bits(ifo->ssl, 1024); gnutls_certificate_server_set_request(ifo->ssl, GNUTLS_CERT_REQUEST); } gnutls_transport_set_ptr(ifo->ssl, (gnutls_transport_ptr_t)(long) ifo->fd); ifo->state.ssl = SSL_HSHK; if (!ifo->state.connpend) ssl_handshake(ifo); return; out_err_all: gnutls_deinit(ifo->ssl); out_err_cred: gnutls_certificate_free_credentials(ifo->xcred); if (ifo->fingerprint) free(ifo->fingerprint); out_err: esock(ifo, gnutls_strerror(rv)); }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); gnutls_priority_set_direct (session, "NORMAL", NULL); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits (session, DH_BITS); return session; }
static gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); gnutls_dh_set_prime_bits (session, DH_BITS); return session; }
void InitSession(StreamSocket* user, bool me_server) { issl_session* session = &sessions[user->GetFd()]; gnutls_init(&session->sess, me_server ? GNUTLS_SERVER : GNUTLS_CLIENT); session->socket = user; #ifdef GNUTLS_NEW_PRIO_API gnutls_priority_set(session->sess, priority); #endif gnutls_credentials_set(session->sess, GNUTLS_CRD_CERTIFICATE, x509_cred); gnutls_dh_set_prime_bits(session->sess, dh_bits); gnutls_transport_set_ptr(session->sess, reinterpret_cast<gnutls_transport_ptr_t>(session)); gnutls_transport_set_push_function(session->sess, gnutls_push_wrapper); gnutls_transport_set_pull_function(session->sess, gnutls_pull_wrapper); if (me_server) gnutls_certificate_server_set_request(session->sess, GNUTLS_CERT_REQUEST); // Request client certificate if any. Handshake(session, user); }
gnutls_session_t initialize_tls_session (void) { gnutls_session_t session; gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits (session, DH_BITS); return session; }
static gnutls_session_t initialize_tls_session(void) { gnutls_session_t session; gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. Moved to later on to be able to test re-handshakes. gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); */ gnutls_dh_set_prime_bits(session, DH_BITS); return session; }
static gnutls_session_t initialize_tls_session(void) { gnutls_session_t session; gnutls_init(&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults * are adequate. */ gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST); gnutls_dh_set_prime_bits(session, DH_BITS); return session; }
bool GnuTLSServerAnon::init( const std::string&, const std::string&, const StringList& ) { const int protocolPriority[] = { GNUTLS_TLS1, 0 }; const int kxPriority[] = { GNUTLS_KX_ANON_DH, 0 }; const int cipherPriority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 }; const int compPriority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; const int macPriority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; if( m_initLib && gnutls_global_init() != 0 ) return false; if( gnutls_anon_allocate_server_credentials( &m_anoncred ) < 0 ) return false; generateDH(); gnutls_anon_set_server_dh_params( m_anoncred, m_dhParams ); if( gnutls_init( m_session, GNUTLS_SERVER ) != 0 ) return false; gnutls_protocol_set_priority( *m_session, protocolPriority ); gnutls_cipher_set_priority( *m_session, cipherPriority ); gnutls_compression_set_priority( *m_session, compPriority ); gnutls_kx_set_priority( *m_session, kxPriority ); gnutls_mac_set_priority( *m_session, macPriority ); gnutls_credentials_set( *m_session, GNUTLS_CRD_ANON, m_anoncred ); gnutls_dh_set_prime_bits( *m_session, m_dhBits ); gnutls_transport_set_ptr( *m_session, (gnutls_transport_ptr_t)this ); gnutls_transport_set_push_function( *m_session, pushFunc ); gnutls_transport_set_pull_function( *m_session, pullFunc ); m_valid = true; return true; }
void doit (void) { /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; const gnutls_datum_t p3 = { (void *) pkcs3, strlen (pkcs3) }; static gnutls_dh_params_t dh_params; gnutls_session_t server; int sret, cret; /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_session_t client; /* Need to enable anonymous KX specifically. */ char buffer[MAX_BUF + 1]; ssize_t ns; int ret, transferred = 0, msglen; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (99); /* Init server */ gnutls_anon_allocate_server_credentials (&s_anoncred); gnutls_dh_params_init (&dh_params); gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM); gnutls_anon_set_server_dh_params (s_anoncred, dh_params); gnutls_init (&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK); ret = gnutls_priority_set_direct (server, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); if (ret < 0) exit(1); gnutls_credentials_set (server, GNUTLS_CRD_ANON, s_anoncred); gnutls_dh_set_prime_bits (server, 1024); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_pull_timeout_function (server, server_pull_timeout_func); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_anon_allocate_client_credentials (&c_anoncred); gnutls_init (&client, GNUTLS_CLIENT|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK); cret = gnutls_priority_set_direct (client, "NONE:+VERS-DTLS1.0:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH", NULL); if (cret < 0) exit(1); gnutls_credentials_set (client, GNUTLS_CRD_ANON, c_anoncred); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_pull_timeout_function (client, client_pull_timeout_func); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); handshake = 1; HANDSHAKE(client, server); handshake = 0; if (debug) success ("Handshake established\n"); do { ret = gnutls_record_send (client, MSG, strlen (MSG)); } while(ret == GNUTLS_E_AGAIN); //success ("client: sent %d\n", ns); msglen = strlen(MSG); TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF); if (debug) fputs ("\n", stdout); gnutls_bye (client, GNUTLS_SHUT_WR); gnutls_bye (server, GNUTLS_SHUT_WR); gnutls_deinit (client); gnutls_deinit (server); gnutls_anon_free_client_credentials (c_anoncred); gnutls_anon_free_server_credentials (s_anoncred); gnutls_dh_params_deinit (dh_params); gnutls_global_deinit (); }
/* tls_negotiate: After TLS state has been initialised, attempt to negotiate * TLS over the wire, including certificate checks. */ static int tls_negotiate (CONNECTION * conn) { tlssockdata *data; int err; size_t nproto = 0; /* number of tls/ssl protocols */ data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata)); conn->sockdata = data; err = gnutls_certificate_allocate_credentials (&data->xcred); if (err < 0) { FREE(&conn->sockdata); mutt_error ("gnutls_certificate_allocate_credentials: %s", gnutls_strerror(err)); mutt_sleep (2); return -1; } gnutls_certificate_set_x509_trust_file (data->xcred, SslCertFile, GNUTLS_X509_FMT_PEM); /* ignore errors, maybe file doesn't exist yet */ if (SslCACertFile) { gnutls_certificate_set_x509_trust_file (data->xcred, SslCACertFile, GNUTLS_X509_FMT_PEM); } if (SslClientCert) { dprint (2, (debugfile, "Using client certificate %s\n", SslClientCert)); gnutls_certificate_set_x509_key_file (data->xcred, SslClientCert, SslClientCert, GNUTLS_X509_FMT_PEM); } #if HAVE_DECL_GNUTLS_VERIFY_DISABLE_TIME_CHECKS /* disable checking certificate activation/expiration times in gnutls, we do the checks ourselves */ gnutls_certificate_set_verify_flags(data->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS); #endif if ((err = gnutls_init(&data->state, GNUTLS_CLIENT))) { mutt_error ("gnutls_handshake: %s", gnutls_strerror(err)); mutt_sleep (2); goto fail; } /* set socket */ gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd); if (option(OPTTLSV1_2)) protocol_priority[nproto++] = GNUTLS_TLS1_2; if (option(OPTTLSV1_1)) protocol_priority[nproto++] = GNUTLS_TLS1_1; if (option(OPTTLSV1)) protocol_priority[nproto++] = GNUTLS_TLS1; if (option(OPTSSLV3)) protocol_priority[nproto++] = GNUTLS_SSL3; protocol_priority[nproto] = 0; /* disable TLS/SSL protocols as needed */ if (nproto == 0) { mutt_error (_("All available protocols for TLS/SSL connection disabled")); goto fail; } /* else use the list set above */ /* We use default priorities (see gnutls documentation), except for protocol version */ gnutls_set_default_priority (data->state); gnutls_protocol_set_priority (data->state, protocol_priority); if (SslDHPrimeBits > 0) { gnutls_dh_set_prime_bits (data->state, SslDHPrimeBits); } /* gnutls_set_cred (data->state, GNUTLS_ANON, NULL); */ gnutls_credentials_set (data->state, GNUTLS_CRD_CERTIFICATE, data->xcred); err = gnutls_handshake(data->state); while (err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED) { err = gnutls_handshake(data->state); } if (err < 0) { if (err == GNUTLS_E_FATAL_ALERT_RECEIVED) { mutt_error("gnutls_handshake: %s(%s)", gnutls_strerror(err), gnutls_alert_get_name(gnutls_alert_get(data->state))); } else { mutt_error("gnutls_handshake: %s", gnutls_strerror(err)); } mutt_sleep (2); goto fail; } if (!tls_check_certificate(conn)) goto fail; /* set Security Strength Factor (SSF) for SASL */ /* NB: gnutls_cipher_get_key_size() returns key length in bytes */ conn->ssf = gnutls_cipher_get_key_size (gnutls_cipher_get (data->state)) * 8; tls_get_client_cert (conn); if (!option(OPTNOCURSES)) { mutt_message (_("SSL/TLS connection using %s (%s/%s/%s)"), gnutls_protocol_get_name (gnutls_protocol_get_version (data->state)), gnutls_kx_get_name (gnutls_kx_get (data->state)), gnutls_cipher_get_name (gnutls_cipher_get (data->state)), gnutls_mac_get_name (gnutls_mac_get (data->state))); mutt_sleep (0); } return 0; fail: gnutls_certificate_free_credentials (data->xcred); gnutls_deinit (data->state); FREE(&conn->sockdata); return -1; }