diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-08-02 01:43:04 +0000 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-08-02 01:43:04 +0000 |
| commit | f56ad1729fcc64ae1e2d3dbd12811a9847187ac0 (patch) | |
| tree | 5853a889461577f52374560448220f148699a441 /doc | |
| parent | dd2b711e9797c1183884b678527911532bdbfc09 (diff) | |
| download | gnutls-f56ad1729fcc64ae1e2d3dbd12811a9847187ac0.tar.gz | |
documentation fixes
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/tex/ex1.tex | 294 | ||||
| -rw-r--r-- | doc/tex/ex2.tex | 248 | ||||
| -rw-r--r-- | doc/tex/ex3.tex | 98 | ||||
| -rw-r--r-- | doc/tex/gnutls.tex | 19 | ||||
| -rw-r--r-- | doc/tex/serv1.tex | 360 | ||||
| -rw-r--r-- | doc/tex/srp1.tex | 235 |
6 files changed, 632 insertions, 622 deletions
diff --git a/doc/tex/ex1.tex b/doc/tex/ex1.tex index dc7ccba9f7..375fa499a7 100644 --- a/doc/tex/ex1.tex +++ b/doc/tex/ex1.tex @@ -16,153 +16,153 @@ int main() { - const char *PORT = "443"; - const char *SERVER = "127.0.0.1"; - int err, ret; - int sd, ii; - struct sockaddr_in sa; - GNUTLS_STATE state; - char buffer[MAX_BUF + 1]; - X509PKI_CLIENT_CREDENTIALS xcred; - /* variables used in session resuming */ - int t; - char *session; - char *session_id; - int session_size; - int session_id_size; - char *tmp_session_id; - int tmp_session_id_size; - - if (gnutls_global_init() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } - /* X509 stuff */ - if (gnutls_allocate_x509_client_sc(&xcred, 0) < 0) { /* no client private key */ - fprintf(stderr, "memory error\n"); - exit(1); - } - gnutls_set_x509_client_trust(xcred, CAFILE, CRLFILE); - - for (t = 0; t < 2; t++) { /* connect 2 times to the server */ - - sd = socket(AF_INET, SOCK_STREAM, 0); - memset(&sa, '\0', sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = htons(atoi(PORT)); - inet_pton(AF_INET, SERVER, &sa.sin_addr); - - err = connect(sd, (SA *) & sa, sizeof(sa)); - if (err < 0) { - fprintf(stderr, "Connect error"); - exit(1); - } - gnutls_init(&state, GNUTLS_CLIENT); - gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); - gnutls_set_cipher_priority(state, GNUTLS_3DES_CBC, GNUTLS_ARCFOUR, 0); - gnutls_set_compression_priority(state, GNUTLS_NULL_COMPRESSION, 0); - gnutls_set_kx_priority(state, GNUTLS_KX_RSA, 0); - gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); - - - gnutls_set_cred(state, GNUTLS_X509PKI, xcred); - gnutls_x509_set_cn(state, "www.host.com"); - - - if (t > 0) { /* if this is not the first time we connect */ - gnutls_set_current_session(state, session, session_size); - free(session); - } - /* Perform the TLS handshake - */ - ret = gnutls_handshake(sd, state); - - if (ret < 0) { - fprintf(stderr, "*** Handshake failed\n"); - gnutls_perror(ret); - goto end; - } else { - printf("- Handshake was completed\n"); - } - - if (t == 0) { /* the first time we connect */ - /* get the session data size */ - gnutls_get_current_session(state, NULL, &session_size); - session = malloc(session_size); - - /* put session data to the session variable */ - gnutls_get_current_session(state, session, &session_size); - - /* keep the current session ID. This is only needed - * in order to check if the server actually resumed this - * connection. - */ - gnutls_get_current_session_id(state, NULL, &session_id_size); - session_id = malloc(session_id_size); - gnutls_get_current_session_id(state, session_id, &session_id_size); - - } else { /* the second time we connect */ - - /* check if we actually resumed the previous session */ - gnutls_get_current_session_id(state, NULL, &tmp_session_id_size); - tmp_session_id = malloc(tmp_session_id_size); - gnutls_get_current_session_id(state, tmp_session_id, &tmp_session_id_size); - - if (memcmp(tmp_session_id, session_id, session_id_size) == 0) { - printf("- Previous session was resumed\n"); - } else { - fprintf(stderr, "*** Previous session was NOT resumed\n"); - } - free(tmp_session_id); - free(session_id); - } - - /* This function is defined in a previous example - */ - print_info(state); - - gnutls_write(sd, state, MSG, strlen(MSG)); - - ret = gnutls_read(sd, state, buffer, MAX_BUF); - if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { - if (ret == 0) { - printf("- Peer has closed the GNUTLS connection\n"); - goto end; - } else { - fprintf(stderr, "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", - ret); - goto end; - } - } else { - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) - printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); - if (ret == GNUTLS_E_GOT_HELLO_REQUEST) - printf("* Received HelloRequest message (server asked to rehandshake)\n"); - } - - if (ret > 0) { - printf("- Received %d bytes: ", ret); - for (ii = 0; ii < ret; ii++) { - fputc(buffer[ii], stdout); - } - fputs("\n", stdout); - } - gnutls_bye(sd, state, 0); - - end: - - shutdown(sd, SHUT_RDWR); /* no more receptions */ - close(sd); - - gnutls_deinit(state); - - } /* for() */ - - gnutls_free_x509_client_sc(xcred); - - gnutls_global_deinit(); - - return 0; + const char *PORT = "443"; + const char *SERVER = "127.0.0.1"; + int err, ret; + int sd, ii; + struct sockaddr_in sa; + GNUTLS_STATE state; + char buffer[MAX_BUF + 1]; + X509PKI_CLIENT_CREDENTIALS xcred; + /* variables used in session resuming */ + int t; + char *session; + char *session_id; + int session_size; + int session_id_size; + char *tmp_session_id; + int tmp_session_id_size; + + if (gnutls_global_init() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } + /* X509 stuff */ + if (gnutls_allocate_x509_client_sc(&xcred, 0) < 0) { /* no client private key */ + fprintf(stderr, "memory error\n"); + exit(1); + } + gnutls_set_x509_client_trust(xcred, CAFILE, CRLFILE); + + for (t = 0; t < 2; t++) { /* connect 2 times to the server */ + + sd = socket(AF_INET, SOCK_STREAM, 0); + memset(&sa, '\0', sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons(atoi(PORT)); + inet_pton(AF_INET, SERVER, &sa.sin_addr); + + err = connect(sd, (SA *) & sa, sizeof(sa)); + if (err < 0) { + fprintf(stderr, "Connect error"); + exit(1); + } + gnutls_init(&state, GNUTLS_CLIENT); + gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); + gnutls_set_cipher_priority(state, GNUTLS_3DES_CBC, GNUTLS_ARCFOUR, 0); + gnutls_set_compression_priority(state, GNUTLS_NULL_COMPRESSION, 0); + gnutls_set_kx_priority(state, GNUTLS_KX_RSA, 0); + gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); + + + gnutls_set_cred(state, GNUTLS_X509PKI, xcred); + gnutls_x509_set_cn(state, "www.host.com"); + + + if (t > 0) { /* if this is not the first time we connect */ + gnutls_set_current_session(state, session, session_size); + free(session); + } + /* Perform the TLS handshake + */ + ret = gnutls_handshake(sd, state); + + if (ret < 0) { + fprintf(stderr, "*** Handshake failed\n"); + gnutls_perror(ret); + goto end; + } else { + printf("- Handshake was completed\n"); + } + + if (t == 0) { /* the first time we connect */ + /* get the session data size */ + gnutls_get_current_session(state, NULL, &session_size); + session = malloc(session_size); + + /* put session data to the session variable */ + gnutls_get_current_session(state, session, &session_size); + + /* keep the current session ID. This is only needed + * in order to check if the server actually resumed this + * connection. + */ + gnutls_get_current_session_id(state, NULL, &session_id_size); + session_id = malloc(session_id_size); + gnutls_get_current_session_id(state, session_id, &session_id_size); + + } else { /* the second time we connect */ + + /* check if we actually resumed the previous session */ + gnutls_get_current_session_id(state, NULL, &tmp_session_id_size); + tmp_session_id = malloc(tmp_session_id_size); + gnutls_get_current_session_id(state, tmp_session_id, &tmp_session_id_size); + + if (memcmp(tmp_session_id, session_id, session_id_size) == 0) { + printf("- Previous session was resumed\n"); + } else { + fprintf(stderr, "*** Previous session was NOT resumed\n"); + } + free(tmp_session_id); + free(session_id); + } + + /* This function was defined in a previous example + */ + print_info(state); + + gnutls_write(sd, state, MSG, strlen(MSG)); + + ret = gnutls_read(sd, state, buffer, MAX_BUF); + if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { + if (ret == 0) { + printf("- Peer has closed the GNUTLS connection\n"); + goto end; + } else { + fprintf(stderr, "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", + ret); + goto end; + } + } else { + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) + printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); + if (ret == GNUTLS_E_GOT_HELLO_REQUEST) + printf("* Received HelloRequest message (server asked to rehandshake)\n"); + } + + if (ret > 0) { + printf("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); + } + fputs("\n", stdout); + } + gnutls_bye(sd, state, 0); + + end: + + shutdown(sd, SHUT_RDWR); /* no more receptions */ + close(sd); + + gnutls_deinit(state); + + } /* for() */ + + gnutls_free_x509_client_sc(xcred); + + gnutls_global_deinit(); + + return 0; } \end{verbatim} diff --git a/doc/tex/ex2.tex b/doc/tex/ex2.tex index 44c9aaadfa..2558ff8931 100644 --- a/doc/tex/ex2.tex +++ b/doc/tex/ex2.tex @@ -16,130 +16,130 @@ int main() { - const char *PORT = "443"; - const char *SERVER = "127.0.0.1"; - int err, ret; - int sd, ii; - struct sockaddr_in sa; - GNUTLS_STATE state; - char buffer[MAX_BUF + 1]; - X509PKI_CLIENT_CREDENTIALS xcred; - - if (gnutls_global_init() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } - /* X509 stuff */ - if (gnutls_allocate_x509_client_sc(&xcred, 0) < 0) { /* no client private key */ - fprintf(stderr, "memory error\n"); - exit(1); - } - /* set's the trusted cas file - */ - gnutls_set_x509_client_trust(xcred, CAFILE, CRLFILE); - - /* connects to server - */ - sd = socket(AF_INET, SOCK_STREAM, 0); - - memset(&sa, '\0', sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = htons(atoi(PORT)); - inet_pton(AF_INET, SERVER, &sa.sin_addr); - - err = connect(sd, (SA *) & sa, sizeof(sa)); - if (err < 0) { - fprintf(stderr, "Connect error\n"); - exit(1); - } - /* Initialize TLS state - */ - gnutls_init(&state, GNUTLS_CLIENT); - - /* allow both SSL3 and TLS1 - */ - gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); - - /* allow only ARCFOUR and 3DES ciphers - * (3DES has the highest priority) - */ - gnutls_set_cipher_priority(state, GNUTLS_3DES_CBC, GNUTLS_ARCFOUR, 0); - - /* only allow null compression - */ - gnutls_set_compression_priority(state, GNUTLS_NULL_COMPRESSION, 0); - - /* use GNUTLS_KX_RSA - */ - gnutls_set_kx_priority(state, GNUTLS_KX_RSA, 0); - - /* allow the usage of both SHA and MD5 - */ - gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); - - - /* put the x509 credentials to the current state - */ - gnutls_set_cred(state, GNUTLS_X509PKI, xcred); - - /* This should be the CN in the server's - * certificate. - */ - gnutls_x509_set_cn(state, "www.host.com"); - - - /* Perform the TLS handshake - */ - ret = gnutls_handshake(sd, state); - - if (ret < 0) { - fprintf(stderr, "*** Handshake failed\n"); - gnutls_perror(ret); - goto end; - } else { - printf("- Handshake was completed\n"); - } - - gnutls_write(sd, state, MSG, strlen(MSG)); - - ret = gnutls_read(sd, state, buffer, MAX_BUF); - if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { - if (ret == 0) { - printf("- Peer has closed the GNUTLS connection\n"); - goto end; - } else { - fprintf(stderr, "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", - ret); - goto end; - } - } else { - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) - printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); - if (ret == GNUTLS_E_GOT_HELLO_REQUEST) - printf("* Received HelloRequest message (server asked to rehandshake)\n"); - } - - if (ret > 0) { - printf("- Received %d bytes: ", ret); - for (ii = 0; ii < ret; ii++) { - fputc(buffer[ii], stdout); - } - fputs("\n", stdout); - } - gnutls_bye(sd, state, 0); - - end: - - shutdown(sd, SHUT_RDWR); /* no more receptions */ - close(sd); - - gnutls_deinit(state); - - gnutls_free_x509_client_sc(xcred); - - gnutls_global_deinit(); - - return 0; + const char *PORT = "443"; + const char *SERVER = "127.0.0.1"; + int err, ret; + int sd, ii; + struct sockaddr_in sa; + GNUTLS_STATE state; + char buffer[MAX_BUF + 1]; + X509PKI_CLIENT_CREDENTIALS xcred; + + if (gnutls_global_init() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } + /* X509 stuff */ + if (gnutls_allocate_x509_client_sc(&xcred, 0) < 0) { /* no client private key */ + fprintf(stderr, "memory error\n"); + exit(1); + } + /* set's the trusted cas file + */ + gnutls_set_x509_client_trust(xcred, CAFILE, CRLFILE); + + /* connects to server + */ + sd = socket(AF_INET, SOCK_STREAM, 0); + + memset(&sa, '\0', sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons(atoi(PORT)); + inet_pton(AF_INET, SERVER, &sa.sin_addr); + + err = connect(sd, (SA *) & sa, sizeof(sa)); + if (err < 0) { + fprintf(stderr, "Connect error\n"); + exit(1); + } + /* Initialize TLS state + */ + gnutls_init(&state, GNUTLS_CLIENT); + + /* allow both SSL3 and TLS1 + */ + gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); + + /* allow only ARCFOUR and 3DES ciphers + * (3DES has the highest priority) + */ + gnutls_set_cipher_priority(state, GNUTLS_3DES_CBC, GNUTLS_ARCFOUR, 0); + + /* only allow null compression + */ + gnutls_set_compression_priority(state, GNUTLS_NULL_COMPRESSION, 0); + + /* use GNUTLS_KX_RSA + */ + gnutls_set_kx_priority(state, GNUTLS_KX_RSA, 0); + + /* allow the usage of both SHA and MD5 + */ + gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); + + + /* put the x509 credentials to the current state + */ + gnutls_set_cred(state, GNUTLS_X509PKI, xcred); + + /* This should be the CN in the server's + * certificate. + */ + gnutls_x509_set_cn(state, "www.host.com"); + + + /* Perform the TLS handshake + */ + ret = gnutls_handshake(sd, state); + + if (ret < 0) { + fprintf(stderr, "*** Handshake failed\n"); + gnutls_perror(ret); + goto end; + } else { + printf("- Handshake was completed\n"); + } + + gnutls_write(sd, state, MSG, strlen(MSG)); + + ret = gnutls_read(sd, state, buffer, MAX_BUF); + if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { + if (ret == 0) { + printf("- Peer has closed the GNUTLS connection\n"); + goto end; + } else { + fprintf(stderr, "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", + ret); + goto end; + } + } else { + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) + printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); + if (ret == GNUTLS_E_GOT_HELLO_REQUEST) + printf("* Received HelloRequest message (server asked to rehandshake)\n"); + } + + if (ret > 0) { + printf("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); + } + fputs("\n", stdout); + } + gnutls_bye(sd, state, 0); + + end: + + shutdown(sd, SHUT_RDWR); /* no more receptions */ + close(sd); + + gnutls_deinit(state); + + gnutls_free_x509_client_sc(xcred); + + gnutls_global_deinit(); + + return 0; } \end{verbatim} diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex index bb6e8ace53..e22d22f899 100644 --- a/doc/tex/ex3.tex +++ b/doc/tex/ex3.tex @@ -1,66 +1,66 @@ -\begin {verbatim} +\begin{verbatim} int print_info(GNUTLS_STATE state) { - const char *tmp; - const X509PKI_CLIENT_AUTH_INFO *x509_info; + const char *tmp; + const X509PKI_CLIENT_AUTH_INFO *x509_info; - /* print the key exchange's algorithm name - */ - tmp = gnutls_kx_get_name(gnutls_get_current_kx(state)); - printf("- Key Exchange: %s\n", tmp); + /* print the key exchange's algorithm name + */ + tmp = gnutls_kx_get_name(gnutls_get_current_kx(state)); + printf("- Key Exchange: %s\n", tmp); - /* in case of X509 PKI - */ - if (gnutls_get_auth_info_type(state) == GNUTLS_X509PKI) { - x509_info = gnutls_get_auth_info(state); - if (x509_info != NULL) { - switch (x509_info->peer_certificate_status) { - case GNUTLS_CERT_NOT_TRUSTED: - printf("- Peer's X509 Certificate was NOT verified\n"); - break; - case GNUTLS_CERT_EXPIRED: - printf("- Peer's X509 Certificate was verified but is expired\n"); - break; - case GNUTLS_CERT_TRUSTED: - printf("- Peer's X509 Certificate was verified\n"); - break; - case GNUTLS_CERT_WRONG_CN: - /* the server's name - * is set by using the gnutls_set_x509_cn() function. - */ - printf("- Peer's X509 Certificate was verified but it does not match the server's name\n"); - break; - case GNUTLS_CERT_INVALID: - default: - printf("- Peer's X509 Certificate was invalid\n"); - break; + /* in case of X509 PKI + */ + if (gnutls_get_auth_info_type(state) == GNUTLS_X509PKI) { + x509_info = gnutls_get_auth_info(state); + if (x509_info != NULL) { + switch (x509_info->peer_certificate_status) { + case GNUTLS_CERT_NOT_TRUSTED: + printf("- Peer's X509 Certificate was NOT verified\n"); + break; + case GNUTLS_CERT_EXPIRED: + printf("- Peer's X509 Certificate was verified but is expired\n"); + break; + case GNUTLS_CERT_TRUSTED: + printf("- Peer's X509 Certificate was verified\n"); + break; + case GNUTLS_CERT_WRONG_CN: + /* the server's name + * is set by using the gnutls_set_x509_cn() function. + */ + printf("- Peer's X509 Certificate was verified but it does not match the server's name\n"); + break; + case GNUTLS_CERT_INVALID: + default: + printf("- Peer's X509 Certificate was invalid\n"); + break; - } - } - } - printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", x509_info->peer_certificate_version); + } + } + } + printf(" - Certificate info:\n"); + printf(" - Certificate version: #%d\n", x509_info->peer_certificate_version); - PRINT_DN(peer_dn); + PRINT_DN(peer_dn); - printf(" - Certificate Issuer's info:\n"); - PRINT_DN(issuer_dn); + printf(" - Certificate Issuer's info:\n"); + PRINT_DN(issuer_dn); - tmp = gnutls_version_get_name(gnutls_get_current_version(state)); - printf("- Version: %s\n", tmp); + tmp = gnutls_version_get_name(gnutls_get_current_version(state)); + printf("- Version: %s\n", tmp); - tmp = gnutls_compression_get_name(gnutls_get_current_compression_method(state)); - printf("- Compression: %s\n", tmp); + tmp = gnutls_compression_get_name(gnutls_get_current_compression_method(state)); + printf("- Compression: %s\n", tmp); - tmp = gnutls_cipher_get_name(gnutls_get_current_cipher(state)); - printf("- Cipher: %s\n", tmp); + tmp = gnutls_cipher_get_name(gnutls_get_current_cipher(state)); + printf("- Cipher: %s\n", tmp); - tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm(state)); - printf("- MAC: %s\n", tmp); + tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm(state)); + printf("- MAC: %s\n", tmp); - return 0; + return 0; } \end{verbatim} diff --git a/doc/tex/gnutls.tex b/doc/tex/gnutls.tex index 00ad2427d6..e9ea18e9c8 100644 --- a/doc/tex/gnutls.tex +++ b/doc/tex/gnutls.tex @@ -8,18 +8,29 @@ \maketitle \tableofcontents +\newpage \section{Introduction} \par gnuTLS is a library which implements the {\bf TLS 1.0} and {\bf SSL 3.0} protocols. -TLS stands for 'Transport Layer Security' and is the sucessor of SSL (Secure Sockets Layer). -{\bf TLS 1.0} is described is {\it RFC 2246} and is an Internet protocol (thus it's mostly used over TCP/IP), -that provides confidentiality, and authentication layers. Currently {\bf gnuTLS} implements: +TLS stands for 'Transport Layer Security' and is the sucessor of SSL\footnote{ +SSL or Secure Sockets Layer is a protocol designed by Netscape. TLS 1.0 is based on +{\bf SSL 3.0} protocol. {\bf SSL 2.0} is very old protocol which is vulnerable to several attacks. SSL 2.0 is not +implemented in gnuTLS}. +{\bf TLS 1.0} is described is {\it RFC 2246} and is an Internet protocol, +defined by IETF\footnote{IETF or Internet Engineering Task Force +is a large open international community of network +designers, operators, vendors, and researchers concerned with the evolution of +the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.} +that provides confidentiality, and authentication layers. +TLS is mostly used over {\bf TCP/IP} although this is not restrictive, you may +use it over any reliable transport layer. +Currently gnuTLS implements: \begin{itemize} \item the {\bf TLS 1.0} and {\bf{ SSL 3.0}} protocols, without any (US) export-controlled algorithms \item {\bf X509} Public Key Infrastructure (with several limitations). \item {\bf SRP} for TLS authentication. - \item {\bf TLS Extensions} + \item TLS {\bf Extensions} \end{itemize} \subsection{Confidentiality} diff --git a/doc/tex/serv1.tex b/doc/tex/serv1.tex index 26ffb6e16f..c605ab435b 100644 --- a/doc/tex/serv1.tex +++ b/doc/tex/serv1.tex @@ -27,7 +27,7 @@ #define SA struct sockaddr #define ERR(err,s) if(err==-1) {perror(s);return(1);} #define MAX_BUF 1024 -#define PORT 5556 /* listen to 5556 port */ +#define PORT 5556 /* listen to 5556 port */ /* These are global */ SRP_SERVER_CREDENTIALS srp_cred; @@ -35,67 +35,67 @@ X509PKI_SERVER_CREDENTIALS x509_cred; GNUTLS_STATE initialize_state() { - GNUTLS_STATE state; - int ret; + GNUTLS_STATE state; + int ret; - gnutls_init(&state, GNUTLS_SERVER); - - /* in order to support session resuming: - */ - if ((ret = gnutls_set_db_name(state, "gnutls-rsm.db")) < 0) - fprintf(stderr, "*** DB error (%d)\n\n", ret); + gnutls_init(&state, GNUTLS_SERVER); - gnutls_set_cipher_priority(state, GNUTLS_RIJNDAEL_CBC, GNUTLS_3DES_CBC, 0); - gnutls_set_compression_priority(state, GNUTLS_ZLIB, GNUTLS_NULL_COMPRESSION, 0); - gnutls_set_kx_priority(state, GNUTLS_KX_RSA, GNUTLS_KX_SRP, 0); - gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); - gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); + /* in order to support session resuming: + */ + if ((ret = gnutls_set_db_name(state, "gnutls-rsm.db")) < 0) + fprintf(stderr, "*** DB error (%d)\n\n", ret); - gnutls_set_cred(state, GNUTLS_SRP, srp_cred); - gnutls_set_cred(state, GNUTLS_X509PKI, x509_cred); + gnutls_set_cipher_priority(state, GNUTLS_RIJNDAEL_CBC, GNUTLS_3DES_CBC, 0); + gnutls_set_compression_priority(state, GNUTLS_ZLIB, GNUTLS_NULL_COMPRESSION, 0); + gnutls_set_kx_priority(state, GNUTLS_KX_RSA, GNUTLS_KX_SRP, 0); + gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); + gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); + gnutls_set_cred(state, GNUTLS_SRP, srp_cred); + gnutls_set_cred(state, GNUTLS_X509PKI, x509_cred); - return state; + + return state; } void print_info(GNUTLS_STATE state) { - const SRP_SERVER_AUTH_INFO *srp_info; - const char *tmp; - unsigned char sesid[32]; - int sesid_size, i; - - /* print session_id specific data */ - gnutls_get_current_session_id(state, sesid, &sesid_size); - printf("\n- Session ID: "); - for (i = 0; i < sesid_size; i++) - printf("%.2X", sesid[i]); - printf("\n"); - - /* print srp specific data */ - if (gnutls_get_auth_info_type(state) == GNUTLS_SRP) { - srp_info = gnutls_get_auth_info(state); - if (srp_info != NULL) - printf("\n- User '%s' connected\n", - srp_info->username); - } - /* print state information */ - tmp = gnutls_version_get_name(gnutls_get_current_version(state)); - printf("- Version: %s\n", tmp); - - tmp = gnutls_kx_get_name(gnutls_get_current_kx(state)); - printf("- Key Exchange: %s\n", tmp); - - tmp = - gnutls_compression_get_name - (gnutls_get_current_compression_method(state)); - printf("- Compression: %s\n", tmp); - - tmp = gnutls_cipher_get_name(gnutls_get_current_cipher(state)); - printf("- Cipher: %s\n", tmp); - - tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm(state)); - printf("- MAC: %s\n", tmp); + const SRP_SERVER_AUTH_INFO *srp_info; + const char *tmp; + unsigned char sesid[32]; + int sesid_size, i; + + /* print session_id specific data */ + gnutls_get_current_session_id(state, sesid, &sesid_size); + printf("\n- Session ID: "); + for (i = 0; i < sesid_size; i++) + printf("%.2X", sesid[i]); + printf("\n"); + + /* print srp specific data */ + if (gnutls_get_auth_info_type(state) == GNUTLS_SRP) { + srp_info = gnutls_get_auth_info(state); + if (srp_info != NULL) + printf("\n- User '%s' connected\n", + srp_info->username); + } + /* print state information */ + tmp = gnutls_version_get_name(gnutls_get_current_version(state)); + printf("- Version: %s\n", tmp); + + tmp = gnutls_kx_get_name(gnutls_get_current_kx(state)); + printf("- Key Exchange: %s\n", tmp); + + tmp = + gnutls_compression_get_name + (gnutls_get_current_compression_method(state)); + printf("- Compression: %s\n", tmp); + + tmp = gnutls_cipher_get_name(gnutls_get_current_cipher(state)); + printf("- Cipher: %s\n", tmp); + + tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm(state)); + printf("- MAC: %s\n", tmp); } @@ -103,133 +103,133 @@ void print_info(GNUTLS_STATE state) int main() { - int err, listen_sd, i; - int sd, ret; - struct sockaddr_in sa_serv; - struct sockaddr_in sa_cli; - int client_len; - char topbuf[512]; - GNUTLS_STATE state; - char buffer[MAX_BUF + 1]; - int optval = 1; - int http = 0; - char name[256]; - - strcpy(name, "Echo Server"); - - /* this must be called once in the program - */ - if (gnutls_global_init() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } - if (gnutls_allocate_x509_server_sc(&x509_cred, 1) < 0) { - fprintf(stderr, "memory error\n"); - exit(1); - } - if (gnutls_set_x509_server_trust(x509_cred, CAFILE, CRLFILE) < 0) { - fprintf(stderr, "X509 PARSE ERROR\nDid you have ca.pem?\n"); - exit(1); - } - if (gnutls_set_x509_server_key(x509_cred, CERTFILE, KEYFILE) < 0) { - fprintf(stderr, "X509 PARSE ERROR\nDid you have key.pem and cert.pem?\n"); - exit(1); - } - /* SRP_PASSWD a password file (created with the included crypt utility) - * Read README.crypt prior to using SRP. - */ - gnutls_allocate_srp_server_sc(&srp_cred); - gnutls_set_srp_server_cred(srp_cred, SRP_PASSWD, SRP_PASSWD_CONF); - - - /* Socket operations - */ - listen_sd = socket(AF_INET, SOCK_STREAM, 0); - ERR(listen_sd, "socket"); - - memset(&sa_serv, '\0', sizeof(sa_serv)); - sa_serv.sin_family = AF_INET; - sa_serv.sin_addr.s_addr = INADDR_ANY; - sa_serv.sin_port = htons(PORT); /* Server Port number */ - - setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(int)); - - err = bind(listen_sd, (SA *) & sa_serv, sizeof(sa_serv)); - ERR(err, "bind"); - err = listen(listen_sd, 1024); - ERR(err, "listen"); - - printf("%s ready. Listening to port '%d'.\n\n", name, PORT); - - client_len = sizeof(sa_cli); - for (;;) { - state = initialize_state(); - - sd = accept(listen_sd, (SA *) & sa_cli, &client_len); - - printf("- connection from %s, port %d\n", - inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf, - sizeof(topbuf)), ntohs(sa_cli.sin_port)); - - - ret = gnutls_handshake(sd, state); - if (ret < 0) { - close(sd); - gnutls_deinit(state); - fprintf(stderr, "*** Handshake has failed (%s)\n\n", - gnutls_strerror(ret)); - continue; - } - printf("- Handshake was completed\n"); - - print_info(state); - - i = 0; - for (;;) { - bzero(buffer, MAX_BUF + 1); - ret = gnutls_read(sd, state, buffer, MAX_BUF); - - if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { - if (ret == 0) { - printf - ("\n- Peer has closed the GNUTLS connection\n"); - break; - } else { - fprintf(stderr, - "\n*** Received corrupted data(%d). Closing the connection.\n\n", - ret); - break; - } - - } - if (ret > 0) { - /* echo data back to the client - */ - gnutls_write(sd, state, buffer, - strlen(buffer)); - } - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { - ret = gnutls_get_last_alert(state); - printf("* Received alert '%d'.\n", ret); - } - } - printf("\n"); - gnutls_bye(sd, state, 1); /* do not wait for - * the peer to close the connection. - */ - - close(sd); - gnutls_deinit(state); - - } - close(listen_sd); - - gnutls_free_x509_server_sc(x509_cred); - gnutls_free_srp_server_sc(srp_cred); - - gnutls_global_deinit(); - - return 0; + int err, listen_sd, i; + int sd, ret; + struct sockaddr_in sa_serv; + struct sockaddr_in sa_cli; + int client_len; + char topbuf[512]; + GNUTLS_STATE state; + char buffer[MAX_BUF + 1]; + int optval = 1; + int http = 0; + char name[256]; + + strcpy(name, "Echo Server"); + + /* this must be called once in the program + */ + if (gnutls_global_init() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } + if (gnutls_allocate_x509_server_sc(&x509_cred, 1) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } + if (gnutls_set_x509_server_trust(x509_cred, CAFILE, CRLFILE) < 0) { + fprintf(stderr, "X509 PARSE ERROR\nDid you have ca.pem?\n"); + exit(1); + } + if (gnutls_set_x509_server_key(x509_cred, CERTFILE, KEYFILE) < 0) { + fprintf(stderr, "X509 PARSE ERROR\nDid you have key.pem and cert.pem?\n"); + exit(1); + } + /* SRP_PASSWD a password file (created with the included crypt utility) + * Read README.crypt prior to using SRP. + */ + gnutls_allocate_srp_server_sc(&srp_cred); + gnutls_set_srp_server_cred(srp_cred, SRP_PASSWD, SRP_PASSWD_CONF); + + + /* Socket operations + */ + listen_sd = socket(AF_INET, SOCK_STREAM, 0); + ERR(listen_sd, "socket"); + + memset(&sa_serv, '\0', sizeof(sa_serv)); + sa_serv.sin_family = AF_INET; + sa_serv.sin_addr.s_addr = INADDR_ANY; + sa_serv.sin_port = htons(PORT); /* Server Port number */ + + setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(int)); + + err = bind(listen_sd, (SA *) & sa_serv, sizeof(sa_serv)); + ERR(err, "bind"); + err = listen(listen_sd, 1024); + ERR(err, "listen"); + + printf("%s ready. Listening to port '%d'.\n\n", name, PORT); + + client_len = sizeof(sa_cli); + for (;;) { + state = initialize_state(); + + sd = accept(listen_sd, (SA *) & sa_cli, &client_len); + + printf("- connection from %s, port %d\n", + inet_ntop(AF_INET, &sa_cli.sin_addr, topbuf, + sizeof(topbuf)), ntohs(sa_cli.sin_port)); + + + ret = gnutls_handshake(sd, state); + if (ret < 0) { + close(sd); + gnutls_deinit(state); + fprintf(stderr, "*** Handshake has failed (%s)\n\n", + gnutls_strerror(ret)); + continue; + } + printf("- Handshake was completed\n"); + + print_info(state); + + i = 0; + for (;;) { + bzero(buffer, MAX_BUF + 1); + ret = gnutls_read(sd, state, buffer, MAX_BUF); + + if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { + if (ret == 0) { + printf + ("\n- Peer has closed the GNUTLS connection\n"); + break; + } else { + fprintf(stderr, + "\n*** Received corrupted data(%d). Closing the connection.\n\n", + ret); + break; + } + + } + if (ret > 0) { + /* echo data back to the client + */ + gnutls_write(sd, state, buffer, + strlen(buffer)); + } + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { + ret = gnutls_get_last_alert(state); + printf("* Received alert '%d'.\n", ret); + } + } + printf("\n"); + gnutls_bye(sd, state, 1); /* do not wait for + * the peer to close the connection. + */ + + close(sd); + gnutls_deinit(state); + + } + close(listen_sd); + + gnutls_free_x509_server_sc(x509_cred); + gnutls_free_srp_server_sc(srp_cred); + + gnutls_global_deinit(); + + return 0; } diff --git a/doc/tex/srp1.tex b/doc/tex/srp1.tex index 0e986a6f7e..13fbfcc729 100644 --- a/doc/tex/srp1.tex +++ b/doc/tex/srp1.tex @@ -16,123 +16,122 @@ int main() { - const char *PORT = "443"; - const char *SERVER = "127.0.0.1"; - int err, ret; - int sd, ii; - struct sockaddr_in sa; - GNUTLS_STATE state; - char buffer[MAX_BUF + 1]; - SRP_CLIENT_CREDENTIALS xcred; - - if (gnutls_global_init() < 0) { - fprintf(stderr, "global state initialization error\n"); - exit(1); - } - - if (gnutls_allocate_srp_client_sc( &xcred)<0) { - fprintf(stderr, "memory error\n"); - exit(1); - } - gnutls_set_srp_client_cred( xcred, USERNAME, PASSWORD); - - /* connects to server - */ - sd = socket(AF_INET, SOCK_STREAM, 0); - - memset(&sa, '\0', sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = htons(atoi(PORT)); - inet_pton(AF_INET, SERVER, &sa.sin_addr); - - err = connect(sd, (SA *) & sa, sizeof(sa)); - if (err < 0) { - fprintf(stderr, "Connect error\n"); - exit(1); - } - /* Initialize TLS state - */ - gnutls_init(&state, GNUTLS_CLIENT); - - /* allow both SSL3 and TLS1 - */ - gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); - - /* allow only ARCFOUR and 3DES ciphers - * (3DES has the highest priority) - */ - gnutls_set_cipher_priority(state, GNUTLS_3DES_CBC, GNUTLS_ARCFOUR, 0); - - /* only allow null compression - */ - gnutls_set_compression_priority(state, GNUTLS_NULL_COMPRESSION, 0); - - /* use GNUTLS_KX_RSA - */ - gnutls_set_kx_priority(state, GNUTLS_KX_SRP, 0); - - /* allow the usage of both SHA and MD5 - */ - gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); - - - /* put the SRP credentials to the current state - */ - gnutls_set_cred(state, GNUTLS_SRP, xcred); - - - /* Perform the TLS handshake - */ - ret = gnutls_handshake(sd, state); - - if (ret < 0) { - fprintf(stderr, "*** Handshake failed\n"); - gnutls_perror(ret); - goto end; - } else { - printf("- Handshake was completed\n"); - } - - gnutls_write(sd, state, MSG, strlen(MSG)); - - ret = gnutls_read(sd, state, buffer, MAX_BUF); - if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { - if (ret == 0) { - printf("- Peer has closed the GNUTLS connection\n"); - goto end; - } else { - fprintf(stderr, "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", - ret); - goto end; - } - } else { - if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) - printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); - if (ret == GNUTLS_E_GOT_HELLO_REQUEST) - printf("* Received HelloRequest message (server asked to rehandshake)\n"); - } - - if (ret > 0) { - printf("- Received %d bytes: ", ret); - for (ii = 0; ii < ret; ii++) { - fputc(buffer[ii], stdout); - } - fputs("\n", stdout); - } - gnutls_bye(sd, state, 0); - - end: - - shutdown(sd, SHUT_RDWR); /* no more receptions */ - close(sd); - - gnutls_deinit(state); - - gnutls_free_srp_client_sc(xcred); - - gnutls_global_deinit(); - - return 0; + const char *PORT = "443"; + const char *SERVER = "127.0.0.1"; + int err, ret; + int sd, ii; + struct sockaddr_in sa; + GNUTLS_STATE state; + char buffer[MAX_BUF + 1]; + SRP_CLIENT_CREDENTIALS xcred; + + if (gnutls_global_init() < 0) { + fprintf(stderr, "global state initialization error\n"); + exit(1); + } + if (gnutls_allocate_srp_client_sc(&xcred) < 0) { + fprintf(stderr, "memory error\n"); + exit(1); + } + gnutls_set_srp_client_cred(xcred, USERNAME, PASSWORD); + + /* connects to server + */ + sd = socket(AF_INET, SOCK_STREAM, 0); + + memset(&sa, '\0', sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons(atoi(PORT)); + inet_pton(AF_INET, SERVER, &sa.sin_addr); + + err = connect(sd, (SA *) & sa, sizeof(sa)); + if (err < 0) { + fprintf(stderr, "Connect error\n"); + exit(1); + } + /* Initialize TLS state + */ + gnutls_init(&state, GNUTLS_CLIENT); + + /* allow both SSL3 and TLS1 + */ + gnutls_set_protocol_priority(state, GNUTLS_TLS1, GNUTLS_SSL3, 0); + + /* allow only ARCFOUR and 3DES ciphers + * (3DES has the highest priority) + */ + gnutls_set_cipher_priority(state, GNUTLS_3DES_CBC, GNUTLS_ARCFOUR, 0); + + /* only allow null compression + */ + gnutls_set_compression_priority(state, GNUTLS_NULL_COMPRESSION, 0); + + /* use GNUTLS_KX_RSA + */ + gnutls_set_kx_priority(state, GNUTLS_KX_SRP, 0); + + /* allow the usage of both SHA and MD5 + */ + gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); + + + /* put the SRP credentials to the current state + */ + gnutls_set_cred(state, GNUTLS_SRP, xcred); + + + /* Perform the TLS handshake + */ + ret = gnutls_handshake(sd, state); + + if (ret < 0) { + fprintf(stderr, "*** Handshake failed\n"); + gnutls_perror(ret); + goto end; + } else { + printf("- Handshake was completed\n"); + } + + gnutls_write(sd, state, MSG, strlen(MSG)); + + ret = gnutls_read(sd, state, buffer, MAX_BUF); + if (gnutls_is_fatal_error(ret) == 1 || ret == 0) { + if (ret == 0) { + printf("- Peer has closed the GNUTLS connection\n"); + goto end; + } else { + fprintf(stderr, "*** Received corrupted data(%d) - server has terminated the connection abnormally\n", + ret); + goto end; + } + } else { + if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) + printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); + if (ret == GNUTLS_E_GOT_HELLO_REQUEST) + printf("* Received HelloRequest message (server asked to rehandshake)\n"); + } + + if (ret > 0) { + printf("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); + } + fputs("\n", stdout); + } + gnutls_bye(sd, state, 0); + + end: + + shutdown(sd, SHUT_RDWR); /* no more receptions */ + close(sd); + + gnutls_deinit(state); + + gnutls_free_srp_client_sc(xcred); + + gnutls_global_deinit(); + + return 0; } -\end{verbatim}
\ No newline at end of file +\end{verbatim} |