-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | lib/auth_rsa.c | 25 | ||||
-rw-r--r-- | lib/gnutls_algorithms.h | 8 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 10 | ||||
-rw-r--r-- | lib/gnutls_int.h | 4 | ||||
-rw-r--r-- | lib/gnutls_pk.c | 15 | ||||
-rw-r--r-- | lib/gnutls_v2_compat.c | 4 | ||||
-rw-r--r-- | src/pkcs1.asn | 242 | ||||
-rw-r--r-- | src/serv.c | 47 |
9 files changed, 102 insertions, 255 deletions
diff --git a/configure.in b/configure.in index 95efe995d3..e3b1cee557 100644 --- a/configure.in +++ b/configure.in @@ -147,6 +147,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS) AC_CONFIG_COMMANDS([default],[[ cat lib/gnutls_errors_int.h >> lib/gnutls.h echo "" >> lib/gnutls.h + cat lib/cert_asn1.h >> lib/gnutls.h + echo "" >> lib/gnutls.h chmod -w lib/gnutls.h chmod +x lib/libgnutls-config ]],[[]]) diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c index d92622f514..04a4b4941c 100644 --- a/lib/auth_rsa.c +++ b/lib/auth_rsa.c @@ -30,6 +30,7 @@ #include "auth_x509.h" #include <gnutls_random.h> #include <gnutls_pk.h> +#include <gnutls_algorithms.h> #if 0 int gen_rsa_server_kx(GNUTLS_KEY, opaque **); @@ -398,11 +399,17 @@ int proc_rsa_client_kx( GNUTLS_KEY key, opaque* data, int data_size) { gnutls_datum ciphertext; int ret, dsize; - ciphertext.data = &data[2]; - dsize = READuint16(data); - ciphertext.size = GMIN(dsize, data_size); - + if ( _gnutls_version_ssl3(_gnutls_version_get(key->version.major, key->version.minor)) == 0 ) { + /* SSL 3.0 */ + ciphertext.data = data; + ciphertext.size = data_size; + } else { /* TLS 1 */ + ciphertext.data = &data[2]; + dsize = READuint16(data); + ciphertext.size = GMIN(dsize, data_size); + } ret = _gnutls_pkcs1_rsa_decrypt(&plaintext, ciphertext, key->u, key->A); + if ( ret < 0) { /* in case decryption fails then don't inform * the peer. Just use a random key. (in order to avoid 
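Review bot: In the TLS branch `ciphertext.size = GMIN(dsize, data_size);` bounds the ciphertext by the whole buffer even though `ciphertext.data` has been moved to `&data[2]`, so a two-byte length larger than the remaining payload lets `_gnutls_pkcs1_rsa_decrypt` read up to two bytes past the end of `data`; `READuint16(data)` itself also runs before anything establishes `data_size >= 2`. Change the cap to `ciphertext.size = GMIN(dsize, data_size - 2);` and guard the branch with `if (data_size < 2) { gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; }` (or whatever length error the file's other length checks already return). A length field that disagrees with `data_size - 2` would be better rejected than clamped, since the decrypt routine only ever sees the clamped size. `proc_rsa_client_kx` continues past the hunk.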
@@ -411,9 +418,19 @@ int proc_rsa_client_kx( GNUTLS_KEY key, opaque* data, int data_size) { gnutls_assert(); RANDOMIZE_X(key->key); } else { + ret = 0; if (plaintext.size != 48) { /* WOW */ RANDOMIZE_X(key->key); } else { + if (key->version.major != plaintext.data[0]) ret = GNUTLS_E_DECRYPTION_FAILED; + if (key->version.minor != plaintext.data[1]) ret = GNUTLS_E_DECRYPTION_FAILED; + if (ret != 0) { + _gnutls_mpi_release( &key->B); + _gnutls_mpi_release( &key->u); + _gnutls_mpi_release( &key->A); + gnutls_assert(); + return ret; + } key->key.data = plaintext.data; key->key.size = plaintext.size; } diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index e2e0f36473..a0186eb837 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h @@ -28,7 +28,7 @@ GNUTLS_Version _gnutls_version_get( int major, int minor); /* functions for macs */ int _gnutls_mac_get_digest_size(MACAlgorithm algorithm); -char* _gnutls_mac_get_name(MACAlgorithm algorithm); +char* gnutls_mac_get_name(MACAlgorithm algorithm); int _gnutls_mac_is_ok(MACAlgorithm algorithm); int _gnutls_mac_priority(GNUTLS_STATE state, MACAlgorithm algorithm); int _gnutls_mac_count(); @@ -54,7 +54,7 @@ int _gnutls_cipher_count(); int _gnutls_cipher_is_ok(BulkCipherAlgorithm algorithm); int _gnutls_cipher_get_key_size(BulkCipherAlgorithm algorithm); int _gnutls_cipher_get_iv_size(BulkCipherAlgorithm algorithm); -char *_gnutls_cipher_get_name(BulkCipherAlgorithm algorithm); +char *gnutls_cipher_get_name(BulkCipherAlgorithm algorithm); /* functions for key exchange */ int _gnutls_kx_priority(GNUTLS_STATE state, KXAlgorithm algorithm); @@ -75,7 +75,7 @@ int _gnutls_kx_client_cert_vrfy(KXAlgorithm algorithm); int _gnutls_kx_server_cert_vrfy(KXAlgorithm algorithm); MOD_AUTH_STRUCT * _gnutls_kx_auth_struct(KXAlgorithm algorithm); -char *_gnutls_kx_get_name(KXAlgorithm algorithm); +char *gnutls_kx_get_name(KXAlgorithm algorithm); int _gnutls_kx_is_ok(KXAlgorithm algorithm); int _gnutls_kx_count(); 
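Review bot: The new version check returns `GNUTLS_E_DECRYPTION_FAILED` while a bad PKCS#1 block a few lines earlier is silently replaced by a random key, so the peer can tell the two failures apart; the standard mitigation (later written into RFC 4346 §7.4.7.1) is to treat a wrong version exactly like bad padding — `RANDOMIZE_X(key->key);` and continue the handshake — instead of aborting. That also removes the need for the three `_gnutls_mpi_release` calls on the early-return path, which no other exit in the hunk performs. Separately, the `plaintext.size != 48` branch and the new early return never free `plaintext.data`; whether that is heap memory owned by the caller is not visible here (the gnutls_pk.c hunks show `_gnutls_pkcs1_rsa_decrypt` allocating `edata`, but not what it stores in `plaintext`), so confirm against the callee. `ret = 0` is set only in the else branch, so the `ret < 0` path still carries the decrypt error out of this block if it is returned later; the end of the function is outside the hunk.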
@@ -85,7 +85,7 @@ int _gnutls_compression_is_ok(CompressionMethod algorithm); int _gnutls_compression_count(); int _gnutls_compression_get_num(CompressionMethod algorithm); CompressionMethod _gnutls_compression_get_id(int num); -char *_gnutls_compression_get_name(CompressionMethod algorithm); +char *gnutls_compression_get_name(CompressionMethod algorithm); /* Type to KX mappings */ KXAlgorithm _gnutls_map_kx_get_kx(CredType type); diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 83f8a3cb5e..88b9847015 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -48,7 +48,7 @@ #define FALSE 0 static int SelectSuite(GNUTLS_STATE state, opaque ret[2], char *data, int datalen); -static int SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, opaque * data, int datalen); +int _gnutls_SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, opaque * data, int datalen); void _gnutls_set_server_random( GNUTLS_STATE state, uint8* random) { memcpy( state->security_parameters.server_random, random, 32); @@ -289,7 +289,6 @@ int _gnutls_read_client_hello(GNUTLS_STATE state, opaque * data, return GNUTLS_E_INSUFICIENT_CRED; } - /* set the MOD_AUTH_STRUCT to the appropriate struct * according to the KX algorithm. This is needed since all the * handshake functions are read from there; @@ -311,9 +310,12 @@ int _gnutls_read_client_hello(GNUTLS_STATE state, opaque * data, memcpy(&z, &data[pos++], 1); /* z is the number of compression methods */ DECR_LEN(len, z); - ret = SelectCompMethod(state, &state-> + ret = _gnutls_SelectCompMethod(state, &state-> gnutls_internals.compression_method, &data[pos], z); +#ifdef HARD_DEBUG + fprintf(stderr, "Selected Compression Method: %s\n", gnutls_compression_get_name(state->gnutls_internals.compression_method)); +#endif pos += z; if (ret < 0) { 
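Review bot: `int _gnutls_SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, opaque * data, int datalen);` is now written by hand at the top of gnutls_handshake.c and again in gnutls_v2_compat.c (that file's first hunk) instead of once in a shared header, so the two prototypes can drift from the definition in the @@ -473 hunk without a compiler complaint; declare it in the header that already carries the other `_gnutls_*` handshake declarations and drop both local copies. The `HARD_DEBUG` trace in the @@ -311 hunk passes `gnutls_compression_get_name(...)` straight to `%s`; if that lookup can return NULL for an unknown method (its body is not on this page) the trace itself is undefined behaviour, so either guard the pointer or print the numeric id. `_gnutls_read_client_hello` continues outside the hunk.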
@@ -473,7 +475,7 @@ static int SelectSuite(GNUTLS_STATE state, opaque ret[2], char *data, /* This selects the best supported compression method from the ones provided */ -static int SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, +int _gnutls_SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, opaque * data, int datalen) { int x, i, j; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index b581b6126c..22eb8e9462 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -27,9 +27,9 @@ #define WRITE_DEBUG #define BUFFERS_DEBUG #define HANDSHAKE_DEBUG -*/ #define HARD_DEBUG -#define DEBUG +*/#define DEBUG + #define LIST ... diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index 7cd01ab86f..5573385c28 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +/* This file contains function for RSA/DSA etc. + */ + #include <defines.h> #include <gnutls_int.h> #include <gnutls_gcry.h> @@ -25,6 +28,7 @@ #include <gnutls_errors.h> #include <gnutls_random.h> #include <gnutls_datum.h> +#include "debug.h" /* Do PKCS-1 RSA encryption. * pkey is the public key and n the modulus. @@ -114,7 +118,6 @@ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, gnutls_datum ciphertext, MPI *_pkey[2]; k = gcry_mpi_get_nbits(n) / 8; - esize = ciphertext.size; if (esize!=k) { @@ -124,7 +127,6 @@ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, gnutls_datum ciphertext, if (gcry_mpi_scan(&c, GCRYMPI_FMT_USG, ciphertext.data, &esize) != 0) { gnutls_assert(); - gnutls_free(edata); return GNUTLS_E_MPI_SCAN_FAILED; } 
@@ -140,13 +142,13 @@ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, gnutls_datum ciphertext, } gcry_mpi_print(GCRYMPI_FMT_USG, NULL, &esize, res); - edata = gnutls_malloc(esize); + edata = gnutls_malloc(esize+1); if (edata == NULL) { gnutls_assert(); gcry_mpi_release(res); return GNUTLS_E_MEMORY_ERROR; } - gcry_mpi_print(GCRYMPI_FMT_USG, edata, &esize, res); + gcry_mpi_print(GCRYMPI_FMT_USG, &edata[1], &esize, res); gcry_mpi_release(res); @@ -154,6 +156,9 @@ int _gnutls_pkcs1_rsa_decrypt(gnutls_datum * plaintext, gnutls_datum ciphertext, * (use block type 2) */ + edata[0] = 0; + esize++; + if (edata[0] != 0 || edata[1] != 2) { gnutls_assert(); gnutls_free(edata); @@ -201,7 +206,7 @@ int _gnutls_pk_encrypt(int algo, MPI * resarr, MPI data, MPI **pkey) /* make a sexp from pkey */ if (algo == GCRY_PK_RSA) { rc = gcry_sexp_build(&s_pkey, NULL, - "(public-key(rsa(p%m)(e%m)))", + "(public-key(rsa(n%m)(e%m)))", *pkey[0], *pkey[1]); } else { gnutls_assert(); diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c index ce4e2b5921..a7195f200b 100644 --- a/lib/gnutls_v2_compat.c +++ b/lib/gnutls_v2_compat.c @@ -37,6 +37,7 @@ #include "gnutls_random.h" #include "gnutls_auth_int.h" +int _gnutls_SelectCompMethod(GNUTLS_STATE state, CompressionMethod * ret, opaque * data, int datalen); /* This selects the best supported ciphersuite from the ones provided */ static int SelectSuite_v2(GNUTLS_STATE state, opaque ret[2], char *data, @@ -112,7 +113,6 @@ int _gnutls_read_client_hello_v2(GNUTLS_STATE state, opaque * data, int err; uint16 challenge; - /* we only want to get here once - only in client hello */ state->gnutls_internals.v2_hello = 0; @@ -249,5 +249,7 @@ int _gnutls_read_client_hello_v2(GNUTLS_STATE state, opaque * data, state->gnutls_internals.resumed = RESUME_FALSE; } + state->gnutls_internals.compression_method = GNUTLS_NULL_COMPRESSION; + return 0; } diff --git a/src/pkcs1.asn b/src/pkcs1.asn index 17855b194d..d76ffc7472 100644 --- a/src/pkcs1.asn 
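Review bot: After `gcry_mpi_print(GCRYMPI_FMT_USG, &edata[1], &esize, res);` the decrypted block is never compared with the modulus length `k` computed earlier in this function, and the `edata[0] = 0; esize++;` lines of the @@ -154 hunk make the `edata[0] != 0` half of the following check tautological: the MPI conversion strips leading zero bytes, so a k-byte plaintext of the form 00 00 02 … (not a valid block type 2) prints as 02 …, gains the prepended zero and passes `edata[1] == 2`. Add `if (esize != k - 1) { gnutls_assert(); gnutls_free(edata); return <same error as the existing edata[1] != 2 branch>; }` directly after the print, before the zero is prepended — equivalently, require `esize == k` after `esize++`. That restores the length property the original single check relied on and rejects short blocks through the same path as other malformed input. The rest of `_gnutls_pkcs1_rsa_decrypt`, including the return statement of the existing malformed-block branch, is outside the hunk.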
+++ b/src/pkcs1.asn 
@@ -9,188 +9,33 @@ DEFINITIONS EXPLICIT TAGS ::= BEGIN --- EXPORTS ALL -- --- All types and values defined in this module is exported for --- use in other ASN.1 modules. - -IMPORTS - -id-sha256, id-sha384, id-sha512 - FROM NIST-SHA2 {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) - nistalgorithm(4) modules (0) sha2 (1)}; - --- Basic object identifiers - --- The DER for this in hexadecimal is: --- 06 08 --- 2A 86 48 86 F7 0D 01 01 --- -pkcs-1 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1} - --- --- When the following OIDs are used in an AlgorithmIdentifier --- the parameters MUST be present and MUST be NULL. --- -rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } -md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } -md4WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 3 } -md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } -sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } -sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } -sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } -sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } - -rsaOAEPEncryptionSET OBJECT IDENTIFIER ::= { pkcs-1 6 } - --- --- When id-RSAES-OAEP is used in an AlgorithmIdentifier the --- parameters MUST be present and MUST be RSAES-OAEP-params. --- -id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 } - --- --- When id-mgf1 is used in an AlgorithmIdentifier the parameters --- MUST be present and MUST be a DigestAlgorithmIdentifier, for --- example SHA1Identifier. --- -id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 } - --- --- When id-pSpecified is used in an AlgorithmIdentifier the --- parameters MUST be an OCTET STRING. --- -id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 } - --- --- When id-RSASSA-PSS is used in an AlgorithmIdentifier the --- parameters MUST be present and MUST be RSASSA-PSS-params. 
--- -id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 } - --- --- This OID really belongs in a module with the secsig OIDs. --- -id-sha1 OBJECT IDENTIFIER ::= - {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } - --- Useful types - -ALGORITHM-IDENTIFIER ::= TYPE-IDENTIFIER - --- Note: the parameter InfoObjectSet in the following --- definitions allows a distinct information object --- set to be specified for sets of algorithms such as: --- DigestAlgorithms ALGORITHM-IDENTIFIER ::= { --- { NULL IDENTIFIED BY id-md2 }, --- { NULL IDENTIFIED BY id-md5 }, --- { NULL IDENTIFIED BY id-sha1 } --- } --- - -AlgorithmIdentifier { ALGORITHM-IDENTIFIER:InfoObjectSet } ::= SEQUENCE { - algorithm ALGORITHM-IDENTIFIER.&id({InfoObjectSet}), - parameters ALGORITHM-IDENTIFIER.&Type({InfoObjectSet} {@algorithm}) OPTIONAL - } - --- Algorithms - --- --- Allowed OAEP digest algorithms. --- -OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= { - { SHAParameters IDENTIFIED BY id-sha1 } | - { SHAParameters IDENTIFIED BY id-sha256 } | - { SHAParameters IDENTIFIED BY id-sha384 } | - { SHAParameters IDENTIFIED BY id-sha512 }, - ... -- Allows for future expansion - } - -sha1Identifier AlgorithmIdentifier {{ OAEP-PSSDigestAlgorithms }} ::= - {algorithm id-sha1, parameters SHAParameters : NULL} - -SHAParameters ::= NULL - --- --- Allowed Mask Generation Function algorithms. --- If the identifier is id-mgf1, the parameters --- are a single digest algorithm identifier. --- -PKCS1MGFAlgorithms ALGORITHM-IDENTIFIER ::= { - { MGF1Parameters IDENTIFIED BY id-mgf1 }, - ...-- Allows for future expansion - } - -MGF1Parameters ::= AlgorithmIdentifier { {OAEP-PSSDigestAlgorithms} } - --- --- Allowed algorithms for pSourceFunc. 
--- -PKCS1PSourceAlgorithms ALGORITHM-IDENTIFIER ::= { - { PEmptyString IDENTIFIED BY id-pSpecified }, - ...-- Allows for future expansion - } - -PEmptyString ::= OCTET STRING (SIZE(0)) - --- --- This identifier means that P is an empty string, so the digest --- of the empty string appears in the RSA block before masking. --- -pSpecifiedEmptyIdentifier AlgorithmIdentifier {{ PKCS1PSourceAlgorithms }} ::= - { algorithm id-pSpecified, parameters PEmptyString : ''H } - --- --- Default AlgorithmIdentifier for id-RSAES-OAEP.maskGenFunc. --- -mgf1SHA1Identifier AlgorithmIdentifier {{ PKCS1MGFAlgorithms }} ::= - {algorithm id-mgf1, - parameters AlgorithmIdentifier{{OAEP-PSSDigestAlgorithms}} : sha1Identifier} - --- --- Type identifier definitions for the PKCS #1 OIDs. --- -PKCS1Algorithms ALGORITHM-IDENTIFIER ::= { - { NULL IDENTIFIED BY rsaEncryption } | - { NULL IDENTIFIED BY md2WithRSAEncryption } | - { NULL IDENTIFIED BY md4WithRSAEncryption } | - { NULL IDENTIFIED BY md5WithRSAEncryption } | - { NULL IDENTIFIED BY sha1WithRSAEncryption } | - { NULL IDENTIFIED BY sha256WithRSAEncryption } | - { NULL IDENTIFIED BY sha384WithRSAEncryption } | - { NULL IDENTIFIED BY sha512WithRSAEncryption } | - { NULL IDENTIFIED BY rsaOAEPEncryptionSET } | - { RSAES-OAEP-params IDENTIFIED BY id-RSAES-OAEP } | - PKCS1PSourceAlgorithms | - { RSASSA-PSS-params IDENTIFIED BY id-RSASSA-PSS }, - ... -- Allows for future expansion - } -- Main structures RSAPublicKey ::= SEQUENCE { - modulus INTEGER, -- n - publicExponent INTEGER -- e - } + modulus INTEGER, -- n + publicExponent INTEGER -- e +} -- -- Representation of RSA private key with information for the -- CRT algorithm. 
-- RSAPrivateKey ::= SEQUENCE { - version Version, - modulus INTEGER, -- (Usually large) n - publicExponent INTEGER, -- (Usually small) e - privateExponent INTEGER, -- (Usually large) d - prime1 INTEGER, -- (Usually large) p + version Version, + modulus INTEGER, -- (Usually large) n + publicExponent INTEGER, -- (Usually small) e + privateExponent INTEGER, -- (Usually large) d + prime1 INTEGER, -- (Usually large) p prime2 INTEGER, -- (Usually large) q exponent1 INTEGER, -- (Usually large) d mod (p-1) exponent2 INTEGER, -- (Usually large) d mod (q-1) coefficient INTEGER, -- (Usually large) (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL - } +} Version ::= INTEGER { two-prime(0), multi(1) } - (CONSTRAINED BY {-- version must be multi if otherPrimeInfos present --}) +-- (CONSTRAINED BY {-- version must be multi if otherPrimeInfos present --}) OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo 
@@ -198,70 +43,7 @@ OtherPrimeInfo ::= SEQUENCE { prime INTEGER, -- ri exponent INTEGER, -- di coefficient INTEGER -- ti - } - --- --- AlgorithmIdentifier.parameters for id-RSAES-OAEP. --- Note that the tags in this Sequence are explicit. --- -RSAES-OAEP-params ::= SEQUENCE { - hashFunc [0] AlgorithmIdentifier { {OAEP-PSSDigestAlgorithms} } - DEFAULT sha1Identifier, - maskGenFunc [1] AlgorithmIdentifier { {PKCS1MGFAlgorithms} } - DEFAULT mgf1SHA1Identifier, - pSourceFunc [2] AlgorithmIdentifier { {PKCS1PSourceAlgorithms} } - DEFAULT pSpecifiedEmptyIdentifier - } - --- --- Identifier for default RSAES-OAEP algorithm identifier --- The DER Encoding of this is in hexadecimal: --- 30 0D --- 06 09 --- 2A 86 48 86 F7 0D 01 01 07 --- 30 00 --- Notice that the DER encoding of default values --- is "empty". --- - -rSAES-OAEP-Default-Identifier AlgorithmIdentifier{ {PKCS1Algorithms} } ::= - {algorithm id-RSAES-OAEP, - parameters RSAES-OAEP-params : { - hashFunc sha1Identifier, - maskGenFunc mgf1SHA1Identifier, - pSourceFunc pSpecifiedEmptyIdentifier - } - } - - --- --- AlgorithmIdentifier.parameters for id-RSASSA-PSS. --- Note that the tags in this Sequence are explicit. --- -RSASSA-PSS-params ::= SEQUENCE { - hashFunc [0] AlgorithmIdentifier {{OAEP-PSSDigestAlgorithms}} - DEFAULT sha1Identifier, - maskGenFunc [1] AlgorithmIdentifier {{PKCS1MGFAlgorithms}} - DEFAULT mgf1SHA1Identifier - } - --- --- Identifier for default RSASSA-PSS algorithm identifier --- The DER Encoding of this is in hexadecimal: --- 30 0D --- 06 09 --- 2A 86 48 86 F7 0D 01 01 0A --- 30 00 --- Notice that the DER encoding of default values --- is "empty". --- -rSASSA-PSS-Default-Identifier AlgorithmIdentifier{ {PKCS1Algorithms} } ::= - {algorithm id-RSASSA-PSS, - parameters RSASSA-PSS-params : { - hashFunc sha1Identifier, - maskGenFunc mgf1SHA1Identifier - } - } +} -END -- PKCS1Definitions +END
\ No newline at end of file diff --git a/src/serv.c b/src/serv.c index 126c57fd4c..d45648ebed 100644 --- a/src/serv.c +++ b/src/serv.c @@ -30,6 +30,35 @@ #include "../lib/gnutls.h" #include <port.h> +#define PKIX "pkix.asn" +#define PKCS "pkcs1.asn" +#define KEYFILE "key.pem" +#define CERTFILE "cert.pem" +void PARSE() { + int result=parser_asn1(PKIX); + + if(result==ASN_SYNTAX_ERROR){ + printf("%s: PARSE ERROR\n", PKIX); + return; + } + else if(result==ASN_IDENTIFIER_NOT_FOUND){ + printf("%s: IDENTIFIER NOT FOUND\n", PKIX); + return; + } + + result=parser_asn1(PKCS); + + if(result==ASN_SYNTAX_ERROR){ + printf("%s: PARSE ERROR\n", PKCS); + return; + } + else if(result==ASN_IDENTIFIER_NOT_FOUND){ + printf("%s: IDENTIFIER NOT FOUND\n", PKCS); + return; + } + +} + #define SA struct sockaddr #define ERR(err,s) if(err==-1) {perror(s);return(1);} #define MAX_BUF 100 @@ -51,7 +80,15 @@ int main() const SRP_AUTH_INFO *srp_info; ANON_SERVER_CREDENTIALS dh_cred; const ANON_AUTH_INFO *dh_info; + X509PKI_SERVER_CREDENTIALS x509_cred; + + PARSE(); + if ( gnutls_read_certs( &x509_cred, CERTFILE, KEYFILE) < 0 ) { + fprintf(stderr, "X509 PARSE ERROR\n"); + return -1; + } + /* this is a password file (created with the included crypt utility) * Read README.crypt prior to using SRP. */ @@ -75,7 +112,7 @@ int main() err = listen(listen_sd, 1024); ERR(err, "listen"); - + printf("Echo server ready. Listening to port '%d'.\n\n", PORT); client_len = sizeof(sa_cli); for (;;) { 
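Review bot: `PARSE()` reports a failed `parser_asn1()` only through `printf` and returns `void`, so `main` in the @@ -51 hunk continues after a parse error and calls `gnutls_read_certs` with no ASN.1 definitions loaded. Make it `static int PARSE(void)`, return non-zero on every error path, and check it at the call site: `if (PARSE() != 0) return -1;`. Writing the diagnostics to `stderr` keeps them out of the echo server's normal output, and `(void)` turns the old-style declaration into a real prototype; a result that matches neither error constant is still treated as success, as it is now.
```c
static int PARSE(void) {
    int result = parser_asn1(PKIX);

    if (result == ASN_SYNTAX_ERROR) {
        fprintf(stderr, "%s: PARSE ERROR\n", PKIX);
        return -1;
    } else if (result == ASN_IDENTIFIER_NOT_FOUND) {
        fprintf(stderr, "%s: IDENTIFIER NOT FOUND\n", PKIX);
        return -1;
    }

    result = parser_asn1(PKCS);
    /* … unchanged: the same two checks for PKCS, each now returning -1 … */
    return 0;
}
```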
@@ -85,15 +122,15 @@ int main() gnutls_set_cipher_priority(state, GNUTLS_TWOFISH, GNUTLS_RIJNDAEL, GNUTLS_3DES, - GNUTLS_ARCFOUR, 0); - gnutls_set_compression_priority(state, GNUTLS_ZLIB, - GNUTLS_NULL_COMPRESSION, + 0); + gnutls_set_compression_priority(state, GNUTLS_NULL_COMPRESSION, 0); - gnutls_set_kx_priority(state, GNUTLS_KX_SRP, + gnutls_set_kx_priority(state, GNUTLS_KX_RSA, GNUTLS_KX_SRP, GNUTLS_KX_DH_ANON, 0); gnutls_set_cred(state, GNUTLS_ANON, &dh_cred); gnutls_set_cred(state, GNUTLS_SRP, &srp_cred); + gnutls_set_cred(state, GNUTLS_X509PKI, &x509_cred); gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); |