author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-03-01 13:10:39 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-03-01 13:10:39 +0000 |
commit | d792019ada0e64d4cb24b2f43c7404c51fed0550 (patch) | |
tree | 7c1a62d0fc5370bba58be7f14d9f84c7c51b799d | |
parent | 76699d66c0020076ecb62f4b43e59bd538ede730 (diff) | |
Updated cli and server to read certificate and keys from command line
parameters. The client, client-debug and server programs are now installed.
-rw-r--r-- | src/Makefile.am | 25 | ||||
-rw-r--r-- | src/cli-gaa.c | 250 | ||||
-rw-r--r-- | src/cli-gaa.h | 22 | ||||
-rw-r--r-- | src/cli.c | 925 | ||||
-rw-r--r-- | src/cli.gaa | 35 | ||||
-rw-r--r-- | src/common.h | 2 | ||||
-rw-r--r-- | src/crypt.c | 1 | ||||
-rw-r--r-- | src/serv-gaa.c | 290 | ||||
-rw-r--r-- | src/serv-gaa.h | 44 | ||||
-rw-r--r-- | src/serv.c | 1050 | ||||
-rw-r--r-- | src/serv.gaa | 39 | ||||
-rw-r--r-- | src/tls_test-gaa.c | 2 | ||||
-rw-r--r-- | src/tls_test.gaa | 2 |
13 files changed, 1655 insertions, 1032 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index ce60e8027a..50a9157c01 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -5,26 +5,29 @@ SUBDIRS = srp x509 openpgp INCLUDES = -I../lib -noinst_PROGRAMS = serv cli srpcrypt prime asn1c CertificateExample CrlExample tls_test -serv_SOURCES = serv.c common.c serv-gaa.c -serv_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) -srpcrypt_SOURCES = crypt-gaa.c crypt.c -srpcrypt_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) +bin_PROGRAMS = gnutls-serv gnutls-cli gnutls-srpcrypt gnutls-cli-debug +gnutls_serv_SOURCES = serv-gaa.c serv.c common.c +gnutls_serv_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) +gnutls_srpcrypt_SOURCES = crypt-gaa.c crypt.c +gnutls_srpcrypt_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) +gnutls_cli_SOURCES = cli-gaa.c cli.c common.c +gnutls_cli_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) +gnutls_cli_debug_SOURCES = tls_test-gaa.c tls_test.c tests.c +gnutls_cli_debug_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) + + + +noinst_PROGRAMS = prime asn1c CertificateExample CrlExample prime_SOURCES = prime-gaa.c prime.c prime_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) -cli_SOURCES = cli.c common.c cli-gaa.c -cli_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) -tls_test_SOURCES = tls_test.c tls_test-gaa.c tests.c -tls_test_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) - CertificateExample_SOURCES = CertificateExample.c CertificateExample_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) CrlExample_SOURCES = CrlExample.c CrlExample_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) - asn1c_SOURCES = asn1c.c asn1c_LDADD = ../lib/libgnutls.la $(LIBGCRYPT_LIBS) + crypt-gaa.c: crypt.gaa gaa crypt.gaa -o crypt-gaa.c -i crypt-gaa.h prime-gaa.c: prime.gaa diff --git a/src/cli-gaa.c b/src/cli-gaa.c index e5f3037c8b..7ac724b379 100644 --- a/src/cli-gaa.c +++ b/src/cli-gaa.c @@ -1,7 +1,7 @@ /* File generated by GAA 1.6.0b3 */ #define GAA_NO_WIN32 -#line 54 "cli.gaa" +#line 85 "cli.gaa" /* C declarations */ 
@@ -109,7 +109,7 @@ void __gaa_helpsingle(char short_name, char *name, void gaa_help(void) { - printf("cli help\nUsage: cli [options] hostname""\n"); + printf("gnutls-cli help\nUsage: gnutls-cli [options] hostname""\n"); __gaa_helpsingle('r', "resume", "", "Connect, establish a session. Connect again and resume this session."); __gaa_helpsingle('f', "fingerprint", "", "Send the openpgp fingerprint, instead of the key."); __gaa_helpsingle('p', "port", """integer"" ", "The port to connect to."); @@ -120,6 +120,15 @@ void gaa_help(void) __gaa_helpsingle(0, "macs", """mac1 mac2..."" ", "MACs to enable."); __gaa_helpsingle(0, "kx", """kx1 kx2..."" ", "Key exchange methods to enable."); __gaa_helpsingle(0, "ctypes", """certType1 certType2..."" ", "Certificate types to enable."); + __gaa_helpsingle(0, "cafile", """FILE"" ", "Certificate file to use."); + __gaa_helpsingle(0, "pgpkeyfile", """FILE"" ", "PGP Key file to use."); + __gaa_helpsingle(0, "pgpkeyring", """FILE"" ", "PGP Key ring file to use."); + __gaa_helpsingle(0, "pgptrustdb", """FILE"" ", "PGP trustdb file to use."); + __gaa_helpsingle(0, "pgpcertfile", """FILE"" ", "PGP Public Key (certificate) file to use."); + __gaa_helpsingle(0, "x509keyfile", """FILE"" ", "X.509 key file to use."); + __gaa_helpsingle(0, "x509certfile", """FILE"" ", "X.509 Certificate file to use."); + __gaa_helpsingle(0, "srpusername", """NAME"" ", "SRP username to use."); + __gaa_helpsingle(0, "srppasswd", """PASSWD"" ", "SRP password to use."); __gaa_helpsingle('l', "list", "", "Print a list of the supported algorithms and modes."); __gaa_helpsingle('h', "help", "", "prints this help"); 
@@ -136,10 +145,28 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 45 "cli.gaa" +#line 72 "cli.gaa" char **rest_args; -#line 44 "cli.gaa" +#line 71 "cli.gaa" int nrest_args; +#line 64 "cli.gaa" + char *srp_passwd; +#line 61 "cli.gaa" + char *srp_username; +#line 58 "cli.gaa" + char *x509_certfile; +#line 55 "cli.gaa" + char *x509_keyfile; +#line 52 "cli.gaa" + char *pgp_certfile; +#line 49 "cli.gaa" + char *pgp_trustdb; +#line 46 "cli.gaa" + char *pgp_keyring; +#line 43 "cli.gaa" + char *pgp_keyfile; +#line 40 "cli.gaa" + char *x509_cafile; #line 37 "cli.gaa" char **ctype; #line 36 "cli.gaa" @@ -226,19 +253,28 @@ int gaa_error = 0; #define GAA_MULTIPLE_OPTION 3 #define GAA_REST 0 -#define GAA_NB_OPTION 12 +#define GAA_NB_OPTION 21 #define GAAOPTID_help 1 #define GAAOPTID_list 2 -#define GAAOPTID_ctypes 3 -#define GAAOPTID_kx 4 -#define GAAOPTID_macs 5 -#define GAAOPTID_comp 6 -#define GAAOPTID_protocols 7 -#define GAAOPTID_ciphers 8 -#define GAAOPTID_recordsize 9 -#define GAAOPTID_port 10 -#define GAAOPTID_fingerprint 11 -#define GAAOPTID_resume 12 +#define GAAOPTID_srppasswd 3 +#define GAAOPTID_srpusername 4 +#define GAAOPTID_x509certfile 5 +#define GAAOPTID_x509keyfile 6 +#define GAAOPTID_pgpcertfile 7 +#define GAAOPTID_pgptrustdb 8 +#define GAAOPTID_pgpkeyring 9 +#define GAAOPTID_pgpkeyfile 10 +#define GAAOPTID_cafile 11 +#define GAAOPTID_ctypes 12 +#define GAAOPTID_kx 13 +#define GAAOPTID_macs 14 +#define GAAOPTID_comp 15 +#define GAAOPTID_protocols 16 +#define GAAOPTID_ciphers 17 +#define GAAOPTID_recordsize 18 +#define GAAOPTID_port 19 +#define GAAOPTID_fingerprint 20 +#define GAAOPTID_resume 21 #line 168 "gaa.skel" 
@@ -425,6 +461,60 @@ float gaa_getfloat(char *arg) } /* option structures */ +struct GAAOPTION_srppasswd +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_srpusername +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_x509certfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_x509keyfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgpcertfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgptrustdb +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgpkeyring +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgpkeyfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_cafile +{ + char* arg1; + int size1; +}; + struct GAAOPTION_ctypes { char** arg1; @@ -509,6 +599,15 @@ int gaa_get_option_num(char *str, int status) switch(status) { case GAA_LETTER_OPTION: + GAA_CHECK1STR("", GAAOPTID_srppasswd); + GAA_CHECK1STR("", GAAOPTID_srpusername); + GAA_CHECK1STR("", GAAOPTID_x509certfile); + GAA_CHECK1STR("", GAAOPTID_x509keyfile); + GAA_CHECK1STR("", GAAOPTID_pgpcertfile); + GAA_CHECK1STR("", GAAOPTID_pgptrustdb); + GAA_CHECK1STR("", GAAOPTID_pgpkeyring); + GAA_CHECK1STR("", GAAOPTID_pgpkeyfile); + GAA_CHECK1STR("", GAAOPTID_cafile); GAA_CHECK1STR("", GAAOPTID_ctypes); GAA_CHECK1STR("", GAAOPTID_kx); GAA_CHECK1STR("", GAAOPTID_macs); 
@@ -529,6 +628,15 @@ int gaa_get_option_num(char *str, int status) case GAA_WORD_OPTION: GAA_CHECKSTR("help", GAAOPTID_help); GAA_CHECKSTR("list", GAAOPTID_list); + GAA_CHECKSTR("srppasswd", GAAOPTID_srppasswd); + GAA_CHECKSTR("srpusername", GAAOPTID_srpusername); + GAA_CHECKSTR("x509certfile", GAAOPTID_x509certfile); + GAA_CHECKSTR("x509keyfile", GAAOPTID_x509keyfile); + GAA_CHECKSTR("pgpcertfile", GAAOPTID_pgpcertfile); + GAA_CHECKSTR("pgptrustdb", GAAOPTID_pgptrustdb); + GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring); + GAA_CHECKSTR("pgpkeyfile", GAAOPTID_pgpkeyfile); + GAA_CHECKSTR("cafile", GAAOPTID_cafile); GAA_CHECKSTR("ctypes", GAAOPTID_ctypes); GAA_CHECKSTR("kx", GAAOPTID_kx); GAA_CHECKSTR("macs", GAAOPTID_macs); @@ -551,6 +659,15 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) { int OK = 0; int gaa_last_non_option; + struct GAAOPTION_srppasswd GAATMP_srppasswd; + struct GAAOPTION_srpusername GAATMP_srpusername; + struct GAAOPTION_x509certfile GAATMP_x509certfile; + struct GAAOPTION_x509keyfile GAATMP_x509keyfile; + struct GAAOPTION_pgpcertfile GAATMP_pgpcertfile; + struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb; + struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring; + struct GAAOPTION_pgpkeyfile GAATMP_pgpkeyfile; + struct GAAOPTION_cafile GAATMP_cafile; struct GAAOPTION_ctypes GAATMP_ctypes; struct GAAOPTION_kx GAATMP_kx; struct GAAOPTION_macs GAATMP_macs; 
@@ -581,18 +698,108 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) { case GAAOPTID_help: OK = 0; -#line 42 "cli.gaa" +#line 69 "cli.gaa" { gaa_help(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_list: OK = 0; -#line 41 "cli.gaa" +#line 68 "cli.gaa" { print_list(); exit(0); ;}; return GAA_OK; break; + case GAAOPTID_srppasswd: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1); + gaa_index++; +#line 65 "cli.gaa" +{ gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_srpusername: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srpusername.arg1, gaa_getstr, GAATMP_srpusername.size1); + gaa_index++; +#line 62 "cli.gaa" +{ gaaval->srp_username = GAATMP_srpusername.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_x509certfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, GAATMP_x509certfile.size1); + gaa_index++; +#line 59 "cli.gaa" +{ gaaval->x509_certfile = GAATMP_x509certfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_x509keyfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, GAATMP_x509keyfile.size1); + gaa_index++; +#line 56 "cli.gaa" +{ gaaval->x509_keyfile = GAATMP_x509keyfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgpcertfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, GAATMP_pgpcertfile.size1); + gaa_index++; +#line 53 "cli.gaa" +{ gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgptrustdb: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, GAATMP_pgptrustdb.size1); + gaa_index++; +#line 50 "cli.gaa" +{ gaaval->pgp_keyring = GAATMP_pgptrustdb.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgpkeyring: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, GAATMP_pgpkeyring.size1); + gaa_index++; +#line 47 "cli.gaa" +{ 
gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgpkeyfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, GAATMP_pgpkeyfile.size1); + gaa_index++; +#line 44 "cli.gaa" +{ gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_cafile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_cafile.arg1, gaa_getstr, GAATMP_cafile.size1); + gaa_index++; +#line 41 "cli.gaa" +{ gaaval->x509_cafile = GAATMP_cafile.arg1 ;}; + + return GAA_OK; + break; case GAAOPTID_ctypes: OK = 0; GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1); @@ -677,7 +884,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) break; case GAA_REST: GAA_LIST_FILL(GAAREST_tmp.arg1, gaa_getstr, char*, GAAREST_tmp.size1); -#line 46 "cli.gaa" +#line 73 "cli.gaa" { gaaval->rest_args = GAAREST_tmp.arg1; gaaval->nrest_args = GAAREST_tmp.size1 ;}; return GAA_OK; @@ -705,11 +912,14 @@ int gaa(int argc, char **argv, gaainfo *gaaval) if(inited == 0) { -#line 48 "cli.gaa" +#line 75 "cli.gaa" { gaaval->resume=0; gaaval->port=443; gaaval->rest_args=NULL; gaaval->nrest_args=0; gaaval->ciphers=NULL; gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0; gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; gaaval->record_size=0; - gaaval->fingerprint=0; ;}; + gaaval->fingerprint=0; gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; + gaaval->x509_cafile = NULL; gaaval->pgp_keyfile=NULL; gaaval->pgp_certfile=NULL; + gaaval->x509_keyfile=NULL; gaaval->x509_certfile=NULL; + gaaval->srp_username=NULL; gaaval->srp_passwd=NULL; ;}; } inited = 1; diff --git a/src/cli-gaa.h b/src/cli-gaa.h index d141d7e450..a6a723fee2 100644 --- a/src/cli-gaa.h +++ b/src/cli-gaa.h 
@@ -8,10 +8,28 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 45 "cli.gaa" +#line 72 "cli.gaa" char **rest_args; -#line 44 "cli.gaa" +#line 71 "cli.gaa" int nrest_args; +#line 64 "cli.gaa" + char *srp_passwd; +#line 61 "cli.gaa" + char *srp_username; +#line 58 "cli.gaa" + char *x509_certfile; +#line 55 "cli.gaa" + char *x509_keyfile; +#line 52 "cli.gaa" + char *pgp_certfile; +#line 49 "cli.gaa" + char *pgp_trustdb; +#line 46 "cli.gaa" + char *pgp_keyring; +#line 43 "cli.gaa" + char *pgp_keyfile; +#line 40 "cli.gaa" + char *x509_cafile; #line 37 "cli.gaa" char **ctype; #line 36 "cli.gaa" @@ -32,7 +32,7 @@ #include <signal.h> #include <netdb.h> #include <common.h> -#include <cli-gaa.h> +#include "cli-gaa.h" #ifndef SHUT_WR # define SHUT_WR 1 @@ -49,18 +49,32 @@ /* global stuff here */ int resume; -char *hostname=NULL; +char *hostname = NULL; int port; int record_max_size; int fingerprint; +char *srp_passwd; +char *srp_username; +char *pgp_keyfile; +char *pgp_certfile; +char *pgp_keyring; +char *pgp_trustdb; +char *x509_keyfile; +char *x509_certfile; +char *x509_cafile; +char *x509_crlfile = NULL; + + int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; int kx_priority[16] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, -GNUTLS_KX_ANON_DH, 0 }; + GNUTLS_KX_ANON_DH, 0 +}; int cipher_priority[16] = { GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_3DES_CBC, -GNUTLS_CIPHER_ARCFOUR, 0 }; + GNUTLS_CIPHER_ARCFOUR, 0 +}; int comp_priority[16] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; int mac_priority[16] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; int cert_type_priority[16] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; 
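Review bot: The new `srp_passwd` global holds a secret taken straight from the command line (the `--srppasswd` option added in cli-gaa.c), and nothing in the globals hunk says so; add `/* SRP password, copied verbatim from --srppasswd; argv is readable by other local users through the process table, so a file or an interactive prompt is the safer way to supply it */` above the declaration. `x509_crlfile` is declared and initialised to NULL but, unlike the other new globals, appears to have no matching entry in this commit's option table; a comment stating that it cannot yet be set from the command line would stop a reader searching for the option. Presumably these globals are filled in by gaa_parser, whose new body lies outside this view, so the defaults actually in force are not visible here.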
@@ -68,46 +82,48 @@ int cert_type_priority[16] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; /* end of global stuff */ #define MAX(X,Y) (X >= Y ? X : Y); -#define CAFILE "x509/ca.pem" -#define CRLFILE NULL -#define CLIKEYFILE2 "x509/clikey-dsa.pem" -#define CLICERTFILE2 "x509/clicert-dsa.pem" +#define DEFAULT_X509_CAFILE "x509/ca.pem" +#define DEFAULT_X509_KEYFILE2 "x509/clikey-dsa.pem" +#define DEFAULT_X509_CERTFILE2 "x509/clicert-dsa.pem" -#define CLIKEYFILE1 "x509/clikey.pem" -#define CLICERTFILE1 "x509/clicert.pem" +#define DEFAULT_X509_KEYFILE "x509/clikey.pem" +#define DEFAULT_X509_CERTFILE "x509/clicert.pem" -#define CLIKEYFILE_PGP "openpgp/cli_sec.asc" -#define CLICERTFILE_PGP "openpgp/cli_pub.asc" -#define CLIRINGFILE_PGP "openpgp/cli_ring.gpg" +#define DEFAULT_PGP_KEYFILE "openpgp/cli_sec.asc" +#define DEFAULT_PGP_CERTFILE "openpgp/cli_pub.asc" +#define DEFAULT_PGP_KEYRING "openpgp/cli_ring.gpg" + +#define DEFAULT_SRP_USERNAME "test" +#define DEFAULT_SRP_PASSWD "test" static int cert_callback(GNUTLS_STATE state, const gnutls_datum * client_certs, int ncerts, const gnutls_datum * req_ca_cert, int nreqs) { - if (client_certs == NULL) { - return 0; /* means the we will only be called again + if (client_certs == NULL) { + return 0; /* means the we will only be called again * if the library cannot determine which * certificate to send */ - } + } #if 0 - /* here we should prompt the user and ask him - * which certificate to choose. Too bored to - * implement that. --nmav - */ - for (i = 0; i < ncerts; i++) { - fprintf(stderr, "%s.", client_cert->common_name); - fprintf(stderr, "%s\n", issuer_cert->common_name); - } - for (i = 0; i < nreqs; i++) { - fprintf(stderr, "%s.", req_ca_cert->common_name); - } - fprintf(stderr, "\n"); - return 0; + /* here we should prompt the user and ask him + * which certificate to choose. Too bored to + * implement that. 
--nmav + */ + for (i = 0; i < ncerts; i++) { + fprintf(stderr, "%s.", client_cert->common_name); + fprintf(stderr, "%s\n", issuer_cert->common_name); + } + for (i = 0; i < nreqs; i++) { + fprintf(stderr, "%s.", req_ca_cert->common_name); + } + fprintf(stderr, "\n"); + return 0; #endif - return -1; /* send no certificate to the peer */ + return -1; /* send no certificate to the peer */ } 
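Review bot: `DEFAULT_SRP_USERNAME` and `DEFAULT_SRP_PASSWD` bake the credential pair `"test"`/`"test"` into the client as an unmarked default, and the `DEFAULT_X509_*`/`DEFAULT_PGP_*` paths are relative to the current directory; now that gnutls-cli is installed via bin_PROGRAMS in Makefile.am, a user who omits the new options presumably authenticates with a well-known test credential and looks for `x509/ca.pem` in whatever directory they happen to run from. A comment above the define block such as `/* Development defaults for the in-tree test fixtures: the paths only resolve when run from src/, and the SRP pair is a throwaway test credential, not a usable identity */` would make that explicit. Where these defaults are applied (presumably gaa_parser, whose new body is outside this hunk) is not visible here, so the fallback behaviour is inferred rather than confirmed. The remainder of the hunk only re-indents cert_callback.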
@@ -115,445 +131,464 @@ static void gaa_parser(int argc, char **argv); int main(int argc, char **argv) { - int err, ret; - int sd, ii, i; - struct sockaddr_in sa; - GNUTLS_STATE state; - char buffer[MAX_BUF + 1]; - char *session; - char *session_id; - int session_size, alert; - int session_id_size; - char *tmp_session_id; - int tmp_session_id_size; - fd_set rset; - int maxfd; - struct timeval tv; - int user_term = 0; - GNUTLS_SRP_CLIENT_CREDENTIALS cred; - GNUTLS_ANON_CLIENT_CREDENTIALS anon_cred; - GNUTLS_CERTIFICATE_CLIENT_CREDENTIALS xcred; - struct hostent *server_host; - - gaa_parser(argc, argv); - - signal(SIGPIPE, SIG_IGN); - - if (gnutls_global_init() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } - - printf("Resolving '%s'...\n", hostname); - /* get server name */ - server_host = gethostbyname(hostname); - if (server_host == NULL) { - fprintf(stderr, "Cannot resolve %s\n", hostname); - exit(1); - } - - /* X509 stuff */ - if (gnutls_certificate_allocate_sc(&xcred) < 0) { /* space for 2 certificates */ - fprintf(stderr, "memory error\n"); - exit(1); - } - - ret = - gnutls_certificate_set_x509_trust_file(xcred, CAFILE, CRLFILE); - if (ret < 0) { - fprintf(stderr, "Error setting the x509 trust file\n"); - exit(1); - } - - ret = - gnutls_certificate_set_x509_key_file(xcred, CLICERTFILE1, - CLIKEYFILE1); - if (ret < 0) { - fprintf(stderr, "Error setting the x509 key file\n"); - exit(1); - } - - ret = - gnutls_certificate_set_x509_key_file(xcred, CLICERTFILE2, - CLIKEYFILE2); - if (ret < 0) { - fprintf(stderr, "Error setting the x509 key file\n"); - exit(1); - } - - ret = - gnutls_certificate_set_openpgp_key_file(xcred, CLICERTFILE_PGP, - CLIKEYFILE_PGP); - if (ret < 0) { - fprintf(stderr, "Error setting the OpenPGP key file\n"); - } - - ret = - gnutls_certificate_set_openpgp_keyring_file(xcred, - CLIRINGFILE_PGP); - if (ret < 0) { - fprintf(stderr, - "Error setting the OpenPGP keyring file\n"); - } + int err, ret; + int sd, ii, 
i; + struct sockaddr_in sa; + GNUTLS_STATE state; + char buffer[MAX_BUF + 1]; + char *session; + char *session_id; + int session_size, alert; + int session_id_size; + char *tmp_session_id; + int tmp_session_id_size; + fd_set rset; + int maxfd; + struct timeval tv; + int user_term = 0; + GNUTLS_SRP_CLIENT_CREDENTIALS cred; + GNUTLS_ANON_CLIENT_CREDENTIALS anon_cred; + GNUTLS_CERTIFICATE_CLIENT_CREDENTIALS xcred; + struct hostent *server_host; + + gaa_parser(argc, argv); + + signal(SIGPIPE, SIG_IGN); + + if (gnutls_global_init() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } + + printf("Resolving '%s'...\n", hostname); + /* get server name */ + server_host = gethostbyname(hostname); + if (server_host == NULL) { + fprintf(stderr, "Cannot resolve %s\n", hostname); + exit(1); + } + + /* X509 stuff */ + if (gnutls_certificate_allocate_sc(&xcred) < 0) { /* space for 2 certificates */ + fprintf(stderr, "memory error\n"); + exit(1); + } + + if (x509_cafile != NULL) { + ret = + gnutls_certificate_set_x509_trust_file(xcred, x509_cafile, + x509_crlfile); + if (ret < 0) { + fprintf(stderr, "Error setting the x509 trust file\n"); + exit(1); + } + } + + if (x509_certfile != NULL) { + ret = + gnutls_certificate_set_x509_key_file(xcred, x509_certfile, + x509_keyfile); + if (ret < 0) { + fprintf(stderr, "Error setting the x509 key files ('%s', '%s'\n", + x509_certfile, x509_keyfile); + exit(1); + } + } + + if (pgp_certfile != NULL) { + ret = + gnutls_certificate_set_openpgp_key_file(xcred, pgp_certfile, + pgp_keyfile); + if (ret < 0) { + fprintf(stderr, "Error setting the x509 key files ('%s', '%s'\n", + pgp_certfile, pgp_keyfile); + } + } + + if (pgp_keyring != NULL) { + ret = + gnutls_certificate_set_openpgp_keyring_file(xcred, pgp_keyring); + if (ret < 0) { + fprintf(stderr, "Error setting the OpenPGP keyring file\n"); + } + } + + if (pgp_trustdb != NULL) { + gnutls_certificate_set_openpgp_trustdb(xcred, pgp_trustdb); + } /* 
gnutls_certificate_client_callback_func( xcred, cert_callback); */ - /* SRP stuff */ - if (gnutls_srp_allocate_client_sc(&cred) < 0) { - fprintf(stderr, "memory error\n"); - exit(1); - } - gnutls_srp_set_client_cred(cred, "test", "test"); + /* SRP stuff */ + if (gnutls_srp_allocate_client_sc(&cred) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } + gnutls_srp_set_client_cred(cred, srp_username, srp_passwd); - /* ANON stuff */ - if (gnutls_anon_allocate_client_sc(&anon_cred) < 0) { - fprintf(stderr, "memory error\n"); - exit(1); - } + /* ANON stuff */ + if (gnutls_anon_allocate_client_sc(&anon_cred) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } - sd = socket(AF_INET, SOCK_STREAM, 0); - ERR(sd, "socket"); + sd = socket(AF_INET, SOCK_STREAM, 0); + ERR(sd, "socket"); - memset(&sa, '\0', sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = htons(port); + memset(&sa, '\0', sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons(port); - sa.sin_addr.s_addr = *((unsigned int *) server_host->h_addr); + sa.sin_addr.s_addr = *((unsigned int *) server_host->h_addr); - inet_ntop(AF_INET, &sa.sin_addr, buffer, MAX_BUF); - fprintf(stderr, "Connecting to '%s'...\n", buffer); + inet_ntop(AF_INET, &sa.sin_addr, buffer, MAX_BUF); + fprintf(stderr, "Connecting to '%s'...\n", buffer); - err = connect(sd, (SA *) & sa, sizeof(sa)); - ERR(err, "connect"); + err = connect(sd, (SA *) & sa, sizeof(sa)); + ERR(err, "connect"); - for (i=0;i<2;i++) { - gnutls_init(&state, GNUTLS_CLIENT); + for (i = 0; i < 2; i++) { + gnutls_init(&state, GNUTLS_CLIENT); - if (i == 1) { - gnutls_session_set_data(state, session, session_size); - free(session); - } + if (i == 1) { + gnutls_session_set_data(state, session, session_size); + free(session); + } - gnutls_cipher_set_priority(state, cipher_priority); - gnutls_compression_set_priority(state, comp_priority); - gnutls_kx_set_priority(state, kx_priority); - gnutls_protocol_set_priority(state, protocol_priority); - 
gnutls_mac_set_priority(state, mac_priority); - gnutls_cert_type_set_priority(state, cert_type_priority); + gnutls_cipher_set_priority(state, cipher_priority); + gnutls_compression_set_priority(state, comp_priority); + gnutls_kx_set_priority(state, kx_priority); + gnutls_protocol_set_priority(state, protocol_priority); + gnutls_mac_set_priority(state, mac_priority); + gnutls_cert_type_set_priority(state, cert_type_priority); - gnutls_dh_set_prime_bits(state, 1024); + gnutls_dh_set_prime_bits(state, 1024); - gnutls_cred_set(state, GNUTLS_CRD_ANON, anon_cred); - gnutls_cred_set(state, GNUTLS_CRD_SRP, cred); - gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, xcred); + gnutls_cred_set(state, GNUTLS_CRD_ANON, anon_cred); + gnutls_cred_set(state, GNUTLS_CRD_SRP, cred); + gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, xcred); - /* send the fingerprint */ - if (fingerprint!=0) - gnutls_openpgp_send_key( state, GNUTLS_OPENPGP_KEY_FINGERPRINT); + /* send the fingerprint */ + if (fingerprint != 0) + gnutls_openpgp_send_key(state, GNUTLS_OPENPGP_KEY_FINGERPRINT); - /* use the max record size extension */ - if (record_max_size > 0) { - if (gnutls_record_set_max_size(state, record_max_size) < 0) { - fprintf(stderr, "Cannot set the maximum record size to %d.\n", record_max_size); - exit(1); - } - } + /* use the max record size extension */ + if (record_max_size > 0) { + if (gnutls_record_set_max_size(state, record_max_size) < 0) { + fprintf(stderr, "Cannot set the maximum record size to %d.\n", + record_max_size); + exit(1); + } + } /* This TLS extension may break old implementations. 
*/ - gnutls_transport_set_ptr(state, sd); - do { - ret = gnutls_handshake(state); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - - if (ret < 0) { - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED - || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { - alert = gnutls_alert_get( state); - printf("*** Received alert [%d]: %s\n", - alert, gnutls_alert_get_name( alert)); - } - fprintf(stderr, "*** Handshake has failed\n"); - gnutls_perror(ret); - gnutls_deinit(state); - return 1; - } else { - printf("- Handshake was completed\n"); - } - - if (i == 1) { /* resume */ - /* check if we actually resumed the previous session */ - - gnutls_session_get_id(state, NULL, &tmp_session_id_size); - tmp_session_id = malloc(tmp_session_id_size); - gnutls_session_get_id(state, tmp_session_id, &tmp_session_id_size); - - if (memcmp(tmp_session_id, session_id, session_id_size) == - 0) { - printf("- Previous session was resumed\n"); - } else { - fprintf(stderr, - "*** Previous session was NOT resumed\n"); - } - free(tmp_session_id); - free(session_id); - } - - - - if (resume!=0 && i==0) { - - gnutls_session_get_data(state, NULL, &session_size); - session = malloc(session_size); - gnutls_session_get_data(state, session, &session_size); - - gnutls_session_get_id(state, NULL, &session_id_size); - session_id = malloc(session_id_size); - gnutls_session_get_id(state, session_id, &session_id_size); - - /* print some information */ - print_info(state); - - printf("- Disconnecting\n"); - do { - ret = gnutls_bye(state, GNUTLS_SHUT_RDWR); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - - shutdown(sd, SHUT_WR); - close(sd); - - gnutls_deinit(state); - - printf - ("\n\n- Connecting again- trying to resume previous session\n"); - sd = socket(AF_INET, SOCK_STREAM, 0); - ERR(sd, "socket"); - - err = connect(sd, (SA *) & sa, sizeof(sa)); - ERR(err, "connect"); - } else { - break; - } - - } + gnutls_transport_set_ptr(state, sd); + do { + ret = gnutls_handshake(state); + } while 
(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + + if (ret < 0) { + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED + || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { + alert = gnutls_alert_get(state); + printf("*** Received alert [%d]: %s\n", + alert, gnutls_alert_get_name(alert)); + } + fprintf(stderr, "*** Handshake has failed\n"); + gnutls_perror(ret); + gnutls_deinit(state); + return 1; + } else { + printf("- Handshake was completed\n"); + } + + if (i == 1) { /* resume */ + /* check if we actually resumed the previous session */ + + gnutls_session_get_id(state, NULL, &tmp_session_id_size); + tmp_session_id = malloc(tmp_session_id_size); + gnutls_session_get_id(state, tmp_session_id, + &tmp_session_id_size); + + if (memcmp(tmp_session_id, session_id, session_id_size) == 0) { + printf("- Previous session was resumed\n"); + } else { + fprintf(stderr, "*** Previous session was NOT resumed\n"); + } + free(tmp_session_id); + free(session_id); + } + + + + if (resume != 0 && i == 0) { + + gnutls_session_get_data(state, NULL, &session_size); + session = malloc(session_size); + gnutls_session_get_data(state, session, &session_size); + + gnutls_session_get_id(state, NULL, &session_id_size); + session_id = malloc(session_id_size); + gnutls_session_get_id(state, session_id, &session_id_size); + + /* print some information */ + print_info(state); + + printf("- Disconnecting\n"); + do { + ret = gnutls_bye(state, GNUTLS_SHUT_RDWR); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + + shutdown(sd, SHUT_WR); + close(sd); + + gnutls_deinit(state); + + printf + ("\n\n- Connecting again- trying to resume previous session\n"); + sd = socket(AF_INET, SOCK_STREAM, 0); + ERR(sd, "socket"); + + err = connect(sd, (SA *) & sa, sizeof(sa)); + ERR(err, "connect"); + } else { + break; + } + + } /* print some information */ - print_info(state); - - printf("\n- Simple Client Mode:\n\n"); - - FD_ZERO(&rset); - for (;;) { - FD_SET(fileno(stdin), &rset); - FD_SET(sd, &rset); - - 
maxfd = MAX(fileno(stdin), sd); - tv.tv_sec = 3; - tv.tv_usec = 0; - select(maxfd + 1, &rset, NULL, NULL, &tv); - - if (FD_ISSET(sd, &rset)) { - bzero(buffer, MAX_BUF + 1); - do { - ret = gnutls_record_recv(state, buffer, MAX_BUF); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - /* remove new line */ - - if (gnutls_error_is_fatal(ret) == 1 || ret == 0) { - if (ret == 0) { - printf - ("- Peer has closed the GNUTLS connection\n"); - break; - } else { - fprintf(stderr, - "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", - ret); - break; - } - } else { - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED - || ret == - GNUTLS_E_FATAL_ALERT_RECEIVED) - printf("* Received alert [%d]\n", - gnutls_alert_get - (state)); - if (ret == GNUTLS_E_REHANDSHAKE) { - - /* There is a race condition here. If application - * data is sent after the rehandshake request, - * the server thinks we ignored his request. - * This is a bad design of this client. - */ - printf - ("* Received rehandshake request\n"); - /* gnutls_alert_send( state, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */ - do { - ret = - gnutls_handshake - (state); - } while (ret == GNUTLS_E_AGAIN - || ret == - GNUTLS_E_INTERRUPTED); - - if (ret == 0) - printf - ("* Rehandshake was performed\n"); - else { - printf - ("* Rehandshake Failed [%d]\n", - ret); - } - } - if (ret > 0) { - printf("- Received[%d]: ", ret); - for (ii = 0; ii < ret; ii++) { - fputc(buffer[ii], stdout); - } - fputs("\n", stdout); - } - } - if (user_term != 0) - break; - } - - if (FD_ISSET(fileno(stdin), &rset)) { - if (fgets(buffer, MAX_BUF, stdin) == NULL) { - do { - ret = - gnutls_bye(state, - GNUTLS_SHUT_WR); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - user_term = 1; - continue; - } - do { - ret = - gnutls_record_send(state, buffer, - strlen(buffer)); - } while (ret == GNUTLS_E_AGAIN - || ret == GNUTLS_E_INTERRUPTED); - if (ret > 0) - printf("- Sent: %d bytes\n", ret); - 
else - GERR( ret); - - } - } - if (user_term != 0) - do - ret = gnutls_bye(state, GNUTLS_SHUT_RDWR); - while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - - shutdown(sd, SHUT_RDWR); /* no more receptions */ - close(sd); - - gnutls_deinit(state); - - gnutls_srp_free_client_sc(cred); - gnutls_certificate_free_sc(xcred); - gnutls_anon_free_client_sc(anon_cred); - - gnutls_global_deinit(); - - return 0; + print_info(state); + + printf("\n- Simple Client Mode:\n\n"); + + FD_ZERO(&rset); + for (;;) { + FD_SET(fileno(stdin), &rset); + FD_SET(sd, &rset); + + maxfd = MAX(fileno(stdin), sd); + tv.tv_sec = 3; + tv.tv_usec = 0; + select(maxfd + 1, &rset, NULL, NULL, &tv); + + if (FD_ISSET(sd, &rset)) { + bzero(buffer, MAX_BUF + 1); + do { + ret = gnutls_record_recv(state, buffer, MAX_BUF); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + /* remove new line */ + + if (gnutls_error_is_fatal(ret) == 1 || ret == 0) { + if (ret == 0) { + printf("- Peer has closed the GNUTLS connection\n"); + break; + } else { + fprintf(stderr, + "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", + ret); + break; + } + } else { + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED + || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) + printf("* Received alert [%d]\n", gnutls_alert_get(state)); + if (ret == GNUTLS_E_REHANDSHAKE) { + + /* There is a race condition here. If application + * data is sent after the rehandshake request, + * the server thinks we ignored his request. + * This is a bad design of this client. 
+ */ + printf("* Received rehandshake request\n"); + /* gnutls_alert_send( state, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */ + do { + ret = gnutls_handshake(state); + } while (ret == GNUTLS_E_AGAIN + || ret == GNUTLS_E_INTERRUPTED); + + if (ret == 0) + printf("* Rehandshake was performed\n"); + else { + printf("* Rehandshake Failed [%d]\n", ret); + } + } + if (ret > 0) { + printf("- Received[%d]: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); + } + fputs("\n", stdout); + } + } + if (user_term != 0) + break; + } + + if (FD_ISSET(fileno(stdin), &rset)) { + if (fgets(buffer, MAX_BUF, stdin) == NULL) { + do { + ret = gnutls_bye(state, GNUTLS_SHUT_WR); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + user_term = 1; + continue; + } + do { + ret = gnutls_record_send(state, buffer, strlen(buffer)); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + if (ret > 0) + printf("- Sent: %d bytes\n", ret); + else + GERR(ret); + + } + } + if (user_term != 0) + do + ret = gnutls_bye(state, GNUTLS_SHUT_RDWR); + while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + + shutdown(sd, SHUT_RDWR); /* no more receptions */ + close(sd); + + gnutls_deinit(state); + + gnutls_srp_free_client_sc(cred); + gnutls_certificate_free_sc(xcred); + gnutls_anon_free_client_sc(anon_cred); + + gnutls_global_deinit(); + + return 0; } static gaainfo info; void gaa_parser(int argc, char **argv) { - int i, j; - - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, "Error in the arguments. 
Use the --help or -h parameters to get more information.\n"); - exit(1); - } - - resume = info.resume; - port = info.port; - record_max_size = info.record_size; - fingerprint = info.fingerprint; - - if (info.nrest_args==0) hostname="localhost"; - else hostname = info.rest_args[0]; - - if (info.proto != NULL && info.nproto > 0) { - for (j = i = 0; i < info.nproto; i++) { - if (strncasecmp(info.proto[i], "SSL", 3) == 0) - protocol_priority[j++] = GNUTLS_SSL3; - if (strncasecmp(info.proto[i], "TLS", 3) == 0) - protocol_priority[j++] = GNUTLS_TLS1; - } - protocol_priority[j] = 0; - } - - if (info.ciphers != NULL && info.nciphers > 0) { - for (j = i = 0; i < info.nciphers; i++) { - if (strncasecmp(info.ciphers[i], "RIJ", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_RIJNDAEL_128_CBC; - if (strncasecmp(info.ciphers[i], "TWO", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_TWOFISH_128_CBC; - if (strncasecmp(info.ciphers[i], "3DE", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_3DES_CBC; - if (strncasecmp(info.ciphers[i], "ARC", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_ARCFOUR; - } - cipher_priority[j] = 0; - } - - if (info.macs != NULL && info.nmacs > 0) { - for (j = i = 0; i < info.nmacs; i++) { - if (strncasecmp(info.macs[i], "MD5", 3) == 0) - mac_priority[j++] = GNUTLS_MAC_MD5; - if (strncasecmp(info.macs[i], "SHA", 3) == 0) - mac_priority[j++] = GNUTLS_MAC_SHA; - } - mac_priority[j] = 0; - } - - if (info.ctype != NULL && info.nctype > 0) { - for (j = i = 0; i < info.nctype; i++) { - if (strncasecmp(info.ctype[i], "OPE", 3) == 0) - cert_type_priority[j++] = - GNUTLS_CRT_OPENPGP; - if (strncasecmp(info.ctype[i], "X", 1) == 0) - cert_type_priority[j++] = GNUTLS_CRT_X509; - } - cert_type_priority[j] = 0; - } - - if (info.kx != NULL && info.nkx > 0) { - for (j = i = 0; i < info.nkx; i++) { - if (strncasecmp(info.kx[i], "SRP", 3) == 0) - kx_priority[j++] = GNUTLS_KX_SRP; - if (strncasecmp(info.kx[i], "RSA", 3) == 0) - kx_priority[j++] = GNUTLS_KX_RSA; - 
if (strncasecmp(info.kx[i], "DHE_RSA", 7) == 0) - kx_priority[j++] = GNUTLS_KX_DHE_RSA; - if (strncasecmp(info.kx[i], "DHE_DSS", 7) == 0) - kx_priority[j++] = GNUTLS_KX_DHE_DSS; - if (strncasecmp(info.kx[i], "ANON", 4) == 0) - kx_priority[j++] = GNUTLS_KX_ANON_DH; - } - kx_priority[j] = 0; - } - - if (info.comp != NULL && info.ncomp > 0) { - for (j = i = 0; i < info.ncomp; i++) { - if (strncasecmp(info.comp[i], "NUL", 3) == 0) - comp_priority[j++] = GNUTLS_COMP_NULL; - if (strncasecmp(info.comp[i], "ZLI", 1) == 0) - comp_priority[j++] = GNUTLS_COMP_ZLIB; - } - comp_priority[j] = 0; - } + int i, j; + + if (gaa(argc, argv, &info) != -1) { + fprintf(stderr, + "Error in the arguments. Use the --help or -h parameters to get more information.\n"); + exit(1); + } + + resume = info.resume; + port = info.port; + record_max_size = info.record_size; + fingerprint = info.fingerprint; + + if (info.x509_certfile != NULL) + x509_certfile = info.x509_certfile; + else + x509_certfile = DEFAULT_X509_CERTFILE; + + if (info.x509_keyfile != NULL) + x509_keyfile = info.x509_keyfile; + else + x509_keyfile = DEFAULT_X509_KEYFILE; + + if (info.x509_cafile != NULL) + x509_cafile = info.x509_certfile; + else + x509_cafile = DEFAULT_X509_CAFILE; + + if (info.pgp_certfile != NULL) + pgp_certfile = info.pgp_certfile; + else + pgp_certfile = DEFAULT_PGP_CERTFILE; + + if (info.pgp_keyfile != NULL) + pgp_keyfile = info.pgp_keyfile; + else + pgp_keyfile = DEFAULT_PGP_KEYFILE; + + if (info.srp_passwd != NULL) + srp_passwd = info.srp_passwd; + else + srp_passwd = DEFAULT_SRP_PASSWD; + + if (info.srp_username != NULL) + srp_username = info.srp_username; + else + srp_username = DEFAULT_SRP_USERNAME; + + pgp_keyring = info.pgp_keyring; + pgp_trustdb = info.pgp_trustdb; + + if (info.nrest_args == 0) + hostname = "localhost"; + else + hostname = info.rest_args[0]; + + if (info.proto != NULL && info.nproto > 0) { + for (j = i = 0; i < info.nproto; i++) { + if (strncasecmp(info.proto[i], "SSL", 3) == 0) + 
protocol_priority[j++] = GNUTLS_SSL3; + if (strncasecmp(info.proto[i], "TLS", 3) == 0) + protocol_priority[j++] = GNUTLS_TLS1; + } + protocol_priority[j] = 0; + } + + if (info.ciphers != NULL && info.nciphers > 0) { + for (j = i = 0; i < info.nciphers; i++) { + if (strncasecmp(info.ciphers[i], "RIJ", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC; + if (strncasecmp(info.ciphers[i], "TWO", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_TWOFISH_128_CBC; + if (strncasecmp(info.ciphers[i], "3DE", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_3DES_CBC; + if (strncasecmp(info.ciphers[i], "ARC", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_ARCFOUR; + } + cipher_priority[j] = 0; + } + + if (info.macs != NULL && info.nmacs > 0) { + for (j = i = 0; i < info.nmacs; i++) { + if (strncasecmp(info.macs[i], "MD5", 3) == 0) + mac_priority[j++] = GNUTLS_MAC_MD5; + if (strncasecmp(info.macs[i], "SHA", 3) == 0) + mac_priority[j++] = GNUTLS_MAC_SHA; + } + mac_priority[j] = 0; + } + + if (info.ctype != NULL && info.nctype > 0) { + for (j = i = 0; i < info.nctype; i++) { + if (strncasecmp(info.ctype[i], "OPE", 3) == 0) + cert_type_priority[j++] = GNUTLS_CRT_OPENPGP; + if (strncasecmp(info.ctype[i], "X", 1) == 0) + cert_type_priority[j++] = GNUTLS_CRT_X509; + } + cert_type_priority[j] = 0; + } + + if (info.kx != NULL && info.nkx > 0) { + for (j = i = 0; i < info.nkx; i++) { + if (strncasecmp(info.kx[i], "SRP", 3) == 0) + kx_priority[j++] = GNUTLS_KX_SRP; + if (strncasecmp(info.kx[i], "RSA", 3) == 0) + kx_priority[j++] = GNUTLS_KX_RSA; + if (strncasecmp(info.kx[i], "DHE_RSA", 7) == 0) + kx_priority[j++] = GNUTLS_KX_DHE_RSA; + if (strncasecmp(info.kx[i], "DHE_DSS", 7) == 0) + kx_priority[j++] = GNUTLS_KX_DHE_DSS; + if (strncasecmp(info.kx[i], "ANON", 4) == 0) + kx_priority[j++] = GNUTLS_KX_ANON_DH; + } + kx_priority[j] = 0; + } + + if (info.comp != NULL && info.ncomp > 0) { + for (j = i = 0; i < info.ncomp; i++) { + if (strncasecmp(info.comp[i], "NUL", 3) == 0) + 
comp_priority[j++] = GNUTLS_COMP_NULL; + if (strncasecmp(info.comp[i], "ZLI", 1) == 0) + comp_priority[j++] = GNUTLS_COMP_ZLIB; + } + comp_priority[j] = 0; + } } - diff --git a/src/cli.gaa b/src/cli.gaa index f27ab67914..8718f61d71 100644 --- a/src/cli.gaa +++ b/src/cli.gaa @@ -1,4 +1,4 @@ -helpnode "cli help\nUsage: cli [options] hostname" +helpnode "gnutls-cli help\nUsage: gnutls-cli [options] hostname" #int resume; option (r, resume) { $resume = 1 } "Connect, establish a session. Connect again and resume this session." @@ -37,6 +37,33 @@ option (kx) *STR "kx1 kx2..." { $kx = $1; $nkx = @1 } "Key exchange methods to e #char **ctype; option (ctypes) *STR "certType1 certType2..." { $ctype = $1; $nctype = @1 } "Certificate types to enable." +#char *x509_cafile; +option (cafile) STR "FILE" { $x509_cafile = $1 } "Certificate file to use." + +#char *pgp_keyfile; +option (pgpkeyfile) STR "FILE" { $pgp_keyfile = $1 } "PGP Key file to use." + +#char *pgp_keyring; +option (pgpkeyring) STR "FILE" { $pgp_keyring = $1 } "PGP Key ring file to use." + +#char *pgp_trustdb; +option (pgptrustdb) STR "FILE" { $pgp_keyring = $1 } "PGP trustdb file to use." + +#char *pgp_certfile; +option (pgpcertfile) STR "FILE" { $pgp_certfile = $1 } "PGP Public Key (certificate) file to use." + +#char *x509_keyfile; +option (x509keyfile) STR "FILE" { $x509_keyfile = $1 } "X.509 key file to use." + +#char *x509_certfile; +option (x509certfile) STR "FILE" { $x509_certfile = $1 } "X.509 Certificate file to use." + +#char *srp_username; +option (srpusername) STR "NAME" { $srp_username = $1 } "SRP username to use." + +#char *srp_passwd; +option (srppasswd) STR "PASSWD" { $srp_passwd = $1 } "SRP password to use." + option (l, list) { print_list(); exit(0); } "Print a list of the supported algorithms and modes." option (h, help) { gaa_help(); exit(0); } "prints this help" 
@@ -48,7 +75,11 @@ rest *STR "hostname" { $rest_args = $1; $nrest_args = @1 } init { $resume=0; $port=443; $rest_args=NULL; $nrest_args=0; $ciphers=NULL; $kx=NULL; $comp=NULL; $macs=NULL; $ctype=NULL; $nciphers=0; $nkx=0; $ncomp=0; $nmacs=0; $nctype = 0; $record_size=0; - $fingerprint=0; } + $fingerprint=0; $pgp_trustdb=NULL; $pgp_keyring=NULL; + $x509_cafile = NULL; $pgp_keyfile=NULL; $pgp_certfile=NULL; + $x509_keyfile=NULL; $x509_certfile=NULL; + $srp_username=NULL; $srp_passwd=NULL; } + ## diff --git a/src/common.h b/src/common.h index 19709f970e..60094bf1f8 100644 --- a/src/common.h +++ b/src/common.h @@ -1,7 +1,7 @@ #define PORT 5556 #define SERVER "127.0.0.1" -#include <gnutls.h> +#include "../lib/gnutls.h" int print_info( GNUTLS_STATE state); int print_list(void);
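Review bot: The new `pgptrustdb` option stores its argument in the wrong variable: `option (pgptrustdb) STR "FILE" { $pgp_keyring = $1 }` overwrites `$pgp_keyring` and leaves `$pgp_trustdb` at the NULL set in `init`, so `--pgptrustdb` silently replaces the keyring and never sets the trust database; it should read `{ $pgp_trustdb = $1 }`. The generated serv-gaa.c in this same commit carries the identical assignment for its `GAAOPTID_pgptrustdb` case (`gaaval->pgp_keyring = GAATMP_pgptrustdb.arg1`), so serv.gaa has the same slip and both generated parsers need regenerating after the fix. The consumer in cli.c's gaa_parser (further up in this commit) has a related copy-paste error, `x509_cafile = info.x509_certfile;`, which should be `x509_cafile = info.x509_cafile;` — as written, passing `--cafile` makes the client trust store point at the client certificate file instead of the CA file. Separately, `srppasswd` takes the SRP password as a command-line argument, which is readable by other local users via the process list; the description should say so, or the client should prompt for it when the option is absent.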
\ No newline at end of file diff --git a/src/crypt.c b/src/crypt.c index 7446a8476c..f4640d51ee 100644 --- a/src/crypt.c +++ b/src/crypt.c @@ -26,6 +26,7 @@ #include "../lib/gnutls_int.h" #include "../lib/gnutls_srp.h" #include "../lib/crypt.h" +#include "../lib/gnutls_mem.h" #include "../lib/auth_srp_passwd.h" #include "crypt-gaa.h" #include <pwd.h> diff --git a/src/serv-gaa.c b/src/serv-gaa.c index 36ec5528b0..fadb538f44 100644 --- a/src/serv-gaa.c +++ b/src/serv-gaa.c @@ -1,7 +1,7 @@ /* File generated by GAA 1.6.0b3 */ #define GAA_NO_WIN32 -#line 45 "serv.gaa" +#line 80 "serv.gaa" #include <common.h> #include <stdio.h> 
@@ -107,10 +107,20 @@ void __gaa_helpsingle(char short_name, char *name, void gaa_help(void) { - printf("serv help\nUsage: serv [options]""\n"); + printf("gnutls-serv help\nUsage: gnutls-serv [options]""\n"); __gaa_helpsingle('g', "generate", "", "Generate Diffie Hellman Parameters."); __gaa_helpsingle('p', "port", """integer"" ", "The port to connect to."); __gaa_helpsingle(0, "http", "", "Act as an HTTP Server."); + __gaa_helpsingle(0, "cafile", """FILE"" ", "Certificate file to use."); + __gaa_helpsingle(0, "pgpkeyring", """FILE"" ", "PGP Key ring file to use."); + __gaa_helpsingle(0, "pgptrustdb", """FILE"" ", "PGP trustdb file to use."); + __gaa_helpsingle(0, "pgpkeyfile", """FILE"" ", "PGP Key file to use."); + __gaa_helpsingle(0, "pgpcertfile", """FILE"" ", "PGP Public Key (certificate) file to use."); + __gaa_helpsingle(0, "x509keyfile", """FILE"" ", "X.509 key file to use."); + __gaa_helpsingle(0, "x509certfile", """FILE"" ", "X.509 Certificate file to use."); + __gaa_helpsingle(0, "pgpkeyserver", """FILE"" ", "PGP Keyserver to use."); + __gaa_helpsingle(0, "srppasswd", """FILE"" ", "SRP password file to use."); + __gaa_helpsingle(0, "srppasswdconf", """FILE"" ", "SRP password conf file to use."); __gaa_helpsingle(0, "ciphers", """cipher1 cipher2..."" ", "Ciphers to enable."); __gaa_helpsingle(0, "protocols", """protocol1 protocol2..."" ", "Protocols to enable."); __gaa_helpsingle(0, "comp", """comp1 comp2..."" ", "Compression methods to enable."); 
@@ -133,30 +143,50 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 33 "serv.gaa" +#line 64 "serv.gaa" char **ctype; -#line 32 "serv.gaa" +#line 63 "serv.gaa" int nctype; -#line 29 "serv.gaa" +#line 60 "serv.gaa" char **kx; -#line 28 "serv.gaa" +#line 59 "serv.gaa" int nkx; -#line 25 "serv.gaa" +#line 56 "serv.gaa" char **macs; -#line 24 "serv.gaa" +#line 55 "serv.gaa" int nmacs; -#line 21 "serv.gaa" +#line 52 "serv.gaa" char **comp; -#line 20 "serv.gaa" +#line 51 "serv.gaa" int ncomp; -#line 17 "serv.gaa" +#line 48 "serv.gaa" char **proto; -#line 16 "serv.gaa" +#line 47 "serv.gaa" int nproto; -#line 13 "serv.gaa" +#line 44 "serv.gaa" char **ciphers; -#line 12 "serv.gaa" +#line 43 "serv.gaa" int nciphers; +#line 39 "serv.gaa" + char *srp_passwd_conf; +#line 36 "serv.gaa" + char *srp_passwd; +#line 33 "serv.gaa" + char *pgp_keyserver; +#line 30 "serv.gaa" + char *x509_certfile; +#line 27 "serv.gaa" + char *x509_keyfile; +#line 24 "serv.gaa" + char *pgp_certfile; +#line 21 "serv.gaa" + char *pgp_keyfile; +#line 18 "serv.gaa" + char *pgp_trustdb; +#line 15 "serv.gaa" + char *pgp_keyring; +#line 12 "serv.gaa" + char *x509_cafile; #line 9 "serv.gaa" int http; #line 6 "serv.gaa" @@ -217,7 +247,7 @@ int gaa_error = 0; #define GAA_MULTIPLE_OPTION 3 #define GAA_REST 0 -#define GAA_NB_OPTION 11 +#define GAA_NB_OPTION 21 #define GAAOPTID_help 1 #define GAAOPTID_list 2 #define GAAOPTID_ctypes 3 
@@ -226,9 +256,19 @@ int gaa_error = 0; #define GAAOPTID_comp 6 #define GAAOPTID_protocols 7 #define GAAOPTID_ciphers 8 -#define GAAOPTID_http 9 -#define GAAOPTID_port 10 -#define GAAOPTID_generate 11 +#define GAAOPTID_srppasswdconf 9 +#define GAAOPTID_srppasswd 10 +#define GAAOPTID_pgpkeyserver 11 +#define GAAOPTID_x509certfile 12 +#define GAAOPTID_x509keyfile 13 +#define GAAOPTID_pgpcertfile 14 +#define GAAOPTID_pgpkeyfile 15 +#define GAAOPTID_pgptrustdb 16 +#define GAAOPTID_pgpkeyring 17 +#define GAAOPTID_cafile 18 +#define GAAOPTID_http 19 +#define GAAOPTID_port 20 +#define GAAOPTID_generate 21 #line 168 "gaa.skel" @@ -451,6 +491,66 @@ struct GAAOPTION_ciphers int size1; }; +struct GAAOPTION_srppasswdconf +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_srppasswd +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgpkeyserver +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_x509certfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_x509keyfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgpcertfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgpkeyfile +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgptrustdb +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_pgpkeyring +{ + char* arg1; + int size1; +}; + +struct GAAOPTION_cafile +{ + char* arg1; + int size1; +}; + struct GAAOPTION_port { int arg1; 
@@ -492,6 +592,16 @@ int gaa_get_option_num(char *str, int status) GAA_CHECK1STR("", GAAOPTID_comp); GAA_CHECK1STR("", GAAOPTID_protocols); GAA_CHECK1STR("", GAAOPTID_ciphers); + GAA_CHECK1STR("", GAAOPTID_srppasswdconf); + GAA_CHECK1STR("", GAAOPTID_srppasswd); + GAA_CHECK1STR("", GAAOPTID_pgpkeyserver); + GAA_CHECK1STR("", GAAOPTID_x509certfile); + GAA_CHECK1STR("", GAAOPTID_x509keyfile); + GAA_CHECK1STR("", GAAOPTID_pgpcertfile); + GAA_CHECK1STR("", GAAOPTID_pgpkeyfile); + GAA_CHECK1STR("", GAAOPTID_pgptrustdb); + GAA_CHECK1STR("", GAAOPTID_pgpkeyring); + GAA_CHECK1STR("", GAAOPTID_cafile); GAA_CHECK1STR("p", GAAOPTID_port); case GAA_MULTIPLE_OPTION: #line 375 "gaa.skel" @@ -511,6 +621,16 @@ int gaa_get_option_num(char *str, int status) GAA_CHECKSTR("comp", GAAOPTID_comp); GAA_CHECKSTR("protocols", GAAOPTID_protocols); GAA_CHECKSTR("ciphers", GAAOPTID_ciphers); + GAA_CHECKSTR("srppasswdconf", GAAOPTID_srppasswdconf); + GAA_CHECKSTR("srppasswd", GAAOPTID_srppasswd); + GAA_CHECKSTR("pgpkeyserver", GAAOPTID_pgpkeyserver); + GAA_CHECKSTR("x509certfile", GAAOPTID_x509certfile); + GAA_CHECKSTR("x509keyfile", GAAOPTID_x509keyfile); + GAA_CHECKSTR("pgpcertfile", GAAOPTID_pgpcertfile); + GAA_CHECKSTR("pgpkeyfile", GAAOPTID_pgpkeyfile); + GAA_CHECKSTR("pgptrustdb", GAAOPTID_pgptrustdb); + GAA_CHECKSTR("pgpkeyring", GAAOPTID_pgpkeyring); + GAA_CHECKSTR("cafile", GAAOPTID_cafile); GAA_CHECKSTR("http", GAAOPTID_http); GAA_CHECKSTR("port", GAAOPTID_port); GAA_CHECKSTR("generate", GAAOPTID_generate); 
@@ -532,6 +652,16 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) struct GAAOPTION_comp GAATMP_comp; struct GAAOPTION_protocols GAATMP_protocols; struct GAAOPTION_ciphers GAATMP_ciphers; + struct GAAOPTION_srppasswdconf GAATMP_srppasswdconf; + struct GAAOPTION_srppasswd GAATMP_srppasswd; + struct GAAOPTION_pgpkeyserver GAATMP_pgpkeyserver; + struct GAAOPTION_x509certfile GAATMP_x509certfile; + struct GAAOPTION_x509keyfile GAATMP_x509keyfile; + struct GAAOPTION_pgpcertfile GAATMP_pgpcertfile; + struct GAAOPTION_pgpkeyfile GAATMP_pgpkeyfile; + struct GAAOPTION_pgptrustdb GAATMP_pgptrustdb; + struct GAAOPTION_pgpkeyring GAATMP_pgpkeyring; + struct GAAOPTION_cafile GAATMP_cafile; struct GAAOPTION_port GAATMP_port; #line 393 "gaa.skel" @@ -555,14 +685,14 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) { case GAAOPTID_help: OK = 0; -#line 38 "serv.gaa" +#line 69 "serv.gaa" { gaa_help(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_list: OK = 0; -#line 37 "serv.gaa" +#line 68 "serv.gaa" { print_list(); exit(0); ;}; return GAA_OK; @@ -570,7 +700,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_ctypes: OK = 0; GAA_LIST_FILL(GAATMP_ctypes.arg1, gaa_getstr, char*, GAATMP_ctypes.size1); -#line 34 "serv.gaa" +#line 65 "serv.gaa" { gaaval->ctype = GAATMP_ctypes.arg1; gaaval->nctype = GAATMP_ctypes.size1 ;}; return GAA_OK; @@ -578,7 +708,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_kx: OK = 0; GAA_LIST_FILL(GAATMP_kx.arg1, gaa_getstr, char*, GAATMP_kx.size1); -#line 30 "serv.gaa" +#line 61 "serv.gaa" { gaaval->kx = GAATMP_kx.arg1; gaaval->nkx = GAATMP_kx.size1 ;}; return GAA_OK; 
@@ -586,7 +716,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_macs: OK = 0; GAA_LIST_FILL(GAATMP_macs.arg1, gaa_getstr, char*, GAATMP_macs.size1); -#line 26 "serv.gaa" +#line 57 "serv.gaa" { gaaval->macs = GAATMP_macs.arg1; gaaval->nmacs = GAATMP_macs.size1 ;}; return GAA_OK; @@ -594,7 +724,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_comp: OK = 0; GAA_LIST_FILL(GAATMP_comp.arg1, gaa_getstr, char*, GAATMP_comp.size1); -#line 22 "serv.gaa" +#line 53 "serv.gaa" { gaaval->comp = GAATMP_comp.arg1; gaaval->ncomp = GAATMP_comp.size1 ;}; return GAA_OK; @@ -602,7 +732,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_protocols: OK = 0; GAA_LIST_FILL(GAATMP_protocols.arg1, gaa_getstr, char*, GAATMP_protocols.size1); -#line 18 "serv.gaa" +#line 49 "serv.gaa" { gaaval->proto = GAATMP_protocols.arg1; gaaval->nproto = GAATMP_protocols.size1 ;}; return GAA_OK; 
@@ -610,11 +740,111 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) case GAAOPTID_ciphers: OK = 0; GAA_LIST_FILL(GAATMP_ciphers.arg1, gaa_getstr, char*, GAATMP_ciphers.size1); -#line 14 "serv.gaa" +#line 45 "serv.gaa" { gaaval->ciphers = GAATMP_ciphers.arg1; gaaval->nciphers = GAATMP_ciphers.size1 ;}; return GAA_OK; break; + case GAAOPTID_srppasswdconf: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srppasswdconf.arg1, gaa_getstr, GAATMP_srppasswdconf.size1); + gaa_index++; +#line 40 "serv.gaa" +{ gaaval->srp_passwd_conf = GAATMP_srppasswdconf.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_srppasswd: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_srppasswd.arg1, gaa_getstr, GAATMP_srppasswd.size1); + gaa_index++; +#line 37 "serv.gaa" +{ gaaval->srp_passwd = GAATMP_srppasswd.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgpkeyserver: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyserver.arg1, gaa_getstr, GAATMP_pgpkeyserver.size1); + gaa_index++; +#line 34 "serv.gaa" +{ gaaval->pgp_keyserver = GAATMP_pgpkeyserver.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_x509certfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509certfile.arg1, gaa_getstr, GAATMP_x509certfile.size1); + gaa_index++; +#line 31 "serv.gaa" +{ gaaval->x509_certfile = GAATMP_x509certfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_x509keyfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_x509keyfile.arg1, gaa_getstr, GAATMP_x509keyfile.size1); + gaa_index++; +#line 28 "serv.gaa" +{ gaaval->x509_keyfile = GAATMP_x509keyfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgpcertfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpcertfile.arg1, gaa_getstr, GAATMP_pgpcertfile.size1); + gaa_index++; +#line 25 "serv.gaa" +{ gaaval->pgp_certfile = GAATMP_pgpcertfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgpkeyfile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyfile.arg1, gaa_getstr, 
GAATMP_pgpkeyfile.size1); + gaa_index++; +#line 22 "serv.gaa" +{ gaaval->pgp_keyfile = GAATMP_pgpkeyfile.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgptrustdb: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgptrustdb.arg1, gaa_getstr, GAATMP_pgptrustdb.size1); + gaa_index++; +#line 19 "serv.gaa" +{ gaaval->pgp_keyring = GAATMP_pgptrustdb.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_pgpkeyring: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_pgpkeyring.arg1, gaa_getstr, GAATMP_pgpkeyring.size1); + gaa_index++; +#line 16 "serv.gaa" +{ gaaval->pgp_keyring = GAATMP_pgpkeyring.arg1 ;}; + + return GAA_OK; + break; + case GAAOPTID_cafile: + OK = 0; + GAA_TESTMOREARGS; + GAA_FILL(GAATMP_cafile.arg1, gaa_getstr, GAATMP_cafile.size1); + gaa_index++; +#line 13 "serv.gaa" +{ gaaval->x509_cafile = GAATMP_cafile.arg1 ;}; + + return GAA_OK; + break; case GAAOPTID_http: OK = 0; #line 10 "serv.gaa" @@ -662,10 +892,14 @@ int gaa(int argc, char **argv, gaainfo *gaaval) if(inited == 0) { -#line 40 "serv.gaa" +#line 71 "serv.gaa" { gaaval->generate=0; gaaval->port=5556; gaaval->http=0; gaaval->ciphers=NULL; gaaval->kx=NULL; gaaval->comp=NULL; gaaval->macs=NULL; gaaval->ctype=NULL; gaaval->nciphers=0; - gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; ;}; + gaaval->nkx=0; gaaval->ncomp=0; gaaval->nmacs=0; gaaval->nctype = 0; + gaaval->x509_cafile = NULL; gaaval->pgp_keyfile=NULL; gaaval->pgp_certfile=NULL; + gaaval->x509_keyfile=NULL; gaaval->x509_certfile=NULL; gaaval->pgp_keyserver=NULL; + gaaval->srp_passwd=NULL; gaaval->srp_passwd_conf=NULL; + gaaval->pgp_trustdb=NULL; gaaval->pgp_keyring=NULL; ;}; } inited = 1; diff --git a/src/serv-gaa.h b/src/serv-gaa.h index 2f91a0075a..11237e39fa 100644 --- a/src/serv-gaa.h +++ b/src/serv-gaa.h 
@@ -8,30 +8,50 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 33 "serv.gaa" +#line 64 "serv.gaa" char **ctype; -#line 32 "serv.gaa" +#line 63 "serv.gaa" int nctype; -#line 29 "serv.gaa" +#line 60 "serv.gaa" char **kx; -#line 28 "serv.gaa" +#line 59 "serv.gaa" int nkx; -#line 25 "serv.gaa" +#line 56 "serv.gaa" char **macs; -#line 24 "serv.gaa" +#line 55 "serv.gaa" int nmacs; -#line 21 "serv.gaa" +#line 52 "serv.gaa" char **comp; -#line 20 "serv.gaa" +#line 51 "serv.gaa" int ncomp; -#line 17 "serv.gaa" +#line 48 "serv.gaa" char **proto; -#line 16 "serv.gaa" +#line 47 "serv.gaa" int nproto; -#line 13 "serv.gaa" +#line 44 "serv.gaa" char **ciphers; -#line 12 "serv.gaa" +#line 43 "serv.gaa" int nciphers; +#line 39 "serv.gaa" + char *srp_passwd_conf; +#line 36 "serv.gaa" + char *srp_passwd; +#line 33 "serv.gaa" + char *pgp_keyserver; +#line 30 "serv.gaa" + char *x509_certfile; +#line 27 "serv.gaa" + char *x509_keyfile; +#line 24 "serv.gaa" + char *pgp_certfile; +#line 21 "serv.gaa" + char *pgp_keyfile; +#line 18 "serv.gaa" + char *pgp_trustdb; +#line 15 "serv.gaa" + char *pgp_keyring; +#line 12 "serv.gaa" + char *x509_cafile; #line 9 "serv.gaa" int http; #line 6 "serv.gaa" diff --git a/src/serv.c b/src/serv.c index be2f1fece4..0228753329 100644 --- a/src/serv.c +++ b/src/serv.c @@ -28,24 +28,10 @@ #include <string.h> #include <unistd.h> #include "../lib/gnutls.h" -#include <common.h> +#include "common.h" #include <signal.h> -#include <serv-gaa.h> +#include "serv-gaa.h" -#define KEYFILE1 "x509/key.pem" -#define CERTFILE1 "x509/cert.pem" - -#define KEYFILE2 "x509/key-dsa.pem" -#define CERTFILE2 "x509/cert-dsa.pem" - -#define PGP_KEYFILE "openpgp/sec.asc" -#define PGP_CERTFILE "openpgp/pub.asc" - -#define CAFILE "x509/ca.pem" -#define CRLFILE NULL - -#define SRP_PASSWD "srp/tpasswd" -#define SRP_PASSWD_CONF "srp/tpasswd.conf" /* konqueror cannot handle sending the page in multiple * pieces. 
@@ -56,6 +42,18 @@ static int generate = 0; static int http = 0; static int port = 0; +char *srp_passwd; +char *srp_passwd_conf; +char *pgp_keyring; +char *pgp_trustdb; +char *pgp_keyserver; +char *pgp_keyfile; +char *pgp_certfile; +char *x509_keyfile; +char *x509_certfile; +char *x509_cafile; +char *x509_crlfile = NULL; + /* end of globals */ /* This is a sample TCP echo server. 
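Review bot: The ten new `char *` globals inserted after `static int port = 0;` are the only file-scope variables in this hunk without `static` (compare `generate`, `http` and `port` directly above), so they become external symbols; unless another translation unit is meant to read them, declare them `static char *srp_passwd;` etc. to keep them file-local like their neighbours. Only `x509_crlfile` carries an explicit `= NULL`; file-scope objects are zero-initialised anyway, so either drop it or initialise the whole group the same way for consistency. These presumably receive their values from `gaa_parser()` (declared `static` just before `main` in this file, body outside this hunk), and a one-line comment such as `/* filled in by gaa_parser() from the command line; NULL until then */` above the group would make that dependency visible to readers of `main`.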
@@ -96,87 +94,88 @@ GNUTLS_DH_PARAMS dh_params; static int generate_dh_primes(void) { - gnutls_datum prime, generator; - int i = 0; - - if (gnutls_dh_params_init( &dh_params) < 0) { - fprintf(stderr, "Error in dh parameter initialization\n"); - exit(1); - } - - do { - /* Generate Diffie Hellman parameters - for use with DHE - * kx algorithms. These should be discarded and regenerated - * once a day, once a week or once a month. Depends on the - * security requirements. - */ - printf - ("Generating Diffie Hellman parameters [%d]. Please wait...", - prime_nums[i]); - fflush(stdout); - - if (gnutls_dh_params_generate - (&prime, &generator, prime_nums[i]) < 0) { - fprintf(stderr, "Error in prime generation\n"); - exit(1); - } - - if (gnutls_dh_params_set - (dh_params, prime, generator, prime_nums[i]) < 0) { - fprintf(stderr, "Error in prime replacement\n"); - exit(1); - } - free(prime.data); - free(generator.data); - - } while (prime_nums[++i] != 0); - - return 0; + gnutls_datum prime, generator; + int i = 0; + + if (gnutls_dh_params_init(&dh_params) < 0) { + fprintf(stderr, "Error in dh parameter initialization\n"); + exit(1); + } + + do { + /* Generate Diffie Hellman parameters - for use with DHE + * kx algorithms. These should be discarded and regenerated + * once a day, once a week or once a month. Depends on the + * security requirements. + */ + printf + ("Generating Diffie Hellman parameters [%d]. 
Please wait...", + prime_nums[i]); + fflush(stdout); + + if (gnutls_dh_params_generate(&prime, &generator, prime_nums[i]) < 0) { + fprintf(stderr, "Error in prime generation\n"); + exit(1); + } + + if (gnutls_dh_params_set + (dh_params, prime, generator, prime_nums[i]) < 0) { + fprintf(stderr, "Error in prime replacement\n"); + exit(1); + } + free(prime.data); + free(generator.data); + + } while (prime_nums[++i] != 0); + + return 0; } int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; int kx_priority[16] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, -GNUTLS_KX_ANON_DH, 0 }; + GNUTLS_KX_ANON_DH, 0 +}; int cipher_priority[16] = { GNUTLS_CIPHER_RIJNDAEL_128_CBC, GNUTLS_CIPHER_3DES_CBC, -GNUTLS_CIPHER_ARCFOUR, 0 }; + GNUTLS_CIPHER_ARCFOUR, 0 +}; int comp_priority[16] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 }; int mac_priority[16] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 }; int cert_type_priority[16] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 }; GNUTLS_STATE initialize_state(void) { - GNUTLS_STATE state; - int ret; + GNUTLS_STATE state; + int ret; - gnutls_init(&state, GNUTLS_SERVER); - if ((ret = gnutls_db_set_name(state, "gnutls-rsm.db")) < 0) - fprintf(stderr, - "*** DB error (%d). Resuming will not be possible.\n\n", - ret); + gnutls_init(&state, GNUTLS_SERVER); + if ((ret = gnutls_db_set_name(state, "gnutls-rsm.db")) < 0) + fprintf(stderr, + "*** DB error (%d). Resuming will not be possible.\n\n", + ret); - /* null cipher is here only for debuging - * purposes. - */ - gnutls_cipher_set_priority(state, cipher_priority); - gnutls_compression_set_priority(state, comp_priority); - gnutls_kx_set_priority(state, kx_priority); - gnutls_protocol_set_priority(state, protocol_priority); - gnutls_mac_set_priority(state, mac_priority); - gnutls_cert_type_set_priority(state, cert_type_priority); + /* null cipher is here only for debuging + * purposes. 
+ */ + gnutls_cipher_set_priority(state, cipher_priority); + gnutls_compression_set_priority(state, comp_priority); + gnutls_kx_set_priority(state, kx_priority); + gnutls_protocol_set_priority(state, protocol_priority); + gnutls_mac_set_priority(state, mac_priority); + gnutls_cert_type_set_priority(state, cert_type_priority); - gnutls_dh_set_prime_bits(state, DEFAULT_PRIME_BITS); + gnutls_dh_set_prime_bits(state, DEFAULT_PRIME_BITS); - gnutls_cred_set(state, GNUTLS_CRD_ANON, dh_cred); - gnutls_cred_set(state, GNUTLS_CRD_SRP, srp_cred); - gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, cert_cred); + gnutls_cred_set(state, GNUTLS_CRD_ANON, dh_cred); + gnutls_cred_set(state, GNUTLS_CRD_SRP, srp_cred); + gnutls_cred_set(state, GNUTLS_CRD_CERTIFICATE, cert_cred); - gnutls_mac_set_priority(state, mac_priority); + gnutls_mac_set_priority(state, mac_priority); - gnutls_certificate_server_set_request(state, GNUTLS_CERT_REQUEST); + gnutls_certificate_server_set_request(state, GNUTLS_CERT_REQUEST); - return state; + return state; } /* Creates html with the current state information. 
@@ -184,67 +183,66 @@ GNUTLS_STATE initialize_state(void) #define tmp2 &http_buffer[strlen(http_buffer)] void peer_print_info(GNUTLS_STATE state) { - const char *tmp; - unsigned char sesid[32]; - int sesid_size, i; - - /* print session_id */ - gnutls_session_get_id(state, sesid, &sesid_size); - sprintf(tmp2, "\n<p>Session ID: <i>"); - for (i = 0; i < sesid_size; i++) - sprintf(tmp2, "%.2X", sesid[i]); - sprintf(tmp2, "</i></p>\n"); - - /* Here unlike print_info() we use the kx algorithm to distinguish - * the functions to call. - */ - - /* print srp specific data */ - if (gnutls_kx_get(state) == GNUTLS_KX_SRP) { - sprintf(tmp2, "<p>Connected as user '%s'.</p>\n", - gnutls_srp_server_get_username(state)); - } - - if (gnutls_kx_get(state) == GNUTLS_KX_ANON_DH) { - sprintf(tmp2, - "<p> Connect using anonymous DH (prime of %d bits)</p>\n", - gnutls_dh_get_prime_bits(state)); - } - - /* print state information */ - strcat(http_buffer, "<P>\n"); - - tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state)); - sprintf(tmp2, "Protocol version: <b>%s</b><br>\n", tmp); - - if (gnutls_auth_get_type(state) == GNUTLS_CRD_CERTIFICATE) { - tmp = - gnutls_cert_type_get_name(gnutls_cert_type_get(state)); - sprintf(tmp2, "Certificate Type: <b>%s</b><br>\n", tmp); - } - - tmp = gnutls_kx_get_name(gnutls_kx_get(state)); - sprintf(tmp2, "Key Exchange: <b>%s</b><br>\n", tmp); - - if (gnutls_kx_get(state) == GNUTLS_KX_DHE_RSA - || gnutls_kx_get(state) == GNUTLS_KX_DHE_DSS) { - sprintf(tmp2, - "Ephemeral DH using prime of <b>%d</b> bits.<br>\n", - gnutls_dh_get_prime_bits(state)); - } - - tmp = gnutls_compression_get_name(gnutls_compression_get(state)); - sprintf(tmp2, "Compression: <b>%s</b><br>\n", tmp); - - tmp = gnutls_cipher_get_name(gnutls_cipher_get(state)); - sprintf(tmp2, "Cipher: <b>%s</b><br>\n", tmp); - - tmp = gnutls_mac_get_name(gnutls_mac_get(state)); - sprintf(tmp2, "MAC: <b>%s</b><br>\n", tmp); - - strcat(http_buffer, "</P>\n"); - - return; + const char *tmp; + 
unsigned char sesid[32]; + int sesid_size, i; + + /* print session_id */ + gnutls_session_get_id(state, sesid, &sesid_size); + sprintf(tmp2, "\n<p>Session ID: <i>"); + for (i = 0; i < sesid_size; i++) + sprintf(tmp2, "%.2X", sesid[i]); + sprintf(tmp2, "</i></p>\n"); + + /* Here unlike print_info() we use the kx algorithm to distinguish + * the functions to call. + */ + + /* print srp specific data */ + if (gnutls_kx_get(state) == GNUTLS_KX_SRP) { + sprintf(tmp2, "<p>Connected as user '%s'.</p>\n", + gnutls_srp_server_get_username(state)); + } + + if (gnutls_kx_get(state) == GNUTLS_KX_ANON_DH) { + sprintf(tmp2, + "<p> Connect using anonymous DH (prime of %d bits)</p>\n", + gnutls_dh_get_prime_bits(state)); + } + + /* print state information */ + strcat(http_buffer, "<P>\n"); + + tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state)); + sprintf(tmp2, "Protocol version: <b>%s</b><br>\n", tmp); + + if (gnutls_auth_get_type(state) == GNUTLS_CRD_CERTIFICATE) { + tmp = gnutls_cert_type_get_name(gnutls_cert_type_get(state)); + sprintf(tmp2, "Certificate Type: <b>%s</b><br>\n", tmp); + } + + tmp = gnutls_kx_get_name(gnutls_kx_get(state)); + sprintf(tmp2, "Key Exchange: <b>%s</b><br>\n", tmp); + + if (gnutls_kx_get(state) == GNUTLS_KX_DHE_RSA + || gnutls_kx_get(state) == GNUTLS_KX_DHE_DSS) { + sprintf(tmp2, + "Ephemeral DH using prime of <b>%d</b> bits.<br>\n", + gnutls_dh_get_prime_bits(state)); + } + + tmp = gnutls_compression_get_name(gnutls_compression_get(state)); + sprintf(tmp2, "Compression: <b>%s</b><br>\n", tmp); + + tmp = gnutls_cipher_get_name(gnutls_cipher_get(state)); + sprintf(tmp2, "Cipher: <b>%s</b><br>\n", tmp); + + tmp = gnutls_mac_get_name(gnutls_mac_get(state)); + sprintf(tmp2, "MAC: <b>%s</b><br>\n", tmp); + + strcat(http_buffer, "</P>\n"); + + return; } /* actually something like readline. 
@@ -252,399 +250,437 @@ void peer_print_info(GNUTLS_STATE state) */ int read_request(GNUTLS_STATE state, char *data, int data_size, int rnl) { - int n, rc, nl = 0; - char c, *ptr, p1 = 0, p2 = 0; - - ptr = data; - for (n = 1; n < data_size; n++) { - do { - rc = gnutls_record_recv(state, &c, 1); - } while (rc == GNUTLS_E_INTERRUPTED - || rc == GNUTLS_E_AGAIN); - - if (rc == 1) { - *ptr++ = c; - if (c == '\n' && rnl == 1) - break; - - if (c == '\n' && p1 == '\r' && p2 == '\n') { - nl++; - if (nl == 1) - break; - } - p2 = p1; - p1 = c; - - } else if (rc == 0) { - if (n == 1) - return 0; - else - break; - } else { - return rc; - } - } - - *ptr = 0; - return n; + int n, rc, nl = 0; + char c, *ptr, p1 = 0, p2 = 0; + + ptr = data; + for (n = 1; n < data_size; n++) { + do { + rc = gnutls_record_recv(state, &c, 1); + } while (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN); + + if (rc == 1) { + *ptr++ = c; + if (c == '\n' && rnl == 1) + break; + + if (c == '\n' && p1 == '\r' && p2 == '\n') { + nl++; + if (nl == 1) + break; + } + p2 = p1; + p1 = c; + + } else if (rc == 0) { + if (n == 1) + return 0; + else + break; + } else { + return rc; + } + } + + *ptr = 0; + return n; } + void check_alert(GNUTLS_STATE state, int ret) { - int last_alert; - - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED - || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { - last_alert = gnutls_alert_get(state); - if (last_alert == GNUTLS_A_NO_RENEGOTIATION && - ret == GNUTLS_E_WARNING_ALERT_RECEIVED) - printf - ("* Received NO_RENEGOTIATION alert. Client Does not support renegotiation.\n"); - else - printf("* Received alert '%d'.\n", ret); - } + int last_alert; + + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED + || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { + last_alert = gnutls_alert_get(state); + if (last_alert == GNUTLS_A_NO_RENEGOTIATION && + ret == GNUTLS_E_WARNING_ALERT_RECEIVED) + printf + ("* Received NO_RENEGOTIATION alert. 
Client Does not support renegotiation.\n"); + else + printf("* Received alert '%d'.\n", ret); + } } static void gaa_parser(int argc, char **argv); int main(int argc, char **argv) { - int err, listen_sd, i; - int sd, ret; - struct sockaddr_in sa_serv; - struct sockaddr_in sa_cli; - int client_len; - char topbuf[512]; - GNUTLS_STATE state; - char buffer[MAX_BUF + 1]; - int optval = 1; - char name[256]; - - signal(SIGPIPE, SIG_IGN); - - gaa_parser(argc, argv); - - if (http == 1) { - strcpy(name, "HTTP Server"); - } else { - strcpy(name, "Echo Server"); - } - - if (gnutls_global_init() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } - - /* Note that servers must generate parameters for - * Diffie Hellman. See gnutls_dh_params_generate(), and - * gnutls_dh_params_set(). - */ - if (generate != 0) - generate_dh_primes(); - - if (gnutls_certificate_allocate_sc(&cert_cred) < 0) { - fprintf(stderr, "memory error\n"); - exit(1); - } - - if (gnutls_certificate_set_x509_trust_file - (cert_cred, CAFILE, CRLFILE) < 0) { - fprintf(stderr, - "X509 PARSE ERROR\nDid you have ca.pem?\n"); - exit(1); - } - - if (gnutls_certificate_set_openpgp_key_file - (cert_cred, PGP_CERTFILE, PGP_KEYFILE) < 0) { - fprintf(stderr, - "Error while reading the OpenPGP key pair\n"); - } - - gnutls_certificate_set_openpgp_keyserver(cert_cred, "wwwkeys.pgp.net", 0); - - if (gnutls_certificate_set_x509_key_file - (cert_cred, CERTFILE1, KEYFILE1) < 0) { - fprintf(stderr, - "X509 PARSE ERROR\nDid you have key.pem and cert.pem?\n"); - exit(1); - } - - if (gnutls_certificate_set_x509_key_file - (cert_cred, CERTFILE2, KEYFILE2) < 0) { - fprintf(stderr, - "X509 PARSE ERROR\nDid you have key.pem and cert.pem?\n"); - exit(1); - } - - if (generate!=0) - if (gnutls_certificate_set_dh_params(cert_cred, dh_params) < 0) { - fprintf(stderr, - "Error while setting DH parameters\n"); - exit(1); - } - - /* this is a password file (created with the included srpcrypt utility) - * Read 
README.crypt prior to using SRP. - */ - gnutls_srp_allocate_server_sc(&srp_cred); - gnutls_srp_set_server_cred_file(srp_cred, SRP_PASSWD, - SRP_PASSWD_CONF); - - gnutls_anon_allocate_server_sc(&dh_cred); - if (generate!=0) - gnutls_anon_set_server_dh_params( dh_cred, dh_params); - - listen_sd = socket(AF_INET, SOCK_STREAM, 0); - ERR(listen_sd, "socket"); - - memset(&sa_serv, '\0', sizeof(sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons(port); /* Server Port number */ - - setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, - sizeof(int)); - err = bind(listen_sd, (SA *) & sa_serv, sizeof(sa_serv)); - ERR(err, "bind"); - err = listen(listen_sd, 1024); - ERR(err, "listen"); - - printf("%s ready. Listening to port '%d'.\n\n", name, port); - - client_len = sizeof(sa_cli); - - for (;;) { - state = initialize_state(); - - sd = accept(listen_sd, (SA *) & sa_cli, &client_len); - - printf("- connection from %s, port %d\n", - inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf, - sizeof(topbuf)), ntohs(sa_cli.sin_port)); - - - gnutls_transport_set_ptr(state, sd); - do { - ret = gnutls_handshake(state); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - - if (ret < 0) { - close(sd); - gnutls_deinit(state); - fprintf(stderr, - "*** Handshake has failed (%s)\n\n", - gnutls_strerror(ret)); - check_alert(state, ret); - continue; - } - printf("- Handshake was completed\n"); - - print_info(state); - - i = 0; - for (;;) { - bzero(buffer, MAX_BUF + 1); - ret = - read_request(state, buffer, MAX_BUF, - (http == 0) ? 1 : 2); - - if (gnutls_error_is_fatal(ret) == 1 || ret == 0) { - fflush(stdout); - if (ret == 0) { - printf - ("\n- Peer has closed the GNUTLS connection\n"); - fflush(stdout); - break; - } else { - fprintf(stderr, - "\n*** Received corrupted data(%d). 
Closing the connection.\n\n", - ret); - break; - } - - } - - if (ret > 0) { - if (http == 0) { - printf - ("* Read %d bytes from client.\n", - strlen(buffer)); - do { - ret = - gnutls_record_send(state, - buffer, - strlen - (buffer)); - } while (ret == - GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - printf - ("* Wrote %d bytes to client.\n", - ret); - } else { - strcpy(http_buffer, HTTP_BEGIN); - peer_print_info(state); - strcat(http_buffer, HTTP_END); - do { - ret = - gnutls_record_send(state, - http_buffer, - strlen - (http_buffer)); - } while (ret == - GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - - printf - ("- Served request. Closing connection.\n"); - break; - } - } - i++; + int err, listen_sd, i; + int sd, ret; + struct sockaddr_in sa_serv; + struct sockaddr_in sa_cli; + int client_len; + char topbuf[512]; + GNUTLS_STATE state; + char buffer[MAX_BUF + 1]; + int optval = 1; + char name[256]; + + signal(SIGPIPE, SIG_IGN); + + gaa_parser(argc, argv); + + if (http == 1) { + strcpy(name, "HTTP Server"); + } else { + strcpy(name, "Echo Server"); + } + + if (gnutls_global_init() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } + + /* Note that servers must generate parameters for + * Diffie Hellman. See gnutls_dh_params_generate(), and + * gnutls_dh_params_set(). 
+ */ + if (generate != 0) + generate_dh_primes(); + + if (gnutls_certificate_allocate_sc(&cert_cred) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } + + if (x509_cafile != NULL) + if (gnutls_certificate_set_x509_trust_file + (cert_cred, x509_cafile, x509_crlfile) < 0) { + fprintf(stderr, "Error reading '%s'\n", x509_cafile); + exit(1); + } + + if (pgp_keyring != NULL) { + ret = + gnutls_certificate_set_openpgp_keyring_file(cert_cred, pgp_keyring); + if (ret < 0) { + fprintf(stderr, "Error setting the OpenPGP keyring file\n"); + } + } + + if (pgp_trustdb != NULL) { + gnutls_certificate_set_openpgp_trustdb(cert_cred, pgp_trustdb); + } + + if (pgp_certfile != NULL) + if (gnutls_certificate_set_openpgp_key_file + (cert_cred, pgp_certfile, pgp_keyfile) < 0) { + fprintf(stderr, + "Error while reading the OpenPGP key pair ('%s', '%s')\n", + pgp_certfile, pgp_keyfile); + } + + gnutls_certificate_set_openpgp_keyserver(cert_cred, pgp_keyserver, 0); + + if (x509_certfile != NULL) + if (gnutls_certificate_set_x509_key_file + (cert_cred, x509_certfile, x509_keyfile) < 0) { + fprintf(stderr, + "Error reading '%s' or '%s'\n", x509_certfile, + x509_keyfile); + exit(1); + } + + if (generate != 0) + if (gnutls_certificate_set_dh_params(cert_cred, dh_params) < 0) { + fprintf(stderr, "Error while setting DH parameters\n"); + exit(1); + } + + /* this is a password file (created with the included srpcrypt utility) + * Read README.crypt prior to using SRP. 
+ */ + gnutls_srp_allocate_server_sc(&srp_cred); + gnutls_srp_set_server_cred_file(srp_cred, srp_passwd, srp_passwd_conf); + + gnutls_anon_allocate_server_sc(&dh_cred); + if (generate != 0) + gnutls_anon_set_server_dh_params(dh_cred, dh_params); + + listen_sd = socket(AF_INET, SOCK_STREAM, 0); + ERR(listen_sd, "socket"); + + memset(&sa_serv, '\0', sizeof(sa_serv)); + sa_serv.sin_family = AF_INET; + sa_serv.sin_addr.s_addr = INADDR_ANY; + sa_serv.sin_port = htons(port); /* Server Port number */ + + setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(int)); + err = bind(listen_sd, (SA *) & sa_serv, sizeof(sa_serv)); + ERR(err, "bind"); + err = listen(listen_sd, 1024); + ERR(err, "listen"); + + printf("%s ready. Listening to port '%d'.\n\n", name, port); + + client_len = sizeof(sa_cli); + + for (;;) { + state = initialize_state(); + + sd = accept(listen_sd, (SA *) & sa_cli, &client_len); + + printf("- connection from %s, port %d\n", + inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf, + sizeof(topbuf)), ntohs(sa_cli.sin_port)); + + + gnutls_transport_set_ptr(state, sd); + do { + ret = gnutls_handshake(state); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + + if (ret < 0) { + close(sd); + gnutls_deinit(state); + fprintf(stderr, + "*** Handshake has failed (%s)\n\n", + gnutls_strerror(ret)); + check_alert(state, ret); + continue; + } + printf("- Handshake was completed\n"); + + print_info(state); + + i = 0; + for (;;) { + bzero(buffer, MAX_BUF + 1); + ret = read_request(state, buffer, MAX_BUF, (http == 0) ? 1 : 2); + + if (gnutls_error_is_fatal(ret) == 1 || ret == 0) { + fflush(stdout); + if (ret == 0) { + printf("\n- Peer has closed the GNUTLS connection\n"); + fflush(stdout); + break; + } else { + fprintf(stderr, + "\n*** Received corrupted data(%d). 
Closing the connection.\n\n", + ret); + break; + } + + } + + if (ret > 0) { + if (http == 0) { + printf("* Read %d bytes from client.\n", strlen(buffer)); + do { + ret = gnutls_record_send(state, buffer, strlen(buffer)); + } while (ret == + GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + printf("* Wrote %d bytes to client.\n", ret); + } else { + strcpy(http_buffer, HTTP_BEGIN); + peer_print_info(state); + strcat(http_buffer, HTTP_END); + do { + ret = + gnutls_record_send(state, + http_buffer, strlen(http_buffer)); + } while (ret == + GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + + printf("- Served request. Closing connection.\n"); + break; + } + } + i++; #ifdef RENEGOTIATE - if (i == 20) { - do { - ret = gnutls_rehandshake(state); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - - printf("* Requesting rehandshake.\n"); - /* continue handshake proccess */ - do { - ret = gnutls_handshake(state); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - printf("* Rehandshake returned %d\n", ret); - } + if (i == 20) { + do { + ret = gnutls_rehandshake(state); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + + printf("* Requesting rehandshake.\n"); + /* continue handshake proccess */ + do { + ret = gnutls_handshake(state); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + printf("* Rehandshake returned %d\n", ret); + } #endif - check_alert(state, ret); + check_alert(state, ret); - if (http != 0) { - break; /* close the connection */ - } - } - printf("\n"); - do { - ret = gnutls_bye(state, GNUTLS_SHUT_WR); - } while (ret == GNUTLS_E_INTERRUPTED - || ret == GNUTLS_E_AGAIN); - /* do not wait for - * the peer to close the connection. 
- */ - close(sd); - gnutls_deinit(state); + if (http != 0) { + break; /* close the connection */ + } + } + printf("\n"); + do { + ret = gnutls_bye(state, GNUTLS_SHUT_WR); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); + /* do not wait for + * the peer to close the connection. + */ + close(sd); + gnutls_deinit(state); - } - close(listen_sd); + } + close(listen_sd); - gnutls_certificate_free_sc(cert_cred); - gnutls_srp_free_server_sc(srp_cred); - gnutls_anon_free_server_sc(dh_cred); + gnutls_certificate_free_sc(cert_cred); + gnutls_srp_free_server_sc(srp_cred); + gnutls_anon_free_server_sc(dh_cred); - gnutls_global_deinit(); + gnutls_global_deinit(); - return 0; + return 0; } +#define DEFAULT_X509_KEYFILE "x509/key.pem" +#define DEFAULT_X509_CERTFILE "x509/cert.pem" + +#define DEFAULT_X509_KEYFILE2 "x509/key-dsa.pem" +#define DEFAULT_X509_CERTFILE2 "x509/cert-dsa.pem" + +#define DEFAULT_PGP_KEYFILE "openpgp/sec.asc" +#define DEFAULT_PGP_CERTFILE "openpgp/pub.asc" + +#define DEFAULT_X509_CAFILE "x509/ca.pem" +#define DEFAULT_X509_CRLFILE NULL; + +#define DEFAULT_SRP_PASSWD "srp/tpasswd" +#define DEFAULT_SRP_PASSWD_CONF "srp/tpasswd.conf" static gaainfo info; void gaa_parser(int argc, char **argv) { - int i, j; - - if (gaa(argc, argv, &info) != -1) { - fprintf(stderr, "Error in the arguments.\n"); - exit(1); - } - - if (info.http == 0) - http = 0; - else - http = 1; - - if (info.generate == 0) - generate = 0; - else - generate = 1; - - port = info.port; - - if (info.proto != NULL && info.nproto > 0) { - for (j = i = 0; i < info.nproto; i++) { - if (strncasecmp(info.proto[i], "SSL", 3) == 0) - protocol_priority[j++] = GNUTLS_SSL3; - if (strncasecmp(info.proto[i], "TLS", 3) == 0) - protocol_priority[j++] = GNUTLS_TLS1; - } - protocol_priority[j] = 0; - } - - if (info.ciphers != NULL && info.nciphers > 0) { - for (j = i = 0; i < info.nciphers; i++) { - if (strncasecmp(info.ciphers[i], "RIJ", 3) == 0) - cipher_priority[j++] = - 
GNUTLS_CIPHER_RIJNDAEL_128_CBC; - if (strncasecmp(info.ciphers[i], "TWO", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_TWOFISH_128_CBC; - if (strncasecmp(info.ciphers[i], "3DE", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_3DES_CBC; - if (strncasecmp(info.ciphers[i], "ARC", 3) == 0) - cipher_priority[j++] = - GNUTLS_CIPHER_ARCFOUR; - } - cipher_priority[j] = 0; - } - - if (info.macs != NULL && info.nmacs > 0) { - for (j = i = 0; i < info.nmacs; i++) { - if (strncasecmp(info.macs[i], "MD5", 3) == 0) - mac_priority[j++] = GNUTLS_MAC_MD5; - if (strncasecmp(info.macs[i], "SHA", 3) == 0) - mac_priority[j++] = GNUTLS_MAC_SHA; - } - mac_priority[j] = 0; - } - - if (info.ctype != NULL && info.nctype > 0) { - for (j = i = 0; i < info.nctype; i++) { - if (strncasecmp(info.ctype[i], "OPE", 3) == 0) - cert_type_priority[j++] = - GNUTLS_CRT_OPENPGP; - if (strncasecmp(info.ctype[i], "X", 1) == 0) - cert_type_priority[j++] = GNUTLS_CRT_X509; - } - cert_type_priority[j] = 0; - } - - if (info.kx != NULL && info.nkx > 0) { - for (j = i = 0; i < info.nkx; i++) { - if (strncasecmp(info.kx[i], "SRP", 3) == 0) - kx_priority[j++] = GNUTLS_KX_SRP; - if (strncasecmp(info.kx[i], "RSA", 3) == 0) - kx_priority[j++] = GNUTLS_KX_RSA; - if (strncasecmp(info.kx[i], "DHE_RSA", 7) == 0) - kx_priority[j++] = GNUTLS_KX_DHE_RSA; - if (strncasecmp(info.kx[i], "DHE_DSS", 7) == 0) - kx_priority[j++] = GNUTLS_KX_DHE_DSS; - if (strncasecmp(info.kx[i], "ANON", 4) == 0) - kx_priority[j++] = GNUTLS_KX_ANON_DH; - } - kx_priority[j] = 0; - } - - if (info.comp != NULL && info.ncomp > 0) { - for (j = i = 0; i < info.ncomp; i++) { - if (strncasecmp(info.comp[i], "NUL", 3) == 0) - comp_priority[j++] = GNUTLS_COMP_NULL; - if (strncasecmp(info.comp[i], "ZLI", 1) == 0) - comp_priority[j++] = GNUTLS_COMP_ZLIB; - } - comp_priority[j] = 0; - } + int i, j; + + if (gaa(argc, argv, &info) != -1) { + fprintf(stderr, + "Error in the arguments. 
Use the --help or -h parameters to get more information.\n"); + exit(1); + } + + if (info.http == 0) + http = 0; + else + http = 1; + + if (info.generate == 0) + generate = 0; + else + generate = 1; + + port = info.port; + + if (info.x509_certfile != NULL) + x509_certfile = info.x509_certfile; + else + x509_certfile = DEFAULT_X509_CERTFILE; + + if (info.x509_keyfile != NULL) + x509_keyfile = info.x509_keyfile; + else + x509_keyfile = DEFAULT_X509_KEYFILE; + + if (info.x509_cafile != NULL) + x509_cafile = info.x509_certfile; + else + x509_cafile = DEFAULT_X509_CAFILE; + + if (info.pgp_certfile != NULL) + pgp_certfile = info.pgp_certfile; + else + pgp_certfile = DEFAULT_PGP_CERTFILE; + + if (info.pgp_keyfile != NULL) + pgp_keyfile = info.pgp_keyfile; + else + pgp_keyfile = DEFAULT_PGP_KEYFILE; + + pgp_keyserver = info.pgp_keyserver; + + if (info.srp_passwd != NULL) + srp_passwd = info.srp_passwd; + else + srp_passwd = DEFAULT_SRP_PASSWD; + + if (info.srp_passwd_conf != NULL) + srp_passwd_conf = info.srp_passwd_conf; + else + srp_passwd_conf = DEFAULT_SRP_PASSWD_CONF; + + pgp_keyring = info.pgp_keyring; + pgp_trustdb = info.pgp_trustdb; + + if (info.proto != NULL && info.nproto > 0) { + for (j = i = 0; i < info.nproto; i++) { + if (strncasecmp(info.proto[i], "SSL", 3) == 0) + protocol_priority[j++] = GNUTLS_SSL3; + if (strncasecmp(info.proto[i], "TLS", 3) == 0) + protocol_priority[j++] = GNUTLS_TLS1; + } + protocol_priority[j] = 0; + } + + if (info.ciphers != NULL && info.nciphers > 0) { + for (j = i = 0; i < info.nciphers; i++) { + if (strncasecmp(info.ciphers[i], "RIJ", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC; + if (strncasecmp(info.ciphers[i], "TWO", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_TWOFISH_128_CBC; + if (strncasecmp(info.ciphers[i], "3DE", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_3DES_CBC; + if (strncasecmp(info.ciphers[i], "ARC", 3) == 0) + cipher_priority[j++] = GNUTLS_CIPHER_ARCFOUR; + } + cipher_priority[j] = 0; + 
} + + if (info.macs != NULL && info.nmacs > 0) { + for (j = i = 0; i < info.nmacs; i++) { + if (strncasecmp(info.macs[i], "MD5", 3) == 0) + mac_priority[j++] = GNUTLS_MAC_MD5; + if (strncasecmp(info.macs[i], "SHA", 3) == 0) + mac_priority[j++] = GNUTLS_MAC_SHA; + } + mac_priority[j] = 0; + } + + if (info.ctype != NULL && info.nctype > 0) { + for (j = i = 0; i < info.nctype; i++) { + if (strncasecmp(info.ctype[i], "OPE", 3) == 0) + cert_type_priority[j++] = GNUTLS_CRT_OPENPGP; + if (strncasecmp(info.ctype[i], "X", 1) == 0) + cert_type_priority[j++] = GNUTLS_CRT_X509; + } + cert_type_priority[j] = 0; + } + + if (info.kx != NULL && info.nkx > 0) { + for (j = i = 0; i < info.nkx; i++) { + if (strncasecmp(info.kx[i], "SRP", 3) == 0) + kx_priority[j++] = GNUTLS_KX_SRP; + if (strncasecmp(info.kx[i], "RSA", 3) == 0) + kx_priority[j++] = GNUTLS_KX_RSA; + if (strncasecmp(info.kx[i], "DHE_RSA", 7) == 0) + kx_priority[j++] = GNUTLS_KX_DHE_RSA; + if (strncasecmp(info.kx[i], "DHE_DSS", 7) == 0) + kx_priority[j++] = GNUTLS_KX_DHE_DSS; + if (strncasecmp(info.kx[i], "ANON", 4) == 0) + kx_priority[j++] = GNUTLS_KX_ANON_DH; + } + kx_priority[j] = 0; + } + + if (info.comp != NULL && info.ncomp > 0) { + for (j = i = 0; i < info.ncomp; i++) { + if (strncasecmp(info.comp[i], "NUL", 3) == 0) + comp_priority[j++] = GNUTLS_COMP_NULL; + if (strncasecmp(info.comp[i], "ZLI", 1) == 0) + comp_priority[j++] = GNUTLS_COMP_ZLIB; + } + comp_priority[j] = 0; + } + + } diff --git a/src/serv.gaa b/src/serv.gaa index d6afdb6788..35212faedf 100644 --- a/src/serv.gaa +++ b/src/serv.gaa @@ -1,4 +1,4 @@ -helpnode "serv help\nUsage: serv [options]" +helpnode "gnutls-serv help\nUsage: gnutls-serv [options]" #int generate; option (g, generate) { $generate = 1 } "Generate Diffie Hellman Parameters." 
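Review bot: The --cafile option is silently dropped in gaa_parser: the new branch reads `if (info.x509_cafile != NULL) x509_cafile = info.x509_certfile;`, so the CA path is replaced by whatever --x509certfile was given, or by NULL when it was not, in which case the `if (x509_cafile != NULL)` guard in main() skips gnutls_certificate_set_x509_trust_file altogether and no CA file is ever loaded; the line should be `x509_cafile = info.x509_cafile;`. In the same hunk x509_crlfile is passed to gnutls_certificate_set_x509_trust_file but never assigned in gaa_parser (presumably a file-scope global, so NULL), and `#define DEFAULT_X509_CRLFILE NULL;` carries a trailing semicolon that will break the first expression that uses it. gnutls_certificate_set_openpgp_keyserver is now called unconditionally with pgp_keyserver, which the gaa init block defaults to NULL where the old code passed a fixed host name; unless the library is known to accept NULL there, guard it like the other options with `if (pgp_keyserver != NULL)`. DEFAULT_X509_KEYFILE2/DEFAULT_X509_CERTFILE2 are defined but nothing loads a second key pair any more, so they are dead definitions.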
@@ -9,6 +9,37 @@ option (p, port) INT "integer" { $port = $1 } "The port to connect to." #int http; option (http) { $http = 1 } "Act as an HTTP Server." +#char *x509_cafile; +option (cafile) STR "FILE" { $x509_cafile = $1 } "Certificate file to use." + +#char *pgp_keyring; +option (pgpkeyring) STR "FILE" { $pgp_keyring = $1 } "PGP Key ring file to use." + +#char *pgp_trustdb; +option (pgptrustdb) STR "FILE" { $pgp_keyring = $1 } "PGP trustdb file to use." + +#char *pgp_keyfile; +option (pgpkeyfile) STR "FILE" { $pgp_keyfile = $1 } "PGP Key file to use." + +#char *pgp_certfile; +option (pgpcertfile) STR "FILE" { $pgp_certfile = $1 } "PGP Public Key (certificate) file to use." + +#char *x509_keyfile; +option (x509keyfile) STR "FILE" { $x509_keyfile = $1 } "X.509 key file to use." + +#char *x509_certfile; +option (x509certfile) STR "FILE" { $x509_certfile = $1 } "X.509 Certificate file to use." + +#char *pgp_keyserver; +option (pgpkeyserver) STR "FILE" { $pgp_keyserver = $1 } "PGP Keyserver to use." + +#char *srp_passwd; +option (srppasswd) STR "FILE" { $srp_passwd = $1 } "SRP password file to use." + +#char *srp_passwd_conf; +option (srppasswdconf) STR "FILE" { $srp_passwd_conf = $1 } "SRP password conf file to use." + + #int nciphers; #char **ciphers; option (ciphers) *STR "cipher1 cipher2..." { $ciphers = $1; $nciphers = @1 } "Ciphers to enable." @@ -39,7 +70,11 @@ option (h, help) { gaa_help(); exit(0); } "prints this help" init { $generate=0; $port=5556; $http=0; $ciphers=NULL; $kx=NULL; $comp=NULL; $macs=NULL; $ctype=NULL; $nciphers=0; - $nkx=0; $ncomp=0; $nmacs=0; $nctype = 0; } + $nkx=0; $ncomp=0; $nmacs=0; $nctype = 0; + $x509_cafile = NULL; $pgp_keyfile=NULL; $pgp_certfile=NULL; + $x509_keyfile=NULL; $x509_certfile=NULL; $pgp_keyserver=NULL; + $srp_passwd=NULL; $srp_passwd_conf=NULL; + $pgp_trustdb=NULL; $pgp_keyring=NULL; } ## diff --git a/src/tls_test-gaa.c b/src/tls_test-gaa.c index d6d068e3b2..5d1a62433e 100644 --- a/src/tls_test-gaa.c 
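Review bot: The new --pgptrustdb option writes to the wrong variable: `option (pgptrustdb) STR "FILE" { $pgp_keyring = $1 }` assigns the keyring, so giving --pgptrustdb silently overrides --pgpkeyring and $pgp_trustdb stays NULL from the init block; it should be `{ $pgp_trustdb = $1 }`. The help string for cafile, "Certificate file to use.", is also indistinguishable from the x509certfile description; "Certificate authority (CA) file to use." would tell the two apart in --help output.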
+++ b/src/tls_test-gaa.c @@ -104,7 +104,7 @@ void __gaa_helpsingle(char short_name, char *name, void gaa_help(void) { - printf("tls_test help\nUsage: tls_test [options] hostname""\n"); + printf("gnutls-cli-debug help\nUsage: gnutls-cli-debug [options] hostname""\n"); __gaa_helpsingle('p', "port", """integer"" ", "The port to connect to."); __gaa_helpsingle('h', "help", "", "prints this help"); diff --git a/src/tls_test.gaa b/src/tls_test.gaa index de04bd7478..571e059956 100644 --- a/src/tls_test.gaa +++ b/src/tls_test.gaa @@ -1,4 +1,4 @@ -helpnode "tls_test help\nUsage: tls_test [options] hostname" +helpnode "gnutls-cli-debug help\nUsage: gnutls-cli-debug [options] hostname" #int pp; option (p, port) INT "integer" { $pp = $1 } "The port to connect to." |