diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-06 08:59:33 +0000 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-06-06 08:59:33 +0000 |
| commit | 58054757e96043d904047beb4c0419c837fed7b2 (patch) | |
| tree | 65e026300278bd81c67f01dba54bcc8aa3049eee | |
| parent | e963b0af50a51542ea510be7c66a37079c6512bf (diff) | |
| download | gnutls-58054757e96043d904047beb4c0419c837fed7b2.tar.gz | |
updated gnutls-cli-debug to print DHE and RSA-EXPORT information if verbose is set. Some other minor fixes.
| -rw-r--r-- | lib/auth_cert.c | 1 | ||||
| -rw-r--r-- | lib/auth_cert.h | 4 | ||||
| -rw-r--r-- | lib/auth_dh_common.h | 4 | ||||
| -rw-r--r-- | lib/gnutls_compress_int.c | 5 | ||||
| -rw-r--r-- | lib/gnutls_state.c | 1 | ||||
| -rw-r--r-- | src/cli.c | 4 | ||||
| -rw-r--r-- | src/common.c | 68 | ||||
| -rw-r--r-- | src/common.h | 1 | ||||
| -rw-r--r-- | src/tests.c | 124 | ||||
| -rw-r--r-- | src/tests.h | 4 | ||||
| -rw-r--r-- | src/tls_test.c | 7 |
11 files changed, 160 insertions, 63 deletions
diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 1415e0bec6..9e67b1a791 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -1211,7 +1211,6 @@ int _gnutls_gen_cert_client_cert_vrfy(gnutls_session session, return ret; } } else { - gnutls_assert(); return 0; } diff --git a/lib/auth_cert.h b/lib/auth_cert.h index cb6bab300e..d024f16e4f 100644 --- a/lib/auth_cert.h +++ b/lib/auth_cert.h @@ -97,9 +97,9 @@ typedef struct { #define gnutls_certificate_credentials certificate_credentials_st* typedef struct rsa_info_st { - opaque modulus[64]; + opaque modulus[65]; size_t modulus_size; - opaque exponent[64]; + opaque exponent[65]; size_t exponent_size; } rsa_info_t; diff --git a/lib/auth_dh_common.h b/lib/auth_dh_common.h index 8d82d3c33c..0da5c59f92 100644 --- a/lib/auth_dh_common.h +++ b/lib/auth_dh_common.h @@ -4,11 +4,11 @@ typedef struct dh_info_st { int secret_bits; - opaque prime[1024]; + opaque prime[1025]; size_t prime_size; opaque generator[16]; size_t generator_size; - opaque public_key[1024]; + opaque public_key[1025]; size_t public_key_size; } dh_info_t; diff --git a/lib/gnutls_compress_int.c b/lib/gnutls_compress_int.c index 7616e9212a..b0c63ee551 100644 --- a/lib/gnutls_compress_int.c +++ b/lib/gnutls_compress_int.c @@ -114,9 +114,8 @@ int err; break; #endif - default: - gnutls_free(ret); - return NULL; + case GNUTLS_COMP_NULL: + break; } return ret; } diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 5abeab791e..7f3d89bf5a 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -475,6 +475,7 @@ int _gnutls_rsa_export_set_pubkey( gnutls_session session, mpi_t exp, mpi_t mod) return GNUTLS_E_INTERNAL_ERROR; info->rsa_export.modulus_size = sizeof( info->rsa_export.modulus); + ret = _gnutls_mpi_print_lz( info->rsa_export.modulus, &info->rsa_export.modulus_size, mod); if (ret < 0) { gnutls_assert(); @@ -85,8 +85,8 @@ static gnutls_certificate_credentials xcred; int protocol_priority[PRI_MAX] = { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; int kx_priority[PRI_MAX] = - { GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS, - GNUTLS_KX_RSA, GNUTLS_KX_SRP, + { GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, + GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP, /* Do not use anonymous authentication, unless you know what that means */ GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_ANON_DH, 0 }; diff --git a/src/common.c b/src/common.c index 2c3bb5fcf7..85b851b2f4 100644 --- a/src/common.c +++ b/src/common.c @@ -44,6 +44,25 @@ static char buffer[5*1024]; const char str_unknown[] = "(unknown)"; +/* Hex encodes the given data. + */ +const char *raw_to_string(const unsigned char *raw, size_t raw_size) +{ + static char buf[1024]; + size_t i; + if (raw_size == 0) return NULL; + + if (raw_size * 3 + 1 >= sizeof(buf)) + return NULL; + + for (i = 0; i < raw_size; i++) { + sprintf(&(buf[i * 3]), "%02X%s", raw[i], (i==raw_size-1)?"":":"); + } + buf[sizeof(buf) - 1] = '\0'; + + return buf; +} + static const char *my_ctime(const time_t * tv) { static char buf[256]; @@ -67,10 +86,9 @@ void print_x509_info(gnutls_session session, const char* hostname) char dn[256]; size_t dn_size; size_t digest_size = sizeof(digest); - unsigned int i, j; + unsigned int j; size_t serial_size = sizeof(serial); - char printable[256]; - char *print; + const char *print; const char* cstr; unsigned int bits, algo; time_t expiret, activet; @@ -153,13 +171,9 @@ void print_x509_info(gnutls_session session, const char* hostname) */ if (gnutls_x509_crt_get_serial(crt, serial, &serial_size) >= 0) { - print = printable; - for (i = 0; i < serial_size; i++) { - sprintf(print, "%.2x ", - (unsigned char) serial[i]); - print += 3; - } - printf(" # serial number: %s\n", printable); + print = raw_to_string( serial, serial_size); + if (print!=NULL) + printf(" # serial number: %s\n", print); } /* Print the fingerprint of the certificate @@ -169,13 +183,9 @@ void print_x509_info(gnutls_session session, const char* hostname) < 0) { fprintf(stderr, "Error in fingerprint calculation: %s\n", gnutls_strerror(ret)); } else { - print = printable; - for (i = 0; i < digest_size; i++) { - sprintf(print, "%.2x ", - (unsigned char) digest[i]); - print += 3; - } - printf(" # fingerprint: %s\n", printable); + print = raw_to_string( digest, digest_size); + if (print != NULL) + printf(" # fingerprint: %s\n", print); } /* Print the version of the X.509 @@ -217,10 +227,8 @@ void print_openpgp_info(gnutls_session session, const char* hostname) char digest[20]; size_t digest_size = sizeof(digest); - unsigned int i; int ret; - char printable[120]; - char *print; + const char *print; const char* cstr; char name[256]; size_t name_len = sizeof(name); @@ -297,12 +305,7 @@ void print_openpgp_info(gnutls_session session, const char* hostname) if (gnutls_openpgp_key_get_fingerprint(crt, digest, &digest_size) >= 0) { - print = printable; - for (i = 0; i < digest_size; i++) { - sprintf(print, "%.2x ", - (unsigned char) digest[i]); - print += 3; - } + print = raw_to_string( digest, digest_size); printf(" # PGP Key version: %d\n", gnutls_openpgp_key_get_version(crt)); @@ -315,7 +318,8 @@ void print_openpgp_info(gnutls_session session, const char* hostname) cstr = SU(gnutls_pk_algorithm_get_name( algo)); printf("%s (%d bits)\n", cstr, bits); - printf(" # PGP Key fingerprint: %s\n", printable); + if (print != NULL) + printf(" # PGP Key fingerprint: %s\n", print); name_len = sizeof(name); if (gnutls_openpgp_key_get_name(crt, 0, name, &name_len) < 0) { @@ -418,16 +422,6 @@ int print_info(gnutls_session session, const char* hostname) print_cert_vrfy(session); - /* Check if we have been using ephemeral Diffie Hellman. - */ - if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { - printf - ("- Ephemeral DH using prime of %d bits, secret key " - "of %d bits, and peer's public key is %d bits.\n", - gnutls_dh_get_prime_bits(session), - gnutls_dh_get_secret_bits(session), - gnutls_dh_get_peers_public_bits(session)); - } } tmp = diff --git a/src/common.h b/src/common.h index 6c8208803f..3003a21ed3 100644 --- a/src/common.h +++ b/src/common.h @@ -35,6 +35,7 @@ void parse_ctypes( char** ctype, int nctype, int * cert_type_priority); void parse_macs( char** macs, int nmacs, int *mac_priority); void parse_ciphers( char** ciphers, int nciphers, int* cipher_priority); void parse_protocols( char** protocols, int protocols_size, int* protocol_priority); +const char *raw_to_string(const unsigned char *raw, size_t raw_size); void sockets_init( void); #ifndef HAVE_INET_NTOP diff --git a/src/tests.c b/src/tests.c index 2b4131259f..029a577b29 100644 --- a/src/tests.c +++ b/src/tests.c @@ -66,15 +66,13 @@ int ret, alert; handshake_output = ret; if (ret < 0 && more_info != 0) { - printf("\n"); if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { alert = gnutls_alert_get( session); + printf("\n"); printf("*** Received alert [%d]: %s\n", alert, gnutls_alert_get_name( alert)); } - printf( "*** Handshake has failed\n"); - GERR(ret); } if (ret < 0) return GFAILED; @@ -220,7 +218,13 @@ int ret; } #endif -int test_export( gnutls_session session) { +static int export_true = 0; +static gnutls_datum exp = { NULL, 0 }, mod = {NULL, 0}; + +int test_export( gnutls_session session) +{ +int ret; + ADD_ALL_COMP(session); ADD_ALL_CERTTYPES(session); ADD_ALL_PROTOCOLS(session); @@ -230,10 +234,64 @@ int test_export( gnutls_session session) { ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); - return do_handshake( session); + ret = do_handshake( session); + + if (ret == SUCCEED) { + export_true = 1; + gnutls_rsa_export_get_pubkey( session, &exp, &mod); + } + + return ret; } -int test_dhe( gnutls_session session) { +int test_export_info( gnutls_session session) +{ +int ret2, ret; +gnutls_datum exp2, mod2; +const char* print; + + if (more_info == 0) return SUCCEED; + if (export_true == 0) return GFAILED; + + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + + ADD_KX(session, GNUTLS_KX_RSA_EXPORT); + ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + + printf("\n"); + if (ret == SUCCEED) { + ret2 = gnutls_rsa_export_get_pubkey( session, &exp2, &mod2); + if (ret2 >= 0) { + print = raw_to_string( exp2.data, exp2.size); + if (print) + printf(" Exponent [%d bits]: %s\n", exp2.size*8, print); + + print = raw_to_string( mod2.data, mod2.size); + if (print) + printf(" Modulus [%d bits]: %s\n", mod2.size*8, print); + + if (mod2.size != mod.size || exp2.size != exp.size || + memcmp( mod2.data, mod.data, mod.size) != 0 || + memcmp( exp2.data, exp.data, exp.size) != 0) { + printf(" (server uses different public keys per connection)\n"); + } + } + } + + return ret; + +} + +static gnutls_datum pubkey = { NULL , 0 }; + +int test_dhe( gnutls_session session) +{ int ret; ADD_ALL_CIPHERS(session); @@ -248,16 +306,53 @@ int ret; ret = do_handshake( session); dh_bits = gnutls_dh_get_prime_bits( session); if (dh_bits < 0) dh_bits = 0; + + gnutls_dh_get_pubkey( session, &pubkey); return ret; } -int test_dhe_bits( gnutls_session session) { +int test_dhe_group( gnutls_session session) +{ +int ret, ret2; +gnutls_datum gen, prime, pubkey2; +const char* print; + + if (more_info == 0) return SUCCEED; - if (dh_bits == 0) return GFAILED; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); - printf( " %d", dh_bits); - return SUCCEED; + ADD_KX2(session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + + printf("\n"); + ret2 = gnutls_dh_get_group( session, &gen, &prime); + if (ret2 >= 0) { + print = raw_to_string( gen.data, gen.size); + if (print) + printf(" Generator [%d bits]: %s\n", gen.size*8, print); + + print = raw_to_string( prime.data, prime.size); + if (print) + printf(" Prime [%d bits]: %s\n", prime.size*8, print); + + gnutls_dh_get_pubkey( session, &pubkey2); + print = raw_to_string( pubkey2.data, pubkey2.size); + if (print) + printf(" Pubkey [%d bits]: %s\n", pubkey2.size*8, print); + + if (pubkey2.data && pubkey2.size == pubkey.size && + memcmp( pubkey.data, pubkey2.data, pubkey.size)==0) { + printf(" (public key seems to be static among sessions)\n"); + } + } + return ret; } int test_ssl3( gnutls_session session) @@ -789,6 +884,8 @@ extern char* hostname; int test_certificate( gnutls_session session) { int ret; + if (more_info == 0) return SUCCEED; + ADD_ALL_CIPHERS(session); ADD_ALL_COMP(session); ADD_ALL_CERTTYPES(session); @@ -818,6 +915,8 @@ char issuer_dn[256]; int i, ret; size_t len; + if (more_info == 0) return -1; + /* Print the server's trusted CAs */ printf("\n"); @@ -847,6 +946,8 @@ int test_server_cas( gnutls_session session) { int ret; + if (more_info == 0) return SUCCEED; + ADD_ALL_CIPHERS(session); ADD_ALL_COMP(session); ADD_ALL_CERTTYPES(session); @@ -858,8 +959,9 @@ int ret; gnutls_certificate_client_set_retrieve_function( xcred, cert_callback); ret = do_handshake( session); - if (ret ==GFAILED) return ret; + gnutls_certificate_client_set_retrieve_function( xcred, NULL); + if (ret ==GFAILED) return ret; return SUCCEED; } diff --git a/src/tests.h b/src/tests.h index 6a4125a9a3..8eafd3f775 100644 --- a/src/tests.h +++ b/src/tests.h @@ -4,9 +4,10 @@ int test_srp( gnutls_session state); int test_export( gnutls_session state); +int test_export_info( gnutls_session state); int test_hello_extension( gnutls_session state); int test_dhe( gnutls_session state); -int test_dhe_bits( gnutls_session state); +int test_dhe_group( gnutls_session state); int test_ssl3( gnutls_session state); int test_aes( gnutls_session state); int test_md5( gnutls_session state); @@ -36,5 +37,4 @@ int test_lzo( gnutls_session session); int _test_srp_username_callback( gnutls_session session, unsigned int times, char** username, char** password); -#define GERR(ret) fprintf(stderr, "*** Error: %s\n", gnutls_strerror(ret)) diff --git a/src/tls_test.c b/src/tls_test.c index 0ace0f064c..10dc01e734 100644 --- a/src/tls_test.c +++ b/src/tls_test.c @@ -103,12 +103,13 @@ static const TLS_TEST tls_tests[] = { */ { "whether the server supports session resumption", test_session_resume2, "yes", "no", "dunno"}, { "for export-grade ciphersuite support", test_export, "yes", "no", "dunno" }, + { "for export-grade ciphersuite info", test_export_info, "", "N/A", "N/A" }, #ifdef ENABLE_ANON { "for anonymous authentication support", test_anonymous, "yes", "no", "dunno"}, - { "for anonymous Diffie Hellman prime size", test_dhe_bits, "", "N/A", "N/A" }, + { "for anonymous Diffie Hellman group info", test_dhe_group, "", "N/A", "N/A" }, #endif { "for ephemeral Diffie Hellman support", test_dhe, "yes", "no", "dunno" }, - { "for ephemeral Diffie Hellman prime size", test_dhe_bits, "", "N/A", "N/A" }, + { "for ephemeral Diffie Hellman group info", test_dhe_group, "", "N/A", "N/A" }, { "for AES cipher support (TLS extension)", test_aes, "yes", "no", "dunno"}, { "for 3DES cipher support", test_3des, "yes", "no", "dunno"}, { "for ARCFOUR 128 cipher support", test_arcfour, "yes", "no", "dunno"}, @@ -216,7 +217,7 @@ int main(int argc, char **argv) /* if neither of SSL3 and TLSv1 are supported, exit */ if (i > 3 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0) { - fprintf(stderr, "%d %d %d\n", tls1_1_ok,tls1_ok,ssl3_ok); + fprintf(stderr, "\nServer does not support none of SSL 3.0, TLS 1.0 and TLS 1.1\n"); break; } |