-rw-r--r--doc/Makefile.am42
-rw-r--r--doc/cha-functions.texi9
-rw-r--r--doc/cha-gtls-examples.texi27
-rw-r--r--doc/doc.mk2
-rw-r--r--doc/examples/Makefile.am5
-rw-r--r--doc/examples/ex-client-xssl1.c82
-rw-r--r--doc/examples/ex-client-xssl2.c99
-rw-r--r--doc/manpages/Makefile.am12
-rw-r--r--lib/Makefile.am16
-rw-r--r--lib/includes/Makefile.am3
-rw-r--r--lib/includes/gnutls/xssl.h125
-rw-r--r--lib/xssl.c739
-rw-r--r--lib/xssl.h26
-rw-r--r--lib/xssl_getline.c125
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/mini-xssl.c397
16 files changed, 7 insertions, 1704 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 73fe681713..aa1f2feb5a 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -202,8 +202,7 @@ MAINTAINERCLEANFILES =
API_FILES=gnutls-api.texi x509-api.texi pgp-api.texi pkcs12-api.texi \
tpm-api.texi pkcs11-api.texi abstract-api.texi compat-api.texi \
- dtls-api.texi crypto-api.texi ocsp-api.texi tpm-api.texi dane-api.texi \
- xssl-api.texi
+ dtls-api.texi crypto-api.texi ocsp-api.texi tpm-api.texi dane-api.texi
clean-local:
-rm -f stamp_enums stamp_functions
@@ -247,17 +246,6 @@ x509-api.texi: $(top_srcdir)/lib/includes/gnutls/x509.h
done
mv -f $@-tmp $@
-xssl-api.texi: $(top_srcdir)/lib/includes/gnutls/xssl.h
- echo "" > $@-tmp
- for i in `$(top_srcdir)/doc/scripts/getfuncs.pl < $< |sort|uniq`; do \
- echo $(ECHO_N) "Creating documentation for $$i... " && \
- $(srcdir)/scripts/gdoc -texinfo \
- -function $$i \
- $(C_SOURCE_FILES) >> $@-tmp 2>/dev/null && \
- echo "ok"; \
- done
- mv -f $@-tmp $@
-
pgp-api.texi: $(top_srcdir)/lib/includes/gnutls/openpgp.h
echo "" > $@-tmp
for i in `$(top_srcdir)/doc/scripts/getfuncs.pl < $< |sort|uniq`; do \
@@ -432,11 +420,11 @@ $(FUNCS): stamp_functions
compare-exported:
rm -f tmp-exp-$@ tmp-head-$@
for i in ../libdane/includes/gnutls/*.h ../lib/includes/gnutls/*.h;do perl scripts/getfuncs.pl <$$i >>tmp-head-$@;done
- sort -u tmp-head-$@|grep -v ^xssl > tmp2-head-$@
+ sort -u tmp-head-$@ > tmp2-head-$@
mv tmp2-head-$@ tmp-head-$@
scripts/getfuncs-map.pl <../lib/libgnutls.map >tmp-exp-$@
scripts/getfuncs-map.pl <../libdane/libdane.map >>tmp-exp-$@
- sort -u tmp-exp-$@|grep -v ^xssl > tmp2-exp-$@
+ sort -u tmp-exp-$@ > tmp2-exp-$@
mv tmp2-exp-$@ tmp-exp-$@
diff -u tmp-exp-$@ tmp-head-$@
rm -f tmp-exp-$@ tmp-head-$@
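Review bot: With the `grep -v ^xssl` filter gone, the two-step `sort -u tmp-head-$@ > tmp2-head-$@` followed by `mv tmp2-head-$@ tmp-head-$@` no longer needs the intermediate file; `sort -u -o tmp-head-$@ tmp-head-$@` (and likewise `sort -u -o tmp-exp-$@ tmp-exp-$@`) sorts in place and lets the two `mv` lines be dropped. The intermediate name was only justified while a pipeline sat between `sort` and the output. As far as the hunk shows, this is now the only guard that the symbols exported by the linker maps match the public headers, so an xssl declaration left behind in any header would fail `diff -u` rather than be silently exempted, which is the intended effect of the change. The `rm -f` on the last line appears to end the compare-exported recipe, though that cannot be confirmed from the hunk alone.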
@@ -2379,27 +2367,3 @@ FUNCS += functions/gnutls_x509_trust_list_verify_crt
FUNCS += functions/gnutls_x509_trust_list_verify_crt.short
FUNCS += functions/gnutls_x509_trust_list_verify_named_crt
FUNCS += functions/gnutls_x509_trust_list_verify_named_crt.short
-FUNCS += functions/xssl_client_init
-FUNCS += functions/xssl_client_init.short
-FUNCS += functions/xssl_cred_deinit
-FUNCS += functions/xssl_cred_deinit.short
-FUNCS += functions/xssl_cred_init
-FUNCS += functions/xssl_cred_init.short
-FUNCS += functions/xssl_deinit
-FUNCS += functions/xssl_deinit.short
-FUNCS += functions/xssl_flush
-FUNCS += functions/xssl_flush.short
-FUNCS += functions/xssl_getdelim
-FUNCS += functions/xssl_getdelim.short
-FUNCS += functions/xssl_get_session
-FUNCS += functions/xssl_get_session.short
-FUNCS += functions/xssl_printf
-FUNCS += functions/xssl_printf.short
-FUNCS += functions/xssl_read
-FUNCS += functions/xssl_read.short
-FUNCS += functions/xssl_server_init
-FUNCS += functions/xssl_server_init.short
-FUNCS += functions/xssl_sinit
-FUNCS += functions/xssl_sinit.short
-FUNCS += functions/xssl_write
-FUNCS += functions/xssl_write.short
diff --git a/doc/cha-functions.texi b/doc/cha-functions.texi
index 6af6ded8cb..da86cc4b2c 100644
--- a/doc/cha-functions.texi
+++ b/doc/cha-functions.texi
@@ -4,7 +4,6 @@
@menu
* Core TLS API::
-* High level TLS API::
* Datagram TLS API::
* X509 certificate API::
* OCSP API::
@@ -26,14 +25,6 @@ The prototypes for the following functions lie in
@include gnutls-api.texi
-@node High level TLS API
-@section High level TLS API
-
-The prototypes for the following functions lie in
-@file{gnutls/xssl.h}.
-
-@include xssl-api.texi
-
@node Datagram TLS API
@section Datagram TLS API
diff --git a/doc/cha-gtls-examples.texi b/doc/cha-gtls-examples.texi
index e01c078602..7615f92041 100644
--- a/doc/cha-gtls-examples.texi
+++ b/doc/cha-gtls-examples.texi
@@ -13,7 +13,6 @@ no error checking.
* Server examples::
* OCSP example::
* Miscellaneous examples::
-* XSSL examples::
@end menu
@node Client examples
@@ -290,29 +289,3 @@ such a structure.
@verbatiminclude examples/ex-pkcs12.c
-@node XSSL examples
-@section XSSL examples
-
-XSSL is an experimental API available in the @code{gnutls-xssl} library
-and in @code{gnutls/xssl.h} header. It is intended to be a very simple
-to use API avoid the GnuTLS API. The API however has the following limitations
-@itemize
-@item It is applicable to blocking sockets only.
-@item The server verification is based on its DNS name.
-@end itemize
-
-@menu
-* Example client with X.509 certificate authentication::
-* Example client with X.509 certificate authentication and TOFU::
-@end menu
-
-@node Example client with X.509 certificate authentication
-@subsection Example client with X.509 certificate authentication
-
-@verbatiminclude examples/ex-client-xssl1.c
-
-@node Example client with X.509 certificate authentication and TOFU
-@subsection Example client with X.509 certificate authentication and TOFU
-
-@verbatiminclude examples/ex-client-xssl2.c
-
diff --git a/doc/doc.mk b/doc/doc.mk
index ac24d17e0b..6f67f61d9d 100644
--- a/doc/doc.mk
+++ b/doc/doc.mk
@@ -24,6 +24,6 @@ HEADER_FILES = $(top_srcdir)/lib/includes/gnutls/gnutls.h.in \
$(top_srcdir)/lib/includes/gnutls/abstract.h $(top_srcdir)/lib/includes/gnutls/compat.h \
$(top_srcdir)/lib/includes/gnutls/dtls.h $(top_srcdir)/lib/includes/gnutls/crypto.h \
$(top_srcdir)/lib/includes/gnutls/ocsp.h $(top_srcdir)/lib/includes/gnutls/tpm.h \
- $(top_srcdir)/libdane/includes/gnutls/dane.h $(top_srcdir)/lib/includes/gnutls/xssl.h
+ $(top_srcdir)/libdane/includes/gnutls/dane.h
C_SOURCE_FILES = $(top_srcdir)/lib/*/*.c $(top_srcdir)/lib/*.c $(top_srcdir)/libdane/*.c
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index 959a9e52cb..ce0ef19111 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -44,15 +44,12 @@ CXX_LDADD = ../../lib/libgnutlsxx.la \
noinst_PROGRAMS = ex-client-resume ex-client-dtls
noinst_PROGRAMS += ex-cert-select ex-client-x509
-noinst_PROGRAMS += ex-serv-dtls ex-client-xssl1 ex-client-xssl2
+noinst_PROGRAMS += ex-serv-dtls
noinst_PROGRAMS += print-ciphersuites
if ENABLE_OCSP
noinst_PROGRAMS += ex-serv-x509
endif
-ex_client_xssl1_LDADD = $(LDADD) ../../lib/libgnutls-xssl.la
-ex_client_xssl2_LDADD = $(LDADD) ../../lib/libgnutls-xssl.la
-
if ENABLE_CXX
ex_cxx_SOURCES = ex-cxx.cpp
ex_cxx_LDADD = $(CXX_LDADD)
diff --git a/doc/examples/ex-client-xssl1.c b/doc/examples/ex-client-xssl1.c
deleted file mode 100644
index a50b4123a8..0000000000
--- a/doc/examples/ex-client-xssl1.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/* This example code is placed in the public domain. */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/xssl.h>
-#include "examples.h"
-
-/* A simple TLS client, with X.509 authentication. Certificate verification
- * is explicit.
- */
-
-extern int tcp_connect(void);
-extern void tcp_close(int sd);
-
-int main(void)
-{
- int ret;
- char *line = NULL;
- size_t line_len;
- xssl_cred_t cred;
- xssl_t sb;
- unsigned int status;
- int fd;
-
- gnutls_global_init();
-
- fd = tcp_connect();
-
- ret = xssl_cred_init(&cred, GNUTLS_VMETHOD_SYSTEM_CAS, NULL, 0);
- if (ret < 0)
- exit(1);
-
- /* Initialize TLS session
- */
- ret = xssl_client_init(&sb, "www.example.com", NULL,
- (gnutls_transport_ptr_t) fd,
- NULL, cred, &status, 0);
- if (ret < 0) {
- if (ret == GNUTLS_E_AUTH_ERROR) {
- gnutls_datum_t txt;
-
- gnutls_certificate_verification_status_print
- (status, GNUTLS_CRT_X509, &txt, 0);
-
- fprintf(stderr, "Verification error (%x): %s\n",
- status, txt.data);
- gnutls_free(txt.data);
- }
- exit(1);
- }
-#define REQ "GET / HTTP/1.0\r\n"
- ret = xssl_write(sb, REQ, sizeof(REQ) - 1);
- if (ret < 0)
- exit(1);
-
- do {
- ret = xssl_getline(sb, &line, &line_len);
- if (ret < 0)
- exit(1);
-
- fprintf(stderr, "received: %s\n", line);
- }
- while (ret >= 0);
-
- gnutls_free(line);
-
- xssl_deinit(sb);
-
- tcp_close(fd);
-
- xssl_cred_deinit(cred);
-
- gnutls_global_deinit();
-
- return 0;
-}
diff --git a/doc/examples/ex-client-xssl2.c b/doc/examples/ex-client-xssl2.c
deleted file mode 100644
index f457f315c4..0000000000
--- a/doc/examples/ex-client-xssl2.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* This example code is placed in the public domain. */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/xssl.h>
-#include "examples.h"
-
-/* A simple TLS client, with X.509 authentication. Certificate verification
- * with a fixed CA, and trust on first use.
- */
-
-extern int tcp_connect(void);
-extern void tcp_close(int sd);
-
-int main(void)
-{
- int ret;
- char *line = NULL;
- size_t line_len;
- xssl_cred_t cred;
- xssl_t sb;
- gnutls_cinput_st aux[2];
- unsigned aux_size = 0;
- unsigned int status;
- int fd;
-
- gnutls_global_init();
-
- fd = tcp_connect();
-
- aux[aux_size].type = GNUTLS_CINPUT_TYPE_FILE;
- aux[aux_size].contents = GNUTLS_CINPUT_CAS;
- aux[aux_size].fmt = GNUTLS_X509_FMT_PEM;
- aux[aux_size].i1.file = "/path/to/ca/file";
- aux_size++;
-
- /* This may be skipped to use the default DB file */
- aux[aux_size].type = GNUTLS_CINPUT_TYPE_FILE;
- aux[aux_size].contents = GNUTLS_CINPUT_TOFU_DB;
- aux[aux_size].i1.file = "/path/to/trust/db/file";
- aux_size++;
-
- ret =
- xssl_cred_init(&cred,
- GNUTLS_VMETHOD_GIVEN_CAS | GNUTLS_VMETHOD_TOFU,
- aux, aux_size);
- if (ret < 0)
- exit(1);
-
- /* Initialize TLS session
- */
- ret = xssl_client_init(&sb, "www.example.com", NULL,
- (gnutls_transport_ptr_t) fd,
- NULL, cred, &status, 0);
- if (ret < 0) {
- if (ret == GNUTLS_E_AUTH_ERROR) {
- gnutls_datum_t txt;
-
- gnutls_certificate_verification_status_print
- (status, GNUTLS_CRT_X509, &txt, 0);
-
- fprintf(stderr, "Verification error (%x): %s\n",
- status, txt.data);
- gnutls_free(txt.data);
- }
- exit(1);
- }
-#define REQ "GET / HTTP/1.0\r\n"
- ret = xssl_write(sb, REQ, sizeof(REQ) - 1);
- if (ret < 0)
- exit(1);
-
- do {
- ret = xssl_getline(sb, &line, &line_len);
- if (ret < 0)
- exit(1);
-
- fprintf(stderr, "received: %s\n", line);
- }
- while (ret >= 0);
-
- gnutls_free(line);
-
- xssl_deinit(sb);
-
- tcp_close(fd);
-
- xssl_cred_deinit(cred);
-
- gnutls_global_deinit();
-
- return 0;
-}
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index dfdf9abe22..c7acbd2adb 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -977,18 +977,6 @@ APIMANS += gnutls_x509_trust_list_remove_trust_file.3
APIMANS += gnutls_x509_trust_list_remove_trust_mem.3
APIMANS += gnutls_x509_trust_list_verify_crt.3
APIMANS += gnutls_x509_trust_list_verify_named_crt.3
-APIMANS += xssl_client_init.3
-APIMANS += xssl_cred_deinit.3
-APIMANS += xssl_cred_init.3
-APIMANS += xssl_deinit.3
-APIMANS += xssl_flush.3
-APIMANS += xssl_getdelim.3
-APIMANS += xssl_get_session.3
-APIMANS += xssl_printf.3
-APIMANS += xssl_read.3
-APIMANS += xssl_server_init.3
-APIMANS += xssl_sinit.3
-APIMANS += xssl_write.3
dist_man_MANS += $(APIMANS)
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 395ac7cdbe..e2432dc2c4 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -207,19 +207,3 @@ gnutls_asn1_tab.c: $(srcdir)/gnutls.asn
priority_options.h: $(srcdir)/priority_options.gperf
-gperf -t $^ > $@
-libgnutls_xssl_la_LDFLAGS = -no-undefined -export-symbols-regex '^xssl.*'
-
-lib_LTLIBRARIES += libgnutls-xssl.la
-
-libgnutls_xssl_la_SOURCES = xssl.c xssl_getline.c xssl.h vasprintf.c vasprintf.h
-
-libgnutls_xssl_la_LIBADD = ../gl/libgnu.la libgnutls.la
-
-libgnutls_xssl_la_LDFLAGS += -version-info $(LT_XSSL_CURRENT):$(LT_XSSL_REVISION):$(LT_XSSL_AGE)
-
-if HAVE_LD_OUTPUT_DEF
-libgnutls_xssl_la_LDFLAGS += \
- -Wl,--output-def,libgnutls-xssl-$(DLL_VERSION).def
-libgnutls-xssl-$(DLL_VERSION).def: libgnutls-xssl.la
-defexec_DATA += libgnutls-xssl-$(DLL_VERSION).def
-endif
diff --git a/lib/includes/Makefile.am b/lib/includes/Makefile.am
index 2fb86094c6..bf32cdb4c8 100644
--- a/lib/includes/Makefile.am
+++ b/lib/includes/Makefile.am
@@ -20,8 +20,7 @@
nobase_include_HEADERS = gnutls/x509.h gnutls/pkcs12.h gnutls/compat.h \
gnutls/openpgp.h gnutls/crypto.h gnutls/pkcs11.h \
- gnutls/abstract.h gnutls/dtls.h gnutls/ocsp.h gnutls/tpm.h \
- gnutls/xssl.h
+ gnutls/abstract.h gnutls/dtls.h gnutls/ocsp.h gnutls/tpm.h
if ENABLE_CXX
nobase_include_HEADERS += gnutls/gnutlsxx.h
diff --git a/lib/includes/gnutls/xssl.h b/lib/includes/gnutls/xssl.h
deleted file mode 100644
index f9d2bce2fa..0000000000
--- a/lib/includes/gnutls/xssl.h
+++ /dev/null
@@ -1,125 +0,0 @@
-/* -*- c -*-
- * Copyright (C) 2013 Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * The GnuTLS library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-#ifndef GNUTLS_SBUF_H
-#define GNUTLS_SBUF_H
-
-/* *INDENT-OFF* */
-#ifdef __cplusplus
-extern "C" {
-#endif
-/* *INDENT-ON* */
-
-#include <gnutls/gnutls.h>
-
-/* Buffered session I/O */
-typedef struct xssl_st *xssl_t;
-typedef struct xssl_cred_st *xssl_cred_t;
-
-ssize_t xssl_printf(xssl_t sb, const char *fmt, ...)
-#ifdef __GNUC__
- __attribute__ ((format(printf, 2, 3)))
-#endif
- ;
-
-ssize_t xssl_write(xssl_t sb, const void *data, size_t data_size);
-
-ssize_t xssl_flush(xssl_t sb);
-
-ssize_t xssl_read(xssl_t sb, void *data, size_t data_size);
-
-ssize_t
-xssl_getdelim(xssl_t sbuf, char **lineptr, size_t * n, int delimiter);
-
-#define xssl_getline(sbuf, ptr, n) xssl_getdelim(sbuf, ptr, n, '\n')
-
-void xssl_deinit(xssl_t sb);
-
-#define GNUTLS_SBUF_WRITE_FLUSHES (1<<0)
-int xssl_sinit(xssl_t * isb, gnutls_session_t session, unsigned int flags);
-
-gnutls_session_t xssl_get_session(xssl_t sb);
-
-int xssl_client_init(xssl_t * isb, const char *hostname,
- const char *service,
- gnutls_transport_ptr fd,
- const char *priority, xssl_cred_t cred,
- unsigned int *status, unsigned int flags);
-
-int xssl_server_init(xssl_t * isb,
- gnutls_transport_ptr fd,
- const char *priority, xssl_cred_t cred,
- unsigned int *status, unsigned int flags);
-
-/* High level credential structures */
-typedef enum {
- GNUTLS_VMETHOD_NO_AUTH = 0,
- GNUTLS_VMETHOD_TOFU = 1 << 0,
- GNUTLS_VMETHOD_GIVEN_CAS = 1 << 1,
- GNUTLS_VMETHOD_SYSTEM_CAS = 1 << 2
-} gnutls_vmethod_t;
-
-typedef enum {
- GNUTLS_CINPUT_TYPE_FILE = 0,
- GNUTLS_CINPUT_TYPE_MEM = 1,
- GNUTLS_CINPUT_TYPE_PIN_FUNC = 2,
-} gnutls_cinput_type_t;
-
-typedef enum {
- GNUTLS_CINPUT_CAS = 1, /* i1 contains the CAs */
- GNUTLS_CINPUT_CRLS = 2, /* i1 contains the CRLs */
- GNUTLS_CINPUT_TOFU_DB = 3, /* i1 contains the DB filename */
- GNUTLS_CINPUT_KEYPAIR = 4, /* i1 contains the certificate, i2 the key
- * or i1.pin_fn contains the pin function,
- * and i2.udata the user pointer */
-} gnutls_cinput_contents_t;
-
-typedef struct gnutls_cinput_st {
- gnutls_cinput_type_t type;
- gnutls_cinput_contents_t contents;
- gnutls_x509_crt_fmt_t fmt; /* if applicable */
-
- union {
- gnutls_pin_callback_t pin_fn;
- const char *file;
- gnutls_datum_t mem;
- } i1;
-
- union {
- void *udata;
- const char *file;
- gnutls_datum_t mem;
- } i2;
-
- unsigned long future_pad[8];
-} gnutls_cinput_st;
-
-int xssl_cred_init(xssl_cred_t * c, unsigned vflags,
- gnutls_cinput_st * aux, unsigned aux_size);
-void xssl_cred_deinit(xssl_cred_t cred);
-
-
-/* *INDENT-OFF* */
-#ifdef __cplusplus
-}
-#endif
-/* *INDENT-ON* */
-
-#endif /* GNUTLS_SBUF_H */
diff --git a/lib/xssl.c b/lib/xssl.c
deleted file mode 100644
index 237c6860d7..0000000000
--- a/lib/xssl.c
+++ /dev/null
@@ -1,739 +0,0 @@
-/*
- * Copyright (C) 2013 Nikos Mavrogiannopoulos
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * The gnutls library is free software; you can redistribute it
- * and/or modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-#include <gnutls_int.h>
-#include <gnutls_errors.h>
-#include <gnutls_num.h>
-#include <gnutls/xssl.h>
-#include <auth/cert.h>
-#include <fips.h>
-#include "vasprintf.h"
-
-#include <xssl.h>
-
-/**
- * xssl_cred_deinit:
- * @cred: is a #xssl_cred_t structure.
- *
- * This function deinitializes a #xssl_cred_t structure.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
- *
- * Since: 3.1.7
- **/
-void xssl_cred_deinit(xssl_cred_t cred)
-{
- if (cred->xcred)
- gnutls_certificate_free_credentials(cred->xcred);
- gnutls_free(cred);
-}
-
-
-static int _verify_certificate_callback(gnutls_session_t session)
-{
- unsigned int status;
- xssl_t sb;
- int ret, type;
- const char *hostname = NULL;
- const char *service = NULL;
- const char *tofu_file = NULL;
-
- sb = gnutls_session_get_ptr(session);
- if (sb == NULL)
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-
- if (sb->cred == NULL)
- return
- gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
-
- if (sb->server_name[0] != 0)
- hostname = sb->server_name;
-
- if (sb->service_name[0] != 0)
- service = sb->service_name;
-
- if (sb->cred->tofu_file[0] != 0)
- tofu_file = sb->cred->tofu_file;
-
- /* This verification function uses the trusted CAs in the credentials
- * structure. So you must have installed one or more CA certificates.
- */
- sb->vstatus = 0;
- if (sb->cred->vflags & GNUTLS_VMETHOD_SYSTEM_CAS
- || sb->cred->vflags & GNUTLS_VMETHOD_GIVEN_CAS) {
- ret =
- gnutls_certificate_verify_peers3(session, hostname,
- &status);
- if (ret < 0)
- return gnutls_assert_val(GNUTLS_E_AUTH_ERROR);
-
- sb->vstatus = status;
-
- if (status != 0) /* Certificate is not trusted */
- return gnutls_assert_val(GNUTLS_E_AUTH_ERROR);
- }
-
- if (hostname && sb->cred->vflags & GNUTLS_VMETHOD_TOFU) {
- const gnutls_datum_t *cert_list;
- unsigned int cert_list_size;
-
- type = gnutls_certificate_type_get(session);
-
- /* Do SSH verification */
- cert_list =
- gnutls_certificate_get_peers(session, &cert_list_size);
- if (cert_list == NULL) {
- sb->vstatus |= GNUTLS_CERT_INVALID;
- return gnutls_assert_val(GNUTLS_E_AUTH_ERROR);
- }
-
- /* service may be obtained alternatively using getservbyport() */
- ret =
- gnutls_verify_stored_pubkey(tofu_file, NULL, hostname,
- service, type,
- &cert_list[0], 0);
- if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) {
- /* host was not seen before. Store the key */
- gnutls_store_pubkey(tofu_file, NULL, hostname,
- service, type, &cert_list[0],
- 0, 0);
- } else if (ret == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) {
- sb->vstatus |= GNUTLS_CERT_MISMATCH;
- return gnutls_assert_val(GNUTLS_E_AUTH_ERROR);
- } else if (ret < 0) {
- sb->vstatus |= GNUTLS_CERT_INVALID;
- return gnutls_assert_val(GNUTLS_E_AUTH_ERROR);
- }
- }
-
- /* notify gnutls to continue handshake normally */
- return 0;
-}
-
-/**
- * xssl_cred_init:
- * @c: is a pointer to #xssl_cred_t structure.
- * @vflags: the requested peer verification methods
- * @aux: Auxilary data to input any required CA certificate etc.
- * @aux_size: the number of the auxillary data provided
- *
- * This function initializes X.509 certificates in
- * a #xssl_cred_t structure.
- *
- * The @ca_file and @crl_file are required only if @vflags includes
- * %GNUTLS_VMETHOD_GIVEN_CAS. The @tofu_file may be set if
- * %GNUTLS_VMETHOD_TOFU is specified.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
- *
- * Since: 3.1.7
- **/
-int xssl_cred_init(xssl_cred_t * c, unsigned vflags,
- gnutls_cinput_st * aux, unsigned aux_size)
-{
- int ret;
- unsigned len, i;
- xssl_cred_t cred;
-
- *c = gnutls_calloc(1, sizeof(*cred));
- if (*c == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
- cred = *c;
- cred->vflags = vflags;
-
- if (cred->xcred == NULL) {
- ret =
- gnutls_certificate_allocate_credentials(&cred->xcred);
- if (ret < 0)
- return gnutls_assert_val(ret);
- }
-
- if (vflags & GNUTLS_VMETHOD_SYSTEM_CAS) {
- ret =
- gnutls_certificate_set_x509_system_trust(cred->xcred);
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
- }
-
- for (i = 0; i < aux_size; i++) {
- if (aux[i].contents == GNUTLS_CINPUT_KEYPAIR) {
- if (aux[i].type == GNUTLS_CINPUT_TYPE_FILE)
- ret =
- gnutls_certificate_set_x509_key_file
- (cred->xcred, aux[i].i1.file,
- aux[i].i2.file, aux[i].fmt);
- else if (aux[i].type == GNUTLS_CINPUT_TYPE_MEM)
- ret =
- gnutls_certificate_set_x509_key_mem
- (cred->xcred, &aux[i].i1.mem,
- &aux[i].i2.mem, aux[i].fmt);
- else if (aux[i].type ==
- GNUTLS_CINPUT_TYPE_PIN_FUNC) {
- ret = 0;
- gnutls_certificate_set_pin_function(cred->
- xcred,
- aux[i].
- i1.
- pin_fn,
- aux[i].
- i2.
- udata);
- } else
- ret =
- gnutls_assert_val
- (GNUTLS_E_INVALID_REQUEST);
-
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
- }
-
- if (aux[i].contents == GNUTLS_CINPUT_CAS
- && (vflags & GNUTLS_VMETHOD_GIVEN_CAS)) {
- if (aux[i].type == GNUTLS_CINPUT_TYPE_FILE)
- ret =
- gnutls_certificate_set_x509_trust_file
- (cred->xcred, aux[i].i1.file,
- aux[i].fmt);
- else
- ret =
- gnutls_certificate_set_x509_trust_mem
- (cred->xcred, &aux[i].i1.mem,
- aux[i].fmt);
-
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
- }
-
- if (aux[i].contents == GNUTLS_CINPUT_CRLS
- && (vflags & GNUTLS_VMETHOD_GIVEN_CAS)) {
- if (aux[i].type == GNUTLS_CINPUT_TYPE_FILE)
- ret =
- gnutls_certificate_set_x509_crl_file
- (cred->xcred, aux[i].i1.file,
- aux[i].fmt);
- else
- ret =
- gnutls_certificate_set_x509_crl_mem
- (cred->xcred, &aux[i].i1.mem,
- aux[i].fmt);
-
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
- }
-
- if (aux[i].contents == GNUTLS_CINPUT_TOFU_DB
- && (vflags & GNUTLS_VMETHOD_TOFU)) {
- if (aux[i].type == GNUTLS_CINPUT_TYPE_FILE) {
- len = strlen(aux[i].i1.file);
- if (len >= sizeof(cred->tofu_file)) {
- ret =
- gnutls_assert_val
- (GNUTLS_E_INVALID_REQUEST);
- goto fail1;
- }
- memcpy(cred->tofu_file, aux[i].i1.file,
- len + 1);
- ret = 0;
- } else
- ret = GNUTLS_E_INVALID_REQUEST;
-
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
- }
- }
-
- gnutls_certificate_set_verify_function(cred->xcred,
- _verify_certificate_callback);
-
- return 0;
- fail1:
- gnutls_certificate_free_credentials(cred->xcred);
- cred->xcred = NULL;
- gnutls_free(*c);
-
- return ret;
-}
-
-/**
- * xssl_sinit:
- * @isb: is a pointer to a #xssl_t structure.
- * @session: a GnuTLS session
- * @flags: should be zero or %GNUTLS_SBUF_WRITE_FLUSHES
- *
- * This function initializes a #xssl_t structure associated
- * with the provided session. If the flag %GNUTLS_SBUF_WRITE_FLUSHES
- * is set then xssl_queue() will flush when the maximum
- * data size for a record is reached.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
- *
- * Since: 3.1.7
- **/
-int xssl_sinit(xssl_t * isb, gnutls_session_t session, unsigned int flags)
-{
- struct xssl_st *sb;
-
- sb = gnutls_calloc(1, sizeof(*sb));
- if (sb == NULL)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
- _gnutls_buffer_init(&sb->buf);
- sb->session = session;
- sb->flags = flags;
-
- *isb = sb;
-
- return 0;
-}
-
-/**
- * xssl_client_init:
- * @isb: is a pointer to a #xssl_t structure.
- * @hostname: The name of the host to connect to
- * @service: The name of the host to connect to
- * @fd: a socket descriptor
- * @priority: A priority string to use (use %NULL for default)
- * @cred: A credentials structure
- * @status: An authentication failure status
- * @flags: should be zero or %GNUTLS_SBUF_WRITE_FLUSHES
- *
- * This function initializes a #xssl_t structure.
- * If the flag %GNUTLS_SBUF_WRITE_FLUSHES
- * is set then xssl_queue() will flush when the maximum
- * data size for a record is reached.
- *
- * If peer verification fails then %GNUTLS_E_AUTH_ERROR is returned.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
- *
- * Since: 3.1.7
- **/
-int xssl_client_init(xssl_t * isb, const char *hostname,
- const char *service,
- gnutls_transport_ptr fd,
- const char *priority, xssl_cred_t cred,
- unsigned int *status, unsigned int flags)
-{
- struct xssl_st *sb;
- gnutls_session_t session;
- int ret;
- unsigned len;
-
- ret = gnutls_init(&session, GNUTLS_CLIENT);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- sb = gnutls_calloc(1, sizeof(*sb));
- if (sb == NULL) {
- gnutls_deinit(session);
- ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- goto fail1;
- }
- _gnutls_buffer_init(&sb->buf);
- sb->session = session;
- sb->flags = flags;
- sb->cred = cred;
-
- /* set session/handshake info
- */
- gnutls_handshake_set_timeout(session,
- GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
-
- if (priority == NULL)
- priority = "NORMAL:%COMPAT";
- ret = gnutls_priority_set_direct(session, priority, NULL);
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
-
- if (cred->xcred) {
- ret =
- gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
- cred->xcred);
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
- }
-
- if (hostname) {
- len = strlen(hostname);
-
- if (len >= sizeof(sb->server_name))
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- memcpy(sb->server_name, hostname, len + 1);
-
- ret =
- gnutls_server_name_set(session, GNUTLS_NAME_DNS,
- hostname, len);
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
- }
-
- if (service) {
- len = strlen(service);
-
- if (len >= sizeof(sb->service_name))
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- memcpy(sb->service_name, service, len + 1);
- }
-
- gnutls_transport_set_ptr(session, fd);
- gnutls_session_set_ptr(session, sb);
-
- do {
- ret = gnutls_handshake(session);
- }
- while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
- if (status)
- *status = sb->vstatus;
-
- if (ret < 0) {
- int ret2;
- do {
- ret2 =
- gnutls_alert_send_appropriate(sb->session,
- ret);
- }
- while (ret2 < 0 && gnutls_error_is_fatal(ret2) == 0);
-
- return gnutls_assert_val(ret);
-
- gnutls_assert();
- goto fail1;
- }
-
- *isb = sb;
-
- return 0;
-
- fail1:
- if (sb)
- xssl_deinit(sb);
-
- return ret;
-}
-
-/**
- * xssl_server_init:
- * @isb: is a pointer to a #xssl_t structure.
- * @fd: a socket descriptor
- * @priority: A priority string to use (use %NULL for default)
- * @cred: A credentials structure
- * @status: An authentication failure status
- * @flags: should be zero or %GNUTLS_SBUF_WRITE_FLUSHES
- *
- * This function initializes a #xssl_t structure.
- * If the flag %GNUTLS_SBUF_WRITE_FLUSHES
- * is set then xssl_queue() will flush when the maximum
- * data size for a record is reached.
- *
- * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
- *
- * Since: 3.1.7
- **/
-int xssl_server_init(xssl_t * isb,
- gnutls_transport_ptr fd,
- const char *priority, xssl_cred_t cred,
- unsigned int *status, unsigned int flags)
-{
- struct xssl_st *sb;
- gnutls_session_t session;
- int ret;
-
- ret = gnutls_init(&session, GNUTLS_SERVER);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- sb = gnutls_calloc(1, sizeof(*sb));
- if (sb == NULL) {
- gnutls_deinit(session);
- ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- goto fail1;
- }
- _gnutls_buffer_init(&sb->buf);
- sb->session = session;
- sb->flags = flags;
- sb->cred = cred;
-
- /* set session/handshake info
- */
- gnutls_handshake_set_timeout(session,
- GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
-
- if (priority == NULL)
- priority = "NORMAL:%COMPAT";
- ret = gnutls_priority_set_direct(session, priority, NULL);
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
-
- if (cred->xcred) {
- if (cred->xcred->ncerts == 0
- && cred->xcred->get_cert_callback2 == NULL) {
- ret =
- gnutls_assert_val
- (GNUTLS_E_INSUFFICIENT_CREDENTIALS);
- goto fail1;
- }
-
- ret =
- gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
- cred->xcred);
- if (ret < 0) {
- gnutls_assert();
- goto fail1;
- }
-
- }
-
- if (cred->vflags & GNUTLS_VMETHOD_GIVEN_CAS)
- gnutls_certificate_server_set_request(session,
- GNUTLS_CERT_REQUIRE);
-
- gnutls_transport_set_ptr(session, fd);
- gnutls_session_set_ptr(session, sb);
-
- do {
- ret = gnutls_handshake(session);
- }
- while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
- if (status)
- *status = sb->vstatus;
-
- if (ret < 0) {
- int ret2;
- do {
- ret2 =
- gnutls_alert_send_appropriate(sb->session,
- ret);
- }
- while (ret2 < 0 && gnutls_error_is_fatal(ret2) == 0);
-
- return gnutls_assert_val(ret);
-
- gnutls_assert();
- goto fail1;
- }
-
- *isb = sb;
-
- return 0;
-
- fail1:
- if (sb)
- xssl_deinit(sb);
-
- return ret;
-}
-
-/**
- * xssl_deinit:
- * @sb: is a #xssl_t structure.
- *
- * This function clears all buffers associated with the @sb
- * structure. The GnuTLS session associated with the structure
- * is left intact.
- *
- * Since: 3.1.7
- **/
-void xssl_deinit(xssl_t sb)
-{
- if (sb->session) {
- gnutls_bye(sb->session, GNUTLS_SHUT_WR);
- gnutls_deinit(sb->session);
- }
- _gnutls_buffer_clear(&sb->buf);
- gnutls_free(sb);
-}
-
-/**
- * xssl_write:
- * @sb: is a #xssl_t structure.
- * @data: contains the data to send
- * @data_size: is the length of the data
- *
- * This function is the buffered equivalent of gnutls_record_send().
- * Instead of sending the data immediately the data are buffered
- * until xssl_queue() is called, or if the flag %GNUTLS_SBUF_WRITE_FLUSHES
- * is set, until the number of bytes for a full record is reached.
- *
- * This function must only be used with blocking sockets.
- *
- * Returns: On success, the number of bytes written is returned, otherwise
- * an error code is returned.
- *
- * Since: 3.1.7
- **/
-ssize_t xssl_write(xssl_t sb, const void *data, size_t data_size)
-{
- int ret;
-
- ret = _gnutls_buffer_append_data(&sb->buf, data, data_size);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- while ((sb->flags & GNUTLS_SBUF_WRITE_FLUSHES) &&
- sb->buf.length >= MAX_RECORD_SEND_SIZE(sb->session)) {
- do {
- ret =
- gnutls_record_send(sb->session, sb->buf.data,
- sb->buf.length);
- }
- while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- sb->buf.data += ret;
- sb->buf.length -= ret;
- }
-
- return data_size;
-}
-
-/**
- * xssl_printf:
- * @sb: is a #xssl_t structure.
- * @fmt: printf-style format
- *
- * This function allows writing to a %xssl_t using printf
- * style arguments.
- *
- * This function must only be used with blocking sockets.
- *
- * Returns: On success, the number of bytes written is returned, otherwise
- * an error code is returned.
- *
- * Since: 3.1.7
- **/
-ssize_t xssl_printf(xssl_t sb, const char *fmt, ...)
-{
- int ret;
- va_list args;
- int len;
- char *str;
-
- va_start(args, fmt);
- len = vasprintf(&str, fmt, args);
- va_end(args);
-
- if (len < 0 || !str)
- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-
- ret = xssl_write(sb, str, len);
-
- gnutls_free(str);
-
- return ret;
-}
-
-/**
- * xssl_flush:
- * @sb: is a #xssl_t structure.
- *
- * This function flushes the buffer @sb. All the data stored are transmitted.
- *
- * This function must only be used with blocking sockets.
- *
- * Returns: On success, the number of bytes sent, otherwise a negative error code.
- *
- * Since: 3.1.7
- **/
-ssize_t xssl_flush(xssl_t sb)
-{
- int ret;
- ssize_t total = 0;
-
- while (sb->buf.length > 0) {
- do {
- ret =
- gnutls_record_send(sb->session, sb->buf.data,
- sb->buf.length);
- }
- while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- sb->buf.data += ret;
- sb->buf.length -= ret;
- total += ret;
- }
-
- return total;
-}
-
-/**
- * xssl_read:
- * @sb: is a #xssl_t structure.
- * @data: the buffer that the data will be read into
- * @data_size: the number of requested bytes
- *
- * This function receives data from the underlying session.
- * Only fatal errors are returned by this function.
- *
- * Returns: The number of bytes received and zero on EOF (for stream
- * connections) or a negative error code.
- *
- * Since: 3.1.7
- **/
-ssize_t xssl_read(xssl_t sb, void *data, size_t data_size)
-{
- int ret;
-
- do {
- ret = gnutls_record_recv(sb->session, data, data_size);
- }
- while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
-
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- return 0;
-}
-
-/**
- * xssl_get_session:
- * @sb: is a #xssl_t structure.
- *
- * Returns: The associated session or %NULL.
- *
- * Since: 3.1.7
- **/
-gnutls_session_t xssl_get_session(xssl_t sb)
-{
- return sb->session;
-}
diff --git a/lib/xssl.h b/lib/xssl.h
deleted file mode 100644
index aac26a9755..0000000000
--- a/lib/xssl.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SBUF_H
-#define SBUF_H
-
-#include <gnutls_str.h>
-#include <gnutls/gnutls.h>
-
-struct xssl_cred_st {
- gnutls_certificate_credentials_t xcred;
- char tofu_file[MAX_FILENAME];
- unsigned vflags;
-};
-
-struct xssl_st {
- gnutls_session_t session;
- gnutls_buffer_st buf;
-
- char server_name[MAX_SERVER_NAME_SIZE];
- char service_name[MAX_SERVER_NAME_SIZE];
-
- xssl_cred_t cred;
-
- unsigned int vstatus; /* the verification status reason */
- unsigned int flags;
-};
-
-#endif
diff --git a/lib/xssl_getline.c b/lib/xssl_getline.c
deleted file mode 100644
index aa5677f7fd..0000000000
--- a/lib/xssl_getline.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/* getdelim.c --- Implementation of replacement getdelim function.
- * Copyright (C) 1994, 1996-1998, 2001, 2003, 2005-2012 Free Software
- * Foundation, Inc.
- *
- * This file is part of GnuTLS.
- *
- * The gnutls library is free software; you can redistribute it
- * and/or modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- */
-
-/* Ported from glibc by Simon Josefsson. */
-
-#include <gnutls_int.h>
-#include <gnutls_errors.h>
-#include <gnutls/xssl.h>
-#include <xssl.h>
-
-#ifndef SSIZE_MAX
-#define SSIZE_MAX ((ssize_t) (SIZE_MAX / 2))
-#endif
-
-/**
- * xssl_get_delim:
- * @sb: is a #xssl_t structure.
- * @lineptr: a pointer.
- * @n: The size of @lineptr.
- * @delimiter: The delimiter to stop reading at.
- *
- * Read up to (and including) a @delimiter from &sb into *LINEPTR (and
- * NUL-terminate it). @lineptr is a pointer returned from gnutls_malloc()
- * (or %NULL), pointing to @n characters of space. It is realloc'ed as
- * necessary.
- *
- * Only fatal errors are returned by this function.
- *
- * Returns the number of characters read (not including
- * the null terminator), or a negative error code on error.
- *
- * Since: 3.1.7
- **/
-ssize_t
-xssl_getdelim(xssl_t sbuf, char **lineptr, size_t * n, int delimiter)
-{
- ssize_t result;
- size_t cur_len = 0;
-
- if (lineptr == NULL || n == NULL || sbuf == NULL) {
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- }
-
- if (*lineptr == NULL || *n == 0) {
- char *new_lineptr;
- *n = 120;
- new_lineptr = (char *) gnutls_realloc_fast(*lineptr, *n);
- if (new_lineptr == NULL) {
- result = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- goto fail;
- }
- *lineptr = new_lineptr;
- }
-
- for (;;) {
- char c;
-
- result = xssl_read(sbuf, &c, 1);
- if (result < 0) {
- gnutls_assert();
- break;
- }
-
- /* Make enough space for len+1 (for final NUL) bytes. */
- if (cur_len + 1 >= *n) {
- size_t needed_max =
- SSIZE_MAX <
- SIZE_MAX ? (size_t) SSIZE_MAX + 1 : SIZE_MAX;
- size_t needed = 2 * *n + 1; /* Be generous. */
- char *new_lineptr;
-
- if (needed_max < needed)
- needed = needed_max;
- if (cur_len + 1 >= needed) {
- result =
- gnutls_assert_val
- (GNUTLS_E_LARGE_PACKET);
- goto fail;
- }
-
- new_lineptr =
- (char *) gnutls_realloc_fast(*lineptr, needed);
- if (new_lineptr == NULL) {
- result =
- gnutls_assert_val
- (GNUTLS_E_MEMORY_ERROR);
- goto fail;
- }
-
- *lineptr = new_lineptr;
- *n = needed;
- }
-
- (*lineptr)[cur_len] = c;
- cur_len++;
-
- if (c == delimiter)
- break;
- }
- (*lineptr)[cur_len] = '\0';
-
- if (cur_len != 0)
- result = cur_len;
-
- fail:
-
- return result;
-}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8e9cdde20d..49e1d7f0c2 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -71,7 +71,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
mini-termination mini-x509-cas mini-x509-2 pkcs12_simple \
mini-emsgsize-dtls chainverify-unsorted mini-overhead \
mini-dtls-heartbeat mini-x509-callbacks key-openssl priorities \
- mini-dtls-srtp mini-xssl rsa-encrypt-decrypt mini-loss-time \
+ mini-dtls-srtp rsa-encrypt-decrypt mini-loss-time \
mini-record mini-dtls-record mini-handshake-timeout mini-record-range \
mini-cert-status mini-rsa-psk global-init sec-params \
fips-test mini-global-load name-constraints
diff --git a/tests/mini-xssl.c b/tests/mini-xssl.c
deleted file mode 100644
index 1834353da7..0000000000
--- a/tests/mini-xssl.c
+++ /dev/null
@@ -1,397 +0,0 @@
-/*
- * Copyright (C) 2013 Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * GnuTLS is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * GnuTLS is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
-/* Tests for the xssl interface */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#if defined(_WIN32) || !defined(ENABLE_NON_SUITEB_CURVES)
-
-int main()
-{
- exit(77);
-}
-
-#else
-
-#include <string.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/xssl.h>
-#include <signal.h>
-
-#include "utils.h"
-
-#define TOFU_DB_FILE "tofu.tmp.db"
-
-static void terminate(void);
-
-/* This program tests the robustness of record
- * decoding.
- */
-
-static time_t mytime(time_t * t)
-{
- time_t then = 1359304177;
-
- if (t)
- *t = then;
-
- return then;
-}
-
-
-static void server_log_func(int level, const char *str)
-{
- fprintf (stderr, "server|<%d>| %s", level, str);
-}
-
-static void client_log_func(int level, const char *str)
-{
- fprintf(stderr, "client|<%d>| %s", level, str);
-}
-
-static unsigned char ca_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIIDUDCCAgigAwIBAgIBADANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5HbnVU\n"
- "TFMgVGVzdCBDQTAeFw0xMTA1MjgwODM2MzBaFw0zODEwMTIwODM2MzNaMBkxFzAV\n"
- "BgNVBAMTDkdudVRMUyBUZXN0IENBMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIB\n"
- "OgKCATEAnORCsX1unl//fy2d1054XduIg/3CqVBaT3Hca65SEoDwh0KiPtQoOgZL\n"
- "dKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJU95v4TQdC4OLMiE56eIGq252hZAb\n"
- "HoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08\n"
- "WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3\n"
- "F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vGVYHigXMEZC2FezlwIHaZzpEoFlY3\n"
- "a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSe\n"
- "oxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/\n"
- "MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFE1Wt2oAWPFnkvSmdVUbjlMBA+/P\n"
- "MA0GCSqGSIb3DQEBCwUAA4IBMQAesOgjGFi1zOYpA/N3gkUVRcBHDxmN7g2yOcqH\n"
- "VfhFc+e4zhOehR11WCt2RgzNlnYVmV5zBmQBdTAt8Po/MVhLCDW1BULHlLvL0DFc\n"
- "4sB1RlcGeQcCKQa4b+Q9VWf4f6TfuEWZQC5j5stiXjVgOqrOMrzKZ2eKWA4JsL9s\n"
- "V+7ANSZE+hOt1X1mA8moyqe95U2Ecih+nFJSWSBd1WFiEzVnXv4FVWPXbH9HERDK\n"
- "VbasjofWWmQO1YlQPishLgm1IbwqOkOk4sDgoLuUZ4GgP0DDeN6EmRDOzByrv+9u\n"
- "f45Bl9IQf4IJNPLU9lEqjyMOydqT6kBi7fjV5ICuQZ4EeVJsOGuX7PqNyoDzJHLv\n"
- "ferRfNLr6eQSHSxBhS0cVyDjb5gCawK6u7xTU+b7xikEie9k\n"
- "-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t ca_cert = { ca_pem,
- sizeof(ca_pem) - 1
-};
-
-static unsigned char server_cert_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIICsDCCAWigAwIBAgIETeC0kjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5H\n"
- "bnVUTFMgVGVzdCBDQTAeFw0xMTA1MjgwODM4NDNaFw0zODEwMTIwODM4NDZaMDEx\n"
- "LzAtBgNVBAMTJkdudVRMUyBUZXN0IHNlcnZlciAoRUNEU0EgY2VydGlmaWNhdGUp\n"
- "ME4wEAYHKoZIzj0CAQYFK4EEACEDOgAE0vMmf/W0rRoUqBxH5Uq+c/sR76ElmyZM\n"
- "e2zj3U9PRJ0maKstEOHkpaDaSU6s2Hyi9L88wS1ZX0ijgY0wgYowDAYDVR0TAQH/\n"
- "BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEw\n"
- "DwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUJ97Q83IFpLgqeOnT1rX/JzCvlTQw\n"
- "HwYDVR0jBBgwFoAUTVa3agBY8WeS9KZ1VRuOUwED788wDQYJKoZIhvcNAQELBQAD\n"
- "ggExAErP9z8CCwt7YwA+SHoulNjqcXsngeKAKN9fVgV/XuspG6L2nU1WZvCjjFj6\n"
- "jggMbJSElyCuLZJKlTC/DihXUgRXyswOzg9qQ7dDv+V/Qi95XH5slXNzYxMQSdoA\n"
- "IaULVVDZcMFMVSc+TyAchJ6XwUY9umiysz3lSOioMQCch4MA366ZNqqnq5OD4moH\n"
- "1SUX8CbRjA6SLpvffexLTB2Af+mFi8ReTkXCwB1LGEH1HRp/XzBc+/F9mavy3g/6\n"
- "Hnjf2E1h2GDYXcJCVfE+ArjNS+R94jJwRMFBvwD/x2hsvpSajDpO0+GIxlGGKdyh\n"
- "7o4puz/BqHwSzX9h7I7RvFEogDUNUzLgHMdcjq5usnmQpdWNUP8Xs/WqLjML+/PT\n"
- "+jyCwmll0lPlC2RqAx3pM1XrjjQ=\n" "-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t server_cert = { server_cert_pem,
- sizeof(server_cert_pem) - 1
-};
-
-static unsigned char server_key_pem[] =
- "-----BEGIN EC PRIVATE KEY-----\n"
- "MGgCAQEEHHX3xeBOGgIxxtuhhpbwdwZnJztR7+uZTHnYuL+gBwYFK4EEACGhPAM6\n"
- "AATS8yZ/9bStGhSoHEflSr5z+xHvoSWbJkx7bOPdT09EnSZoqy0Q4eSloNpJTqzY\n"
- "fKL0vzzBLVlfSA==\n" "-----END EC PRIVATE KEY-----\n";
-
-const gnutls_datum_t server_key = { server_key_pem,
- sizeof(server_key_pem) - 1
-};
-
-#define LINE1 "hello there people\n"
-#define LINE2 "how are you doing today, all well?\n"
-
-static const char *test = NULL;
-
-#define err_quit(r) {fail("%s: Error in line %d: %s\n", test, __LINE__, gnutls_strerror(r)); exit(1);}
-
-static void client(int fd, unsigned int vmethod, unsigned use_cert)
-{
- int ret;
- char *line = NULL;
- size_t line_len;
- xssl_cred_t cred;
- xssl_t sb;
- gnutls_cinput_st aux[6];
- unsigned int status;
- unsigned aux_size = 0;
-
- global_init();
- gnutls_global_set_time_function(mytime);
-
- if (debug) {
- gnutls_global_set_log_function(client_log_func);
- gnutls_global_set_log_level(7);
- }
-
- if (vmethod & GNUTLS_VMETHOD_GIVEN_CAS) {
- aux[aux_size].type = GNUTLS_CINPUT_TYPE_MEM;
- aux[aux_size].contents = GNUTLS_CINPUT_CAS;
- aux[aux_size].fmt = GNUTLS_X509_FMT_PEM;
- aux[aux_size].i1.mem = ca_cert;
- aux_size++;
- }
-
- if (use_cert != 0) {
- aux[aux_size].type = GNUTLS_CINPUT_TYPE_MEM;
- aux[aux_size].contents = GNUTLS_CINPUT_KEYPAIR;
- aux[aux_size].fmt = GNUTLS_X509_FMT_PEM;
- aux[aux_size].i1.mem = server_cert;
- aux[aux_size].i2.mem = server_key;
- aux_size++;
- }
-
- if (vmethod & GNUTLS_VMETHOD_TOFU) {
- aux[aux_size].type = GNUTLS_CINPUT_TYPE_FILE;
- aux[aux_size].contents = GNUTLS_CINPUT_TOFU_DB;
- aux[aux_size].i1.file = TOFU_DB_FILE;
- aux_size++;
- }
-
- ret = xssl_cred_init(&cred, vmethod, aux, aux_size);
- if (ret < 0)
- err_quit(ret);
-
- /* Initialize TLS session
- */
- ret =
- xssl_client_init(&sb, "localhost", NULL,
- (gnutls_transport_ptr_t) (long) fd, NULL,
- cred, &status, 0);
- if (ret < 0) {
- if (ret == GNUTLS_E_AUTH_ERROR) {
- gnutls_datum_t txt;
-
- gnutls_certificate_verification_status_print
- (status, GNUTLS_CRT_X509, &txt, 0);
-
- fprintf(stderr, "auth[%x]: %s\n", status,
- txt.data);
- gnutls_free(txt.data);
- }
- err_quit(ret);
- }
-
- ret = xssl_getline(sb, &line, &line_len);
- if (ret < 0)
- err_quit(ret);
-
- if (strcmp(line, LINE1) != 0) {
- fail("Error comparing first line\n");
- exit(1);
- }
-
- ret = xssl_getline(sb, &line, &line_len);
- if (ret < 0)
- err_quit(ret);
-
- if (strcmp(line, LINE2) != 0) {
- fail("Error comparing first line\n");
- exit(1);
- }
-
- gnutls_free(line);
-
- xssl_deinit(sb);
-
- close(fd);
-
- xssl_cred_deinit(cred);
-
- gnutls_global_deinit();
-}
-
-
-/* These are global */
-pid_t child;
-
-static void terminate(void)
-{
- kill(child, SIGTERM);
- exit(1);
-}
-
-static void server(int fd, unsigned vmethod)
-{
- int ret;
- xssl_cred_t cred;
- xssl_t sb;
- gnutls_cinput_st aux[6];
- unsigned aux_size = 0;
-
- if (debug) {
- gnutls_global_set_log_function(server_log_func);
- gnutls_global_set_log_level(7);
- }
-
- global_init();
-
- aux[aux_size].type = GNUTLS_CINPUT_TYPE_MEM;
- aux[aux_size].contents = GNUTLS_CINPUT_KEYPAIR;
- aux[aux_size].fmt = GNUTLS_X509_FMT_PEM;
- aux[aux_size].i1.mem = server_cert;
- aux[aux_size].i2.mem = server_key;
- aux_size++;
-
- if (vmethod & GNUTLS_VMETHOD_GIVEN_CAS) {
- aux[aux_size].type = GNUTLS_CINPUT_TYPE_MEM;
- aux[aux_size].contents = GNUTLS_CINPUT_CAS;
- aux[aux_size].fmt = GNUTLS_X509_FMT_PEM;
- aux[aux_size].i1.mem = ca_cert;
- aux_size++;
- }
-
- ret = xssl_cred_init(&cred, vmethod, aux, aux_size);
- if (ret < 0)
- err_quit(ret);
-
- /* Initialize TLS session
- */
- ret = xssl_server_init(&sb, (gnutls_transport_ptr_t) (long) fd,
- NULL, cred, NULL, 0);
- if (ret < 0)
- err_quit(ret);
-
- ret = xssl_write(sb, LINE1, sizeof(LINE1) - 1);
- if (ret < 0)
- err_quit(ret);
-
- ret = xssl_write(sb, LINE2, sizeof(LINE2) - 1);
- if (ret < 0)
- err_quit(ret);
-
- ret = xssl_flush(sb);
- if (ret < 0)
- err_quit(ret);
-
- xssl_deinit(sb);
-
- close(fd);
-
- xssl_cred_deinit(cred);
-
- gnutls_global_deinit();
-
-}
-
-static void start(unsigned vc, unsigned vs, unsigned ccert)
-{
- int fd[2];
- int ret;
-
- ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
- if (ret < 0) {
- perror("socketpair");
- exit(1);
- }
-
- child = fork();
- if (child < 0) {
- perror("fork");
- fail("fork");
- exit(1);
- }
-
- if (child) {
- /* parent */
- close(fd[1]);
- server(fd[0], vs);
- waitpid(-1, NULL, 0);
- //kill(child, SIGTERM);
- } else {
- close(fd[0]);
- client(fd[1], vc, ccert);
- exit(0);
- }
-}
-
-static void ch_handler(int sig)
-{
- int status = 0;
-
- waitpid(-1, &status, 0);
- if (WEXITSTATUS(status) != 0 ||
- (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
- if (WIFSIGNALED(status))
- fail("Child died with sigsegv\n");
- else
- fail("Child died with status %d\n",
- WEXITSTATUS(status));
- terminate();
- }
- return;
-}
-
-void doit(void)
-{
- signal(SIGCHLD, ch_handler);
- signal(SIGPIPE, SIG_IGN);
-
- test = "test1: no auth";
- if (debug)
- fprintf(stderr, "running %s", test);
- start(GNUTLS_VMETHOD_NO_AUTH, GNUTLS_VMETHOD_NO_AUTH, 0);
-
- test = "test2: server auth";
- if (debug)
- fprintf(stderr, "running %s", test);
- start(GNUTLS_VMETHOD_GIVEN_CAS, GNUTLS_VMETHOD_NO_AUTH, 0);
-
- test = "test3: mutual auth";
- if (debug)
- fprintf(stderr, "running %s", test);
- start(GNUTLS_VMETHOD_GIVEN_CAS, GNUTLS_VMETHOD_GIVEN_CAS, 1);
-
- remove(TOFU_DB_FILE);
- test = "test4: trust on first use p1";
- if (debug)
- fprintf(stderr, "running %s", test);
- start(GNUTLS_VMETHOD_TOFU, GNUTLS_VMETHOD_NO_AUTH, 0);
-
- test = "test5: trust on first use p2";
- if (debug)
- fprintf(stderr, "running %s", test);
- start(GNUTLS_VMETHOD_TOFU, GNUTLS_VMETHOD_NO_AUTH, 0);
- remove(TOFU_DB_FILE);
-
-}
-
-#endif /* _WIN32 */