diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-01-24 20:58:09 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-01-24 21:01:26 +0100 |
commit | 172edf8fe210e6c6554b95d6f0de3c849019d1a4 (patch) | |
tree | 69af36916bfb251fc8802f138dfacf0daddc56a2 | |
parent | 1a6cc0534fec3023e94878a9bd89918bb84244cb (diff) | |
download | gnutls-172edf8fe210e6c6554b95d6f0de3c849019d1a4.tar.gz |
Added functions to allow quering a priority structure.
That is to allow more information being extracted than only the ciphersuites.
gnutls_priority_certificate_type_list: Added
gnutls_priority_sign_list: Added
gnutls_priority_protocol_list: Added
gnutls_priority_compression_list: Added
gnutls_priority_ecc_curve_list: Added
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | doc/cha-programs.texi | 18 | ||||
-rw-r--r-- | lib/gnutls_priority.c | 105 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 6 | ||||
-rw-r--r-- | lib/libgnutls.map | 5 | ||||
-rw-r--r-- | src/common.c | 1280 |
6 files changed, 842 insertions, 578 deletions
@@ -26,6 +26,12 @@ gnutls_x509_crt_get_authority_key_gn_serial: Added gnutls_x509_crl_get_authority_key_gn_serial: Added gnutls_pkcs11_reinit: Added gnutls_ecc_list: Added +gnutls_priority_certificate_type_list: Added +gnutls_priority_sign_list: Added +gnutls_priority_protocol_list: Added +gnutls_priority_compression_list: Added +gnutls_priority_ecc_curve_list: Added + * Version 3.0.12 (released 2012-01-20) diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi index 4009261e2b..02d0d49df7 100644 --- a/doc/cha-programs.texi +++ b/doc/cha-programs.texi @@ -107,12 +107,18 @@ the handshake. @example $ ./gnutls-cli --priority SECURE192 -l Cipher suites for SECURE192 -TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2 -TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2 -TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2 -TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2 -TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2 -TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2 +TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2 +TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2 +TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2 +TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2 +TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2 +TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2 + +Certificate types: CTYPE-X.509 +Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0 +Compression: COMP-NULL +Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1 +PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512 @end example diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index 2848a6056d..59f43271db 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -1128,3 +1128,108 @@ void _gnutls_priority_prefer_aes_gcm(void) cipher_priority_performance = cipher_priority_performance_hw_aes; cipher_priority_normal = cipher_priority_normal_hw_aes; } + +/** + * gnutls_priority_ecc_curve_list: + * @pcache: is a #gnutls_prioritity_t structure. + * @list: will point to an integer list + * + * Get a list of available elliptic curves in the priority + * structure. + * + * Returns: the number of curves, or an error code. + * Since: 3.0.0 + **/ +int +gnutls_priority_ecc_curve_list (gnutls_priority_t pcache, const unsigned int** list) +{ + if (pcache->supported_ecc.algorithms == 0) + return 0; + + *list = pcache->supported_ecc.priority; + return pcache->supported_ecc.algorithms; +} + +/** + * gnutls_priority_compression_list: + * @pcache: is a #gnutls_prioritity_t structure. + * @list: will point to an integer list + * + * Get a list of available compression method in the priority + * structure. + * + * Returns: the number of methods, or an error code. + * Since: 3.0.0 + **/ +int +gnutls_priority_compression_list (gnutls_priority_t pcache, const unsigned int** list) +{ + if (pcache->compression.algorithms == 0) + return 0; + + *list = pcache->compression.priority; + return pcache->compression.algorithms; +} + +/** + * gnutls_priority_protocol_list: + * @pcache: is a #gnutls_prioritity_t structure. + * @list: will point to an integer list + * + * Get a list of available TLS version numbers in the priority + * structure. + * + * Returns: the number of protocols, or an error code. + * Since: 3.0.0 + **/ +int +gnutls_priority_protocol_list (gnutls_priority_t pcache, const unsigned int** list) +{ + if (pcache->protocol.algorithms == 0) + return 0; + + *list = pcache->protocol.priority; + return pcache->protocol.algorithms; +} + +/** + * gnutls_priority_sign_list: + * @pcache: is a #gnutls_prioritity_t structure. + * @list: will point to an integer list + * + * Get a list of available signature algorithms in the priority + * structure. + * + * Returns: the number of algorithms, or an error code. + * Since: 3.0.0 + **/ +int +gnutls_priority_sign_list (gnutls_priority_t pcache, const unsigned int** list) +{ + if (pcache->sign_algo.algorithms == 0) + return 0; + + *list = pcache->sign_algo.priority; + return pcache->sign_algo.algorithms; +} + +/** + * gnutls_priority_certificate_type_list: + * @pcache: is a #gnutls_prioritity_t structure. + * @list: will point to an integer list + * + * Get a list of available certificate types in the priority + * structure. + * + * Returns: the number of certificate types, or an error code. + * Since: 3.0.0 + **/ +int +gnutls_priority_certificate_type_list (gnutls_priority_t pcache, const unsigned int** list) +{ + if (pcache->cert_type.algorithms == 0) + return 0; + + *list = pcache->cert_type.priority; + return pcache->cert_type.algorithms; +} diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 344168a2e0..6730306743 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -921,6 +921,12 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session); const char *priorities, const char **err_pos); + int gnutls_priority_get_certificate_type_list (gnutls_priority_t pcache, const unsigned int** list); + int gnutls_priority_get_sign_list (gnutls_priority_t pcache, const unsigned int** list); + int gnutls_priority_get_protocol_list (gnutls_priority_t pcache, const unsigned int** list); + int gnutls_priority_get_compression_list (gnutls_priority_t pcache, const unsigned int** list); + int gnutls_priority_get_ecc_curve_list (gnutls_priority_t pcache, const unsigned int** list); + /* for compatibility */ int gnutls_set_default_priority (gnutls_session_t session); diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 229a65c4e2..e169a06170 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -766,6 +766,11 @@ GNUTLS_3_0_0 { gnutls_x509_crt_get_authority_key_gn_serial; gnutls_x509_crl_get_authority_key_gn_serial; gnutls_ecc_curve_list; + gnutls_priority_certificate_type_list; + gnutls_priority_sign_list; + gnutls_priority_protocol_list; + gnutls_priority_compression_list; + gnutls_priority_ecc_curve_list; } GNUTLS_2_12; GNUTLS_PRIVATE { diff --git a/src/common.c b/src/common.c index e01e9a07ca..dcaf421dcd 100644 --- a/src/common.c +++ b/src/common.c @@ -49,122 +49,137 @@ const char str_unknown[] = "(unknown)"; const char * raw_to_string (const unsigned char *raw, size_t raw_size) { - static char buf[1024]; - size_t i; - if (raw_size == 0) - return NULL; + static char buf[1024]; + size_t i; + if (raw_size == 0) + return NULL; - if (raw_size * 3 + 1 >= sizeof (buf)) - return NULL; + if (raw_size * 3 + 1 >= sizeof (buf)) + return NULL; - for (i = 0; i < raw_size; i++) - { - sprintf (&(buf[i * 3]), "%02X%s", raw[i], - (i == raw_size - 1) ? "" : ":"); - } - buf[sizeof (buf) - 1] = '\0'; + for (i = 0; i < raw_size; i++) + { + sprintf (&(buf[i * 3]), "%02X%s", raw[i], + (i == raw_size - 1) ? "" : ":"); + } + buf[sizeof (buf) - 1] = '\0'; - return buf; + return buf; } static void -print_x509_info (gnutls_session_t session, const char *hostname, int insecure) +print_x509_info (gnutls_session_t session, const char *hostname, + int insecure) { - gnutls_x509_crt_t crt; - const gnutls_datum_t *cert_list; - unsigned int cert_list_size = 0, j; - int hostname_ok = 0; - int ret; - - cert_list = gnutls_certificate_get_peers (session, &cert_list_size); - if (cert_list_size == 0) - { - fprintf (stderr, "No certificates found!\n"); - return; - } + gnutls_x509_crt_t crt; + const gnutls_datum_t *cert_list; + unsigned int cert_list_size = 0, j; + int hostname_ok = 0; + int ret; - printf (" - Got a certificate list of %d certificates.\n", cert_list_size); + cert_list = gnutls_certificate_get_peers (session, &cert_list_size); + if (cert_list_size == 0) + { + fprintf (stderr, "No certificates found!\n"); + return; + } - for (j = 0; j < cert_list_size; j++) - { - gnutls_datum_t cinfo; + printf (" - Got a certificate list of %d certificates.\n", + cert_list_size); - gnutls_x509_crt_init (&crt); - ret = gnutls_x509_crt_import (crt, &cert_list[j], GNUTLS_X509_FMT_DER); - if (ret < 0) - { - fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); - return; - } - - printf (" - Certificate[%d] info:\n - ", j); - - if (verbose) - ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo); - else - ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo); - if (ret == 0) - { - printf ("%s\n", cinfo.data); - gnutls_free (cinfo.data); - } - - if (print_cert) - { - size_t size = 0; - char *p = NULL; - - ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p, &size); - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) - { - p = malloc (size); - if (!p) - { - fprintf (stderr, "gnutls_malloc\n"); - exit (1); - } + for (j = 0; j < cert_list_size; j++) + { + gnutls_datum_t cinfo; - ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, - p, &size); - } + gnutls_x509_crt_init (&crt); + ret = + gnutls_x509_crt_import (crt, &cert_list[j], + GNUTLS_X509_FMT_DER); if (ret < 0) { - fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret)); - return; + fprintf (stderr, "Decoding error: %s\n", + gnutls_strerror (ret)); + return; } - fputs ("\n", stdout); - fputs (p, stdout); - fputs ("\n", stdout); - - gnutls_free (p); - } + printf (" - Certificate[%d] info:\n - ", j); - if (j == 0 && hostname != NULL) - { - /* Check the hostname of the first certificate if it matches - * the name of the host we connected to. - */ - if (gnutls_x509_crt_check_hostname (crt, hostname) == 0) - hostname_ok = 1; + if (verbose) + ret = + gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, + &cinfo); else - hostname_ok = 2; - } + ret = + gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, + &cinfo); + if (ret == 0) + { + printf ("%s\n", cinfo.data); + gnutls_free (cinfo.data); + } - gnutls_x509_crt_deinit (crt); - } + if (print_cert) + { + size_t size = 0; + char *p = NULL; + + ret = + gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p, + &size); + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) + { + p = malloc (size); + if (!p) + { + fprintf (stderr, "gnutls_malloc\n"); + exit (1); + } + + ret = + gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, + p, &size); + } + if (ret < 0) + { + fprintf (stderr, "Encoding error: %s\n", + gnutls_strerror (ret)); + return; + } + + fputs ("\n", stdout); + fputs (p, stdout); + fputs ("\n", stdout); + + gnutls_free (p); + } - if (hostname_ok == 1) - { - printf ("- The hostname in the certificate does NOT match '%s'\n", - hostname); - if (!insecure) - exit (1); - } - else if (hostname_ok == 2) - { - printf ("- The hostname in the certificate matches '%s'.\n", hostname); - } + if (j == 0 && hostname != NULL) + { + /* Check the hostname of the first certificate if it matches + * the name of the host we connected to. + */ + if (gnutls_x509_crt_check_hostname (crt, hostname) == 0) + hostname_ok = 1; + else + hostname_ok = 2; + } + + gnutls_x509_crt_deinit (crt); + } + + if (hostname_ok == 1) + { + printf + ("- The hostname in the certificate does NOT match '%s'\n", + hostname); + if (!insecure) + exit (1); + } + else if (hostname_ok == 2) + { + printf ("- The hostname in the certificate matches '%s'.\n", + hostname); + } } #ifdef ENABLE_OPENPGP @@ -174,94 +189,105 @@ print_openpgp_info (gnutls_session_t session, const char *hostname, int insecure) { - gnutls_openpgp_crt_t crt; - const gnutls_datum_t *cert_list; - unsigned int cert_list_size = 0; - int hostname_ok = 0; - int ret; + gnutls_openpgp_crt_t crt; + const gnutls_datum_t *cert_list; + unsigned int cert_list_size = 0; + int hostname_ok = 0; + int ret; - cert_list = gnutls_certificate_get_peers (session, &cert_list_size); + cert_list = gnutls_certificate_get_peers (session, &cert_list_size); - if (cert_list_size > 0) - { - gnutls_datum_t cinfo; - - gnutls_openpgp_crt_init (&crt); - ret = gnutls_openpgp_crt_import (crt, &cert_list[0], - GNUTLS_OPENPGP_FMT_RAW); - if (ret < 0) - { - fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); - return; - } - - if (verbose) - ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo); - else - ret = - gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo); - if (ret == 0) - { - printf (" - %s\n", cinfo.data); - gnutls_free (cinfo.data); - } - - if (print_cert) - { - size_t size = 0; - char *p = NULL; - - ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, - p, &size); - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) - { - p = malloc (size); - if (!p) - { - fprintf (stderr, "gnutls_malloc\n"); - exit (1); - } + if (cert_list_size > 0) + { + gnutls_datum_t cinfo; - ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, - p, &size); - } + gnutls_openpgp_crt_init (&crt); + ret = gnutls_openpgp_crt_import (crt, &cert_list[0], + GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { - fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret)); - return; + fprintf (stderr, "Decoding error: %s\n", + gnutls_strerror (ret)); + return; } - fputs (p, stdout); - fputs ("\n", stdout); + if (verbose) + ret = + gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_FULL, + &cinfo); + else + ret = + gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, + &cinfo); + if (ret == 0) + { + printf (" - %s\n", cinfo.data); + gnutls_free (cinfo.data); + } - gnutls_free (p); - } + if (print_cert) + { + size_t size = 0; + char *p = NULL; - if (hostname != NULL) - { - /* Check the hostname of the first certificate if it matches - * the name of the host we connected to. - */ - if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0) - hostname_ok = 1; - else - hostname_ok = 2; - } + ret = + gnutls_openpgp_crt_export (crt, + GNUTLS_OPENPGP_FMT_BASE64, + p, &size); + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) + { + p = malloc (size); + if (!p) + { + fprintf (stderr, "gnutls_malloc\n"); + exit (1); + } + + ret = + gnutls_openpgp_crt_export (crt, + GNUTLS_OPENPGP_FMT_BASE64, + p, &size); + } + if (ret < 0) + { + fprintf (stderr, "Encoding error: %s\n", + gnutls_strerror (ret)); + return; + } + + fputs (p, stdout); + fputs ("\n", stdout); + + gnutls_free (p); + } - gnutls_openpgp_crt_deinit (crt); - } + if (hostname != NULL) + { + /* Check the hostname of the first certificate if it matches + * the name of the host we connected to. + */ + if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0) + hostname_ok = 1; + else + hostname_ok = 2; + } - if (hostname_ok == 1) - { - printf ("- The hostname in the certificate does NOT match '%s'\n", - hostname); - if (!insecure) - exit (1); - } - else if (hostname_ok == 2) - { - printf ("- The hostname in the certificate matches '%s'.\n", hostname); - } + gnutls_openpgp_crt_deinit (crt); + } + + if (hostname_ok == 1) + { + printf + ("- The hostname in the certificate does NOT match '%s'\n", + hostname); + if (!insecure) + exit (1); + } + else if (hostname_ok == 2) + { + printf ("- The hostname in the certificate matches '%s'.\n", + hostname); + } } #endif @@ -269,300 +295,320 @@ print_openpgp_info (gnutls_session_t session, const char *hostname, static void print_cert_vrfy (gnutls_session_t session) { - int rc; - unsigned int status; + int rc; + unsigned int status; - rc = gnutls_certificate_verify_peers2 (session, &status); - if (rc < 0) - { - printf ("- Could not verify certificate (err: %s)\n", - gnutls_strerror (rc)); - return; - } + rc = gnutls_certificate_verify_peers2 (session, &status); + if (rc < 0) + { + printf ("- Could not verify certificate (err: %s)\n", + gnutls_strerror (rc)); + return; + } - if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND) - { - printf ("- Peer did not send any certificate.\n"); - return; - } + if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND) + { + printf ("- Peer did not send any certificate.\n"); + return; + } - if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509) - { - if (status & GNUTLS_CERT_REVOKED) - printf ("- Peer's certificate chain revoked\n"); - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - printf ("- Peer's certificate issuer is unknown\n"); - if (status & GNUTLS_CERT_SIGNER_NOT_CA) - printf ("- Peer's certificate issuer is not a CA\n"); - if (status & GNUTLS_CERT_INSECURE_ALGORITHM) - printf ("- Peer's certificate chain uses insecure algorithm\n"); - if (status & GNUTLS_CERT_NOT_ACTIVATED) - printf - ("- Peer's certificate chain uses not yet valid certificate\n"); - if (status & GNUTLS_CERT_EXPIRED) - printf ("- Peer's certificate chain uses expired certificate\n"); - if (status & GNUTLS_CERT_INVALID) - printf ("- Peer's certificate is NOT trusted\n"); - else - printf ("- Peer's certificate is trusted\n"); - } - else - { - if (status & GNUTLS_CERT_INVALID) - printf ("- Peer's key is invalid\n"); - else - printf ("- Peer's key is valid\n"); - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - printf ("- Could not find a signer of the peer's key\n"); - } + if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509) + { + if (status & GNUTLS_CERT_REVOKED) + printf ("- Peer's certificate chain revoked\n"); + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + printf ("- Peer's certificate issuer is unknown\n"); + if (status & GNUTLS_CERT_SIGNER_NOT_CA) + printf ("- Peer's certificate issuer is not a CA\n"); + if (status & GNUTLS_CERT_INSECURE_ALGORITHM) + printf + ("- Peer's certificate chain uses insecure algorithm\n"); + if (status & GNUTLS_CERT_NOT_ACTIVATED) + printf + ("- Peer's certificate chain uses not yet valid certificate\n"); + if (status & GNUTLS_CERT_EXPIRED) + printf + ("- Peer's certificate chain uses expired certificate\n"); + if (status & GNUTLS_CERT_INVALID) + printf ("- Peer's certificate is NOT trusted\n"); + else + printf ("- Peer's certificate is trusted\n"); + } + else + { + if (status & GNUTLS_CERT_INVALID) + printf ("- Peer's key is invalid\n"); + else + printf ("- Peer's key is valid\n"); + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + printf ("- Could not find a signer of the peer's key\n"); + } } static void print_dh_info (gnutls_session_t session, const char *str) { - printf ("- %sDiffie-Hellman parameters\n", str); - printf (" - Using prime: %d bits\n", gnutls_dh_get_prime_bits (session)); - printf (" - Secret key: %d bits\n", gnutls_dh_get_secret_bits (session)); - printf (" - Peer's public key: %d bits\n", - gnutls_dh_get_peers_public_bits (session)); + printf ("- %sDiffie-Hellman parameters\n", str); + printf (" - Using prime: %d bits\n", + gnutls_dh_get_prime_bits (session)); + printf (" - Secret key: %d bits\n", + gnutls_dh_get_secret_bits (session)); + printf (" - Peer's public key: %d bits\n", + gnutls_dh_get_peers_public_bits (session)); + + if (print_cert) + { + int ret; + gnutls_datum_t raw_gen = { NULL, 0 }; + gnutls_datum_t raw_prime = { NULL, 0 }; + gnutls_dh_params_t dh_params = NULL; + unsigned char *params_data = NULL; + size_t params_data_size = 0; + + ret = gnutls_dh_get_group (session, &raw_gen, &raw_prime); + if (ret) + { + fprintf (stderr, "gnutls_dh_get_group %d\n", ret); + goto out; + } - if (print_cert) - { - int ret; - gnutls_datum_t raw_gen = { NULL, 0 }; - gnutls_datum_t raw_prime = { NULL, 0 }; - gnutls_dh_params_t dh_params = NULL; - unsigned char *params_data = NULL; - size_t params_data_size = 0; - - ret = gnutls_dh_get_group (session, &raw_gen, &raw_prime); - if (ret) - { - fprintf (stderr, "gnutls_dh_get_group %d\n", ret); - goto out; - } - - ret = gnutls_dh_params_init (&dh_params); - if (ret) - { - fprintf (stderr, "gnutls_dh_params_init %d\n", ret); - goto out; - } - - ret = gnutls_dh_params_import_raw (dh_params, &raw_prime, &raw_gen); - if (ret) - { - fprintf (stderr, "gnutls_dh_params_import_raw %d\n", ret); - goto out; - } - - ret = gnutls_dh_params_export_pkcs3 (dh_params, - GNUTLS_X509_FMT_PEM, - params_data, ¶ms_data_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - fprintf (stderr, "gnutls_dh_params_export_pkcs3 %d\n", ret); - goto out; - } - - params_data = gnutls_malloc (params_data_size); - if (!params_data) - { - fprintf (stderr, "gnutls_malloc %d\n", ret); - goto out; - } - - ret = gnutls_dh_params_export_pkcs3 (dh_params, - GNUTLS_X509_FMT_PEM, - params_data, ¶ms_data_size); - if (ret) - { - fprintf (stderr, "gnutls_dh_params_export_pkcs3-2 %d\n", ret); - goto out; - } - - printf (" - PKCS#3 format:\n\n%.*s\n", (int) params_data_size, - params_data); - - out: - gnutls_free (params_data); - gnutls_free (raw_prime.data); - gnutls_free (raw_gen.data); - gnutls_dh_params_deinit (dh_params); - } + ret = gnutls_dh_params_init (&dh_params); + if (ret) + { + fprintf (stderr, "gnutls_dh_params_init %d\n", ret); + goto out; + } + + ret = + gnutls_dh_params_import_raw (dh_params, &raw_prime, + &raw_gen); + if (ret) + { + fprintf (stderr, "gnutls_dh_params_import_raw %d\n", ret); + goto out; + } + + ret = gnutls_dh_params_export_pkcs3 (dh_params, + GNUTLS_X509_FMT_PEM, + params_data, + ¶ms_data_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) + { + fprintf (stderr, "gnutls_dh_params_export_pkcs3 %d\n", + ret); + goto out; + } + + params_data = gnutls_malloc (params_data_size); + if (!params_data) + { + fprintf (stderr, "gnutls_malloc %d\n", ret); + goto out; + } + + ret = gnutls_dh_params_export_pkcs3 (dh_params, + GNUTLS_X509_FMT_PEM, + params_data, + ¶ms_data_size); + if (ret) + { + fprintf (stderr, "gnutls_dh_params_export_pkcs3-2 %d\n", + ret); + goto out; + } + + printf (" - PKCS#3 format:\n\n%.*s\n", (int) params_data_size, + params_data); + + out: + gnutls_free (params_data); + gnutls_free (raw_prime.data); + gnutls_free (raw_gen.data); + gnutls_dh_params_deinit (dh_params); + } } static void print_ecdh_info (gnutls_session_t session, const char *str) { -int curve; + int curve; + + printf ("- %sEC Diffie-Hellman parameters\n", str); - printf ("- %sEC Diffie-Hellman parameters\n", str); - - curve = gnutls_ecc_curve_get(session); - - printf (" - Using curve: %s\n", gnutls_ecc_curve_get_name (curve)); - printf (" - Curve size: %d bits\n", gnutls_ecc_curve_get_size(curve)*8); + curve = gnutls_ecc_curve_get (session); + + printf (" - Using curve: %s\n", gnutls_ecc_curve_get_name (curve)); + printf (" - Curve size: %d bits\n", + gnutls_ecc_curve_get_size (curve) * 8); } int print_info (gnutls_session_t session, const char *hostname, int insecure) { - const char *tmp; - gnutls_credentials_type_t cred; - gnutls_kx_algorithm_t kx; - unsigned char session_id[33]; - size_t session_id_size = sizeof(session_id); - - /* print session ID */ - gnutls_session_get_id (session, session_id, &session_id_size); - printf("- Session ID: %s\n", raw_to_string(session_id, session_id_size)); - - /* print the key exchange's algorithm name - */ - kx = gnutls_kx_get (session); - - cred = gnutls_auth_get_type (session); - switch (cred) - { + const char *tmp; + gnutls_credentials_type_t cred; + gnutls_kx_algorithm_t kx; + unsigned char session_id[33]; + size_t session_id_size = sizeof (session_id); + + /* print session ID */ + gnutls_session_get_id (session, session_id, &session_id_size); + printf ("- Session ID: %s\n", + raw_to_string (session_id, session_id_size)); + + /* print the key exchange's algorithm name + */ + kx = gnutls_kx_get (session); + + cred = gnutls_auth_get_type (session); + switch (cred) + { #ifdef ENABLE_ANON - case GNUTLS_CRD_ANON: - if (kx == GNUTLS_KX_ANON_ECDH) - print_ecdh_info(session, "Anonymous "); - else - print_dh_info (session, "Anonymous "); - break; + case GNUTLS_CRD_ANON: + if (kx == GNUTLS_KX_ANON_ECDH) + print_ecdh_info (session, "Anonymous "); + else + print_dh_info (session, "Anonymous "); + break; #endif #ifdef ENABLE_SRP - case GNUTLS_CRD_SRP: - /* This should be only called in server - * side. - */ - if (gnutls_srp_server_get_username (session) != NULL) - printf ("- SRP authentication. Connected as '%s'\n", - gnutls_srp_server_get_username (session)); - break; + case GNUTLS_CRD_SRP: + /* This should be only called in server + * side. + */ + if (gnutls_srp_server_get_username (session) != NULL) + printf ("- SRP authentication. Connected as '%s'\n", + gnutls_srp_server_get_username (session)); + break; #endif #ifdef ENABLE_PSK - case GNUTLS_CRD_PSK: - /* This returns NULL in server side. - */ - if (gnutls_psk_client_get_hint (session) != NULL) - printf ("- PSK authentication. PSK hint '%s'\n", - gnutls_psk_client_get_hint (session)); - /* This returns NULL in client side. - */ - if (gnutls_psk_server_get_username (session) != NULL) - printf ("- PSK authentication. Connected as '%s'\n", - gnutls_psk_server_get_username (session)); - if (kx == GNUTLS_KX_DHE_PSK) - print_dh_info (session, "Ephemeral "); - if (kx == GNUTLS_KX_ECDHE_PSK) - print_ecdh_info(session, "Ephemeral "); - break; + case GNUTLS_CRD_PSK: + /* This returns NULL in server side. + */ + if (gnutls_psk_client_get_hint (session) != NULL) + printf ("- PSK authentication. PSK hint '%s'\n", + gnutls_psk_client_get_hint (session)); + /* This returns NULL in client side. + */ + if (gnutls_psk_server_get_username (session) != NULL) + printf ("- PSK authentication. Connected as '%s'\n", + gnutls_psk_server_get_username (session)); + if (kx == GNUTLS_KX_DHE_PSK) + print_dh_info (session, "Ephemeral "); + if (kx == GNUTLS_KX_ECDHE_PSK) + print_ecdh_info (session, "Ephemeral "); + break; #endif - case GNUTLS_CRD_IA: - printf ("- TLS/IA authentication\n"); - break; - case GNUTLS_CRD_CERTIFICATE: - { - char dns[256]; - size_t dns_size = sizeof (dns); - unsigned int type; - - /* This fails in client side */ - if (gnutls_server_name_get (session, dns, &dns_size, &type, 0) == 0) + case GNUTLS_CRD_IA: + printf ("- TLS/IA authentication\n"); + break; + case GNUTLS_CRD_CERTIFICATE: { - printf ("- Given server name[%d]: %s\n", type, dns); + char dns[256]; + size_t dns_size = sizeof (dns); + unsigned int type; + + /* This fails in client side */ + if (gnutls_server_name_get + (session, dns, &dns_size, &type, 0) == 0) + { + printf ("- Given server name[%d]: %s\n", type, dns); + } } - } - print_cert_info (session, hostname, insecure); + print_cert_info (session, hostname, insecure); - print_cert_vrfy (session); + print_cert_vrfy (session); - if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) - print_dh_info (session, "Ephemeral "); - else if (kx == GNUTLS_KX_ECDHE_RSA || kx == GNUTLS_KX_ECDHE_ECDSA) - print_ecdh_info(session, "Ephemeral "); - } + if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) + print_dh_info (session, "Ephemeral "); + else if (kx == GNUTLS_KX_ECDHE_RSA + || kx == GNUTLS_KX_ECDHE_ECDSA) + print_ecdh_info (session, "Ephemeral "); + } - tmp = SU (gnutls_protocol_get_name (gnutls_protocol_get_version (session))); - printf ("- Version: %s\n", tmp); + tmp = + SU (gnutls_protocol_get_name + (gnutls_protocol_get_version (session))); + printf ("- Version: %s\n", tmp); - tmp = SU (gnutls_kx_get_name (kx)); - printf ("- Key Exchange: %s\n", tmp); + tmp = SU (gnutls_kx_get_name (kx)); + printf ("- Key Exchange: %s\n", tmp); - tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session))); - printf ("- Cipher: %s\n", tmp); + tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session))); + printf ("- Cipher: %s\n", tmp); - tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session))); - printf ("- MAC: %s\n", tmp); + tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session))); + printf ("- MAC: %s\n", tmp); - tmp = SU (gnutls_compression_get_name (gnutls_compression_get (session))); - printf ("- Compression: %s\n", tmp); + tmp = + SU (gnutls_compression_get_name + (gnutls_compression_get (session))); + printf ("- Compression: %s\n", tmp); - if (verbose) - { - gnutls_datum_t cb; - int rc; - - rc = - gnutls_session_channel_binding (session, GNUTLS_CB_TLS_UNIQUE, &cb); - if (rc) - fprintf (stderr, "Channel binding error: %s\n", gnutls_strerror (rc)); - else - { - size_t i; - - printf ("- Channel binding 'tls-unique': "); - for (i = 0; i < cb.size; i++) - printf ("%02x", cb.data[i]); - printf ("\n"); - } - } + if (verbose) + { + gnutls_datum_t cb; + int rc; + + rc = gnutls_session_channel_binding (session, + GNUTLS_CB_TLS_UNIQUE, &cb); + if (rc) + fprintf (stderr, "Channel binding error: %s\n", + gnutls_strerror (rc)); + else + { + size_t i; - /* Warning: Do not print anything more here. The 'Compression:' - output MUST be the last non-verbose output. This is used by - Emacs starttls.el code. */ + printf ("- Channel binding 'tls-unique': "); + for (i = 0; i < cb.size; i++) + printf ("%02x", cb.data[i]); + printf ("\n"); + } + } - fflush (stdout); + /* Warning: Do not print anything more here. The 'Compression:' + output MUST be the last non-verbose output. This is used by + Emacs starttls.el code. */ - return 0; + fflush (stdout); + + return 0; } void -print_cert_info (gnutls_session_t session, const char *hostname, int insecure) +print_cert_info (gnutls_session_t session, const char *hostname, + int insecure) { - if (gnutls_certificate_client_get_request_status (session) != 0) - printf ("- Server has requested a certificate.\n"); + if (gnutls_certificate_client_get_request_status (session) != 0) + printf ("- Server has requested a certificate.\n"); - printf ("- Certificate type: "); - switch (gnutls_certificate_type_get (session)) - { - case GNUTLS_CRT_UNKNOWN: - printf ("Unknown\n"); - - if (!insecure) - exit (1); - break; - case GNUTLS_CRT_X509: - printf ("X.509\n"); - print_x509_info (session, hostname, insecure); - break; + printf ("- Certificate type: "); + switch (gnutls_certificate_type_get (session)) + { + case GNUTLS_CRT_UNKNOWN: + printf ("Unknown\n"); + + if (!insecure) + exit (1); + break; + case GNUTLS_CRT_X509: + printf ("X.509\n"); + print_x509_info (session, hostname, insecure); + break; #ifdef ENABLE_OPENPGP - case GNUTLS_CRT_OPENPGP: - printf ("OpenPGP\n"); - print_openpgp_info (session, hostname, insecure); - break; + case GNUTLS_CRT_OPENPGP: + printf ("OpenPGP\n"); + print_openpgp_info (session, hostname, insecure); + break; #endif - } + } } void -print_list (const char* priorities, int verbose) +print_list (const char *priorities, int verbose) { size_t i; int ret; @@ -575,188 +621,279 @@ print_list (const char* priorities, int verbose) gnutls_mac_algorithm_t mac; gnutls_protocol_t version; gnutls_priority_t pcache; + const unsigned int *list; if (priorities != NULL) { - printf ("Cipher suites for %s\n", priorities); - - ret = gnutls_priority_init(&pcache, priorities, &err); - if (ret < 0) + printf ("Cipher suites for %s\n", priorities); + + ret = gnutls_priority_init (&pcache, priorities, &err); + if (ret < 0) + { + fprintf (stderr, "Syntax error at: %s\n", err); + exit (1); + } + + for (i = 0;; i++) + { + ret = + gnutls_priority_get_cipher_suite_index (pcache, i, + &idx); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) + continue; + + name = + gnutls_cipher_suite_info (idx, id, NULL, NULL, NULL, + &version); + + if (name != NULL) + printf ("%-50s\t0x%02x, 0x%02x\t%s\n", + name, (unsigned char) id[0], + (unsigned char) id[1], + gnutls_protocol_get_name (version)); + } + + printf("\n"); { - fprintf (stderr, "Syntax error at: %s\n", err); - exit(1); + ret = gnutls_priority_certificate_type_list (pcache, &list); + + printf ("Certificate types: "); + if (ret == 0) printf("none\n"); + for (i = 0; i < (unsigned)ret; i++) + { + printf ("CTYPE-%s", + gnutls_certificate_type_get_name (list[i])); + if (i+1!=(unsigned)ret) + printf (", "); + else + printf ("\n"); + } + } + + { + ret = gnutls_priority_protocol_list (pcache, &list); + + printf ("Protocols: "); + if (ret == 0) printf("none\n"); + for (i = 0; i < (unsigned)ret; i++) + { + printf ("VERS-%s", gnutls_protocol_get_name (list[i])); + if (i+1!=(unsigned)ret) + printf (", "); + else + printf ("\n"); + } + } + + { + ret = gnutls_priority_compression_list (pcache, &list); + + printf ("Compression: "); + if (ret == 0) printf("none\n"); + for (i = 0; i < (unsigned)ret; i++) + { + printf ("COMP-%s", + gnutls_compression_get_name (list[i])); + if (i+1!=(unsigned)ret) + printf (", "); + else + printf ("\n"); + } } - - for (i=0;;i++) + { - ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; - if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) continue; - - name = gnutls_cipher_suite_info(idx, id, NULL, NULL, NULL, &version); - - if (name != NULL) - printf ("%-50s\t0x%02x, 0x%02x\t%s\n", - name, (unsigned char) id[0], (unsigned char) id[1], - gnutls_protocol_get_name (version)); + ret = gnutls_priority_ecc_curve_list (pcache, &list); + + printf ("Elliptic curves: "); + if (ret == 0) printf("none\n"); + for (i = 0; i < (unsigned)ret; i++) + { + printf ("CURVE-%s", + gnutls_ecc_curve_get_name (list[i])); + if (i+1!=(unsigned)ret) + printf (", "); + else + printf ("\n"); + } } - - return; + + { + ret = gnutls_priority_sign_list (pcache, &list); + + printf ("PK-signatures: "); + if (ret == 0) printf("none\n"); + for (i = 0; i < (unsigned)ret; i++) + { + printf ("SIGN-%s", + gnutls_sign_algorithm_get_name (list[i])); + if (i+1!=(unsigned)ret) + printf (", "); + else + printf ("\n"); + } + } + + return; } printf ("Cipher suites:\n"); for (i = 0; (name = gnutls_cipher_suite_info (i, id, &kx, &cipher, &mac, &version)); i++) { - printf ("%-50s\t0x%02x, 0x%02x\t%s\n", - name, - (unsigned char) id[0], (unsigned char) id[1], - gnutls_protocol_get_name (version)); - if (verbose) - printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n", - gnutls_kx_get_name (kx), - gnutls_cipher_get_name (cipher), gnutls_mac_get_name (mac)); + printf ("%-50s\t0x%02x, 0x%02x\t%s\n", + name, + (unsigned char) id[0], (unsigned char) id[1], + gnutls_protocol_get_name (version)); + if (verbose) + printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n", + gnutls_kx_get_name (kx), + gnutls_cipher_get_name (cipher), + gnutls_mac_get_name (mac)); } - { - const gnutls_certificate_type_t *p = gnutls_certificate_type_list (); + printf("\n"); + { + const gnutls_certificate_type_t *p = + gnutls_certificate_type_list (); - printf ("Certificate types: "); - for (; *p; p++) - { - printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("Certificate types: "); + for (; *p; p++) + { + printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_protocol_t *p = gnutls_protocol_list (); + { + const gnutls_protocol_t *p = gnutls_protocol_list (); - printf ("Protocols: "); - for (; *p; p++) - { - printf ("VERS-%s", gnutls_protocol_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("Protocols: "); + for (; *p; p++) + { + printf ("VERS-%s", gnutls_protocol_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_cipher_algorithm_t *p = gnutls_cipher_list (); + { + const gnutls_cipher_algorithm_t *p = gnutls_cipher_list (); - printf ("Ciphers: "); - for (; *p; p++) - { - printf ("%s", gnutls_cipher_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("Ciphers: "); + for (; *p; p++) + { + printf ("%s", gnutls_cipher_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_mac_algorithm_t *p = gnutls_mac_list (); + { + const gnutls_mac_algorithm_t *p = gnutls_mac_list (); - printf ("MACs: "); - for (; *p; p++) - { - printf ("%s", gnutls_mac_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("MACs: "); + for (; *p; p++) + { + printf ("%s", gnutls_mac_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_kx_algorithm_t *p = gnutls_kx_list (); + { + const gnutls_kx_algorithm_t *p = gnutls_kx_list (); - printf ("Key exchange algorithms: "); - for (; *p; p++) - { - printf ("%s", gnutls_kx_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("Key exchange algorithms: "); + for (; *p; p++) + { + printf ("%s", gnutls_kx_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_compression_method_t *p = gnutls_compression_list (); + { + const gnutls_compression_method_t *p = gnutls_compression_list (); - printf ("Compression: "); - for (; *p; p++) - { - printf ("COMP-%s", gnutls_compression_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("Compression: "); + for (; *p; p++) + { + printf ("COMP-%s", gnutls_compression_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list (); + { + const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list (); - printf ("Elliptic curves: "); - for (; *p; p++) - { - printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("Elliptic curves: "); + for (; *p; p++) + { + printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_pk_algorithm_t *p = gnutls_pk_list (); + { + const gnutls_pk_algorithm_t *p = gnutls_pk_list (); - printf ("Public Key Systems: "); - for (; *p; p++) - { - printf ("%s", gnutls_pk_algorithm_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("Public Key Systems: "); + for (; *p; p++) + { + printf ("%s", gnutls_pk_algorithm_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } - { - const gnutls_sign_algorithm_t *p = gnutls_sign_list (); + { + const gnutls_sign_algorithm_t *p = gnutls_sign_list (); - printf ("PK-signatures: "); - for (; *p; p++) - { - printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p)); - if (*(p + 1)) - printf (", "); - else - printf ("\n"); - } - } + printf ("PK-signatures: "); + for (; *p; p++) + { + printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p)); + if (*(p + 1)) + printf (", "); + else + printf ("\n"); + } + } } void sockets_init (void) { #ifdef _WIN32 - WORD wVersionRequested; - WSADATA wsaData; + WORD wVersionRequested; + WSADATA wsaData; - wVersionRequested = MAKEWORD (1, 1); - if (WSAStartup (wVersionRequested, &wsaData) != 0) - { - perror ("WSA_STARTUP_ERROR"); - } + wVersionRequested = MAKEWORD (1, 1); + if (WSAStartup (wVersionRequested, &wsaData) != 0) + { + perror ("WSA_STARTUP_ERROR"); + } #endif } @@ -768,20 +905,19 @@ sockets_init (void) int service_to_port (const char *service) { - int port; - struct servent *server_port; + int port; + struct servent *server_port; - port = atoi (service); - if (port != 0) - return port; + port = atoi (service); + if (port != 0) + return port; - server_port = getservbyname (service, "tcp"); - if (server_port == NULL) - { - perror ("getservbyname()"); - return (-1); - } + server_port = getservbyname (service, "tcp"); + if (server_port == NULL) + { + perror ("getservbyname()"); + return (-1); + } - return ntohs (server_port->s_port); + return ntohs (server_port->s_port); } - |