
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-299-gae9f09b


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-299-gae9f09b
Date: Thu, 08 Jul 2010 15:56:02 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=ae9f09b7e71dab272b483e22c0888075dfd3aec0

The branch, master has been updated
       via  ae9f09b7e71dab272b483e22c0888075dfd3aec0 (commit)
       via  bee02cee8afff636fdddfcaccb2e3569371eef50 (commit)
       via  d23837b5ab80a4e7b42fdbad65c17eb68501720d (commit)
      from  1e4d20a5831ba92a27d00e188333c4c310568fab (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ae9f09b7e71dab272b483e22c0888075dfd3aec0
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 8 17:55:54 2010 +0200

    ex-rfc2818 is now a functional program demonstrating the verification 
procedure.

commit bee02cee8afff636fdddfcaccb2e3569371eef50
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 8 17:35:34 2010 +0200

    Example with export ciphersuites was removed.

commit d23837b5ab80a4e7b42fdbad65c17eb68501720d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Jul 8 17:33:16 2010 +0200

    corrected typo

-----------------------------------------------------------------------

Summary of changes:
 doc/Makefile.am               |    2 +-
 doc/cha-gtls-app.texi         |   13 +--
 doc/examples/Makefile.am      |    6 +-
 doc/examples/ex-rfc2818.c     |  135 ++++++++++++++--
 doc/examples/ex-serv-export.c |  367 -----------------------------------------
 lib/gnutls_pubkey.c           |    2 +-
 6 files changed, 131 insertions(+), 394 deletions(-)
 delete mode 100644 doc/examples/ex-serv-export.c

diff --git a/doc/Makefile.am b/doc/Makefile.am
index 6e8eb32..c99dcc0 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -42,7 +42,7 @@ gnutls_TEXINFOS += examples/ex-client1.c 
examples/ex-client2.c                \
        examples/ex-cert-select.c examples/ex-client-resume.c           \
        examples/ex-client-srp.c examples/ex-client-tlsia.c             \
        examples/ex-rfc2818.c examples/ex-serv1.c                       \
-       examples/ex-serv-export.c examples/ex-serv-anon.c               \
+       examples/ex-serv-anon.c         \
        examples/ex-serv-pgp.c examples/ex-serv-srp.c                   \
        examples/ex-alert.c examples/ex-x509-info.c examples/ex-crq.c   \
        examples/ex-pkcs12.c
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 515859d..5e08aa3 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -233,8 +233,8 @@ treat the connection as being a secure one.
 
 @verbatiminclude examples/ex-rfc2818.c
 
-An other example is listed below which provides a more detailed
-verification output.
+Another example is listed below which provides more detailed
+verification output, for applications that need it.
 
 @verbatiminclude examples/ex-verify.c
 
@@ -327,15 +327,6 @@ This example is a very simple echo server which supports
 
 @verbatiminclude examples/ex-serv1.c
 
address@hidden Echo Server with X.509 authentication II
address@hidden Echo Server with @acronym{X.509} Authentication II
-
-The following example is a server which supports @acronym{X.509}
-authentication.  This server supports the export-grade cipher suites,
-the DHE ciphersuites and session resuming.
-
address@hidden examples/ex-serv-export.c
-
 @node Echo Server with OpenPGP authentication
 @subsection Echo Server with @acronym{OpenPGP} Authentication
 @cindex @acronym{OpenPGP} Server
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index 0c055b1..9a19409 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -42,10 +42,10 @@ CXX_LDADD = $(LDADD) \
        ../../lib/libgnutlsxx.la
 
 noinst_PROGRAMS = ex-client2 ex-client-resume
-noinst_PROGRAMS += ex-cert-select
+noinst_PROGRAMS += ex-cert-select ex-rfc2818
 
 if ENABLE_PKI
-noinst_PROGRAMS += ex-crq ex-serv1 ex-serv-export
+noinst_PROGRAMS += ex-crq ex-serv1
 endif
 
 if ENABLE_CXX
@@ -77,5 +77,5 @@ endif
 noinst_LTLIBRARIES = libexamples.la
 
 libexamples_la_SOURCES = examples.h ex-alert.c ex-pkcs12.c             \
-       ex-rfc2818.c ex-session-info.c ex-x509-info.c ex-verify.c       \
+       ex-session-info.c ex-x509-info.c ex-verify.c    \
        tcp.c ex-cert-select-pkcs11.c
diff --git a/doc/examples/ex-rfc2818.c b/doc/examples/ex-rfc2818.c
index 1df60a8..693e5f5 100644
--- a/doc/examples/ex-rfc2818.c
+++ b/doc/examples/ex-rfc2818.c
@@ -5,33 +5,46 @@
 #endif
 
 #include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
-
 #include "examples.h"
 
+/* A very basic TLS client, with X.509 authentication and server certificate
+ * verification.
+ */
+
+#define MAX_BUF 1024
+#define CAFILE "ca.pem"
+#define MSG "GET / HTTP/1.0\r\n\r\n"
+
+extern int tcp_connect (void);
+extern void tcp_close (int sd);
+
 /* This function will try to verify the peer's certificate, and
  * also check if the hostname matches, and the activation, expiration dates.
  */
-void
-verify_certificate (gnutls_session_t session, const char *hostname)
+static int verify_certificate_callback (gnutls_session_t session)
 {
   unsigned int status;
   const gnutls_datum_t *cert_list;
   unsigned int cert_list_size;
   int ret;
   gnutls_x509_crt_t cert;
+  const char *hostname;
 
+  /* read hostname */
+  hostname = gnutls_session_get_ptr(session);
 
   /* This verification function uses the trusted CAs in the credentials
    * structure. So you must have installed one or more CA certificates.
    */
   ret = gnutls_certificate_verify_peers2 (session, &status);
-
   if (ret < 0)
     {
       printf ("Error\n");
-      return;
+      return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
   if (status & GNUTLS_CERT_INVALID)
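Review bot: The hostname read at `hostname = gnutls_session_get_ptr(session);` is never checked for NULL, so a caller that registers this callback without first calling gnutls_session_set_ptr() hands a NULL pointer to the hostname comparison later in the function (outside this hunk); add `if (hostname == NULL) return GNUTLS_E_CERTIFICATE_ERROR;` right after the read so a missing name fails closed. The failure branch of gnutls_certificate_verify_peers2 also discards the reason behind a bare "Error"; `printf ("Error: %s\n", gnutls_strerror (ret));` costs nothing and makes a misconfigured trust file diagnosable. The body of verify_certificate_callback continues past the end of this hunk.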
@@ -54,19 +67,19 @@ verify_certificate (gnutls_session_t session, const char 
*hostname)
    * be easily extended to work with openpgp keys as well.
    */
   if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
-    return;
+    return GNUTLS_E_CERTIFICATE_ERROR;
 
   if (gnutls_x509_crt_init (&cert) < 0)
     {
       printf ("error in initialization\n");
-      return;
+      return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
   cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
   if (cert_list == NULL)
     {
       printf ("No certificate was found!\n");
-      return;
+      return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
   /* This is not a real world example, since we only check the first 
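Review bot: The certificate handle created by `gnutls_x509_crt_init (&cert)` is leaked on the `cert_list == NULL` return in this hunk, and the same leak appears on the import-failure return in the next hunk (@@ -75,7 +88,7) and on the hostname-mismatch return in the last hunk (@@ -83,10 +96,110), since only the success path reaches gnutls_x509_crt_deinit. Because this callback now runs on every handshake, each rejected peer costs one leaked crt object, which matters for a long-running client that retries. Either add `gnutls_x509_crt_deinit (cert);` before each of those returns or route the three failures through one cleanup label that deinits and returns GNUTLS_E_CERTIFICATE_ERROR. The function body continues outside this hunk.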
@@ -75,7 +88,7 @@ verify_certificate (gnutls_session_t session, const char 
*hostname)
   if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
     {
       printf ("error parsing certificate\n");
-      return;
+      return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
 
@@ -83,10 +96,110 @@ verify_certificate (gnutls_session_t session, const char 
*hostname)
     {
       printf ("The certificate's owner does not match hostname '%s'\n",
              hostname);
-      return;
+      return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
   gnutls_x509_crt_deinit (cert);
 
-  return;
+  /* notify gnutls to continue handshake normally */
+  return 0;
+}
+
+
+int
+main (void)
+{
+  int ret, sd, ii;
+  gnutls_session_t session;
+  char buffer[MAX_BUF + 1];
+  const char *err;
+  gnutls_certificate_credentials_t xcred;
+
+  gnutls_global_init ();
+
+  /* X509 stuff */
+  gnutls_certificate_allocate_credentials (&xcred);
+
+  /* sets the trusted cas file
+   */
+  gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
+  gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
+  gnutls_certificate_set_verify_flags(xcred, 
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+
+  /* Initialize TLS session 
+   */
+  gnutls_init (&session, GNUTLS_CLIENT);
+
+  gnutls_session_set_ptr(session, (void*)"my_host_name");
+
+  /* Use default priorities */
+  ret = gnutls_priority_set_direct (session, "PERFORMANCE", &err);
+  if (ret < 0)
+    {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+       {
+         fprintf (stderr, "Syntax error at: %s\n", err);
+       }
+      exit (1);
+    }
+
+  /* put the x509 credentials to the current session
+   */
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+  /* connect to the peer
+   */
+  sd = tcp_connect ();
+
+  gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
+
+  /* Perform the TLS handshake
+   */
+  ret = gnutls_handshake (session);
+
+  if (ret < 0)
+    {
+      fprintf (stderr, "*** Handshake failed\n");
+      gnutls_perror (ret);
+      goto end;
+    }
+  else
+    {
+      printf ("- Handshake was completed\n");
+    }
+
+  gnutls_record_send (session, MSG, strlen (MSG));
+
+  ret = gnutls_record_recv (session, buffer, MAX_BUF);
+  if (ret == 0)
+    {
+      printf ("- Peer has closed the TLS connection\n");
+      goto end;
+    }
+  else if (ret < 0)
+    {
+      fprintf (stderr, "*** Error: %s\n", gnutls_strerror (ret));
+      goto end;
+    }
+
+  printf ("- Received %d bytes: ", ret);
+  for (ii = 0; ii < ret; ii++)
+    {
+      fputc (buffer[ii], stdout);
+    }
+  fputs ("\n", stdout);
+
+  gnutls_bye (session, GNUTLS_SHUT_RDWR);
+
+end:
+
+  tcp_close (sd);
+
+  gnutls_deinit (session);
+
+  gnutls_certificate_free_credentials (xcred);
+
+  gnutls_global_deinit ();
+
+  return 0;
 }
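Review bot: `gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);` relaxes exactly the checks this example is meant to demonstrate, since it accepts X.509 v1 certificates (which carry no basicConstraints) as CAs; if it is only there for the test ca.pem, say so in a comment such as `/* Needed only if ca.pem is an X.509 v1 CA; omit in real applications. */`, otherwise drop the call. The name passed in `gnutls_session_set_ptr(session, (void*)"my_host_name");` is what the callback compares against the certificate, while tcp_connect() chooses the peer independently; a one-line comment stating that this must be the host the client intends to reach would keep readers from copying the placeholder. The return value of `gnutls_record_send` is also unchecked, so a failed write is silently followed by a receive on the same session.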
diff --git a/doc/examples/ex-serv-export.c b/doc/examples/ex-serv-export.c
deleted file mode 100644
index b79ad55..0000000
--- a/doc/examples/ex-serv-export.c
+++ /dev/null
@@ -1,367 +0,0 @@
-/* This example code is placed in the public domain. */
-
-#ifdef HAVE_CONFIG_H
-# include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <unistd.h>
-#include <gnutls/gnutls.h>
-
-#define KEYFILE "key.pem"
-#define CERTFILE "cert.pem"
-#define CAFILE "ca.pem"
-#define CRLFILE "crl.pem"
-
-/* This is a sample TLS 1.0 echo server.
- * Export-grade ciphersuites and session resuming are supported.
- */
-
-#define SA struct sockaddr
-#define SOCKET_ERR(err,s) if(err==-1) {perror(s);return(1);}
-#define MAX_BUF 1024
-#define PORT 5556              /* listen to 5556 port */
-#define DH_BITS 1024
-
-/* These are global */
-gnutls_certificate_credentials_t cert_cred;
-
-static void wrap_db_init (void);
-static void wrap_db_deinit (void);
-static int wrap_db_store (void *dbf, gnutls_datum_t key, gnutls_datum_t data);
-static gnutls_datum_t wrap_db_fetch (void *dbf, gnutls_datum_t key);
-static int wrap_db_delete (void *dbf, gnutls_datum_t key);
-
-#define TLS_SESSION_CACHE 50
-
-static gnutls_session_t
-initialize_tls_session (void)
-{
-  gnutls_session_t session;
-
-  gnutls_init (&session, GNUTLS_SERVER);
-
-  /* Use the default priorities, plus, export cipher suites.
-   */
-  gnutls_priority_set_direct (session, "EXPORT", NULL);
-
-  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred);
-
-  /* request client certificate if any.
-   */
-  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
-
-  gnutls_dh_set_prime_bits (session, DH_BITS);
-
-  if (TLS_SESSION_CACHE != 0)
-    {
-      gnutls_db_set_retrieve_function (session, wrap_db_fetch);
-      gnutls_db_set_remove_function (session, wrap_db_delete);
-      gnutls_db_set_store_function (session, wrap_db_store);
-      gnutls_db_set_ptr (session, NULL);
-    }
-
-  return session;
-}
-
-gnutls_dh_params_t dh_params;
-/* Export-grade cipher suites require temporary RSA
- * keys.
- */
-gnutls_rsa_params_t rsa_params;
-
-static char srp_dh_group2048[] =
-  "-----BEGIN DH PARAMETERS-----\n"
-  "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
-  "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
-  "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
-  "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
-  "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
-  "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" "-----END DH PARAMETERS-----\n";
-
-static int
-generate_dh_params (void)
-{
-  gnutls_datum_t dparams = { srp_dh_group2048, sizeof (srp_dh_group2048) };
-  /* Here instead of generating Diffie-Hellman parameters (for use with DHE
-   * kx algorithms) we import them.
-   */
-  gnutls_dh_params_init (&dh_params);
-  gnutls_dh_params_import_pkcs3 (dh_params, &dparams, GNUTLS_X509_FMT_PEM);
-
-  return 0;
-}
-
-static int
-generate_rsa_params (void)
-{
-  gnutls_rsa_params_init (&rsa_params);
-
-  /* Generate RSA parameters - for use with RSA-export
-   * cipher suites. This is an RSA private key and should be 
-   * discarded and regenerated once a day, once every 500 
-   * transactions etc. Depends on the security requirements.
-   */
-
-  gnutls_rsa_params_generate2 (rsa_params, 512);
-
-  return 0;
-}
-
-int
-main (void)
-{
-  int err, listen_sd;
-  int sd, ret;
-  struct sockaddr_in sa_serv;
-  struct sockaddr_in sa_cli;
-  int client_len;
-  char topbuf[512];
-  gnutls_session_t session;
-  char buffer[MAX_BUF + 1];
-  int optval = 1;
-  char name[256];
-
-  strcpy (name, "Echo Server");
-
-  /* this must be called once in the program
-   */
-  gnutls_global_init ();
-
-
-  gnutls_certificate_allocate_credentials (&cert_cred);
-
-  gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE,
-                                         GNUTLS_X509_FMT_PEM);
-
-  gnutls_certificate_set_x509_crl_file (cert_cred, CRLFILE,
-                                       GNUTLS_X509_FMT_PEM);
-
-  gnutls_certificate_set_x509_key_file (cert_cred, CERTFILE, KEYFILE,
-                                       GNUTLS_X509_FMT_PEM);
-
-  generate_dh_params ();
-  generate_rsa_params ();
-
-  if (TLS_SESSION_CACHE != 0)
-    {
-      wrap_db_init ();
-    }
-
-  gnutls_certificate_set_dh_params (cert_cred, dh_params);
-  gnutls_certificate_set_rsa_export_params (cert_cred, rsa_params);
-
-  /* Socket operations
-   */
-  listen_sd = socket (AF_INET, SOCK_STREAM, 0);
-  SOCKET_ERR (listen_sd, "socket");
-
-  memset (&sa_serv, '\0', sizeof (sa_serv));
-  sa_serv.sin_family = AF_INET;
-  sa_serv.sin_addr.s_addr = INADDR_ANY;
-  sa_serv.sin_port = htons (PORT);     /* Server Port number */
-
-  setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *) &optval,
-             sizeof (int));
-
-  err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
-  SOCKET_ERR (err, "bind");
-  err = listen (listen_sd, 1024);
-  SOCKET_ERR (err, "listen");
-
-  printf ("%s ready. Listening to port '%d'.\n\n", name, PORT);
-
-  client_len = sizeof (sa_cli);
-  for (;;)
-    {
-      session = initialize_tls_session ();
-
-      sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
-
-      printf ("- connection from %s, port %d\n",
-             inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
-                        sizeof (topbuf)), ntohs (sa_cli.sin_port));
-
-      gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
-      ret = gnutls_handshake (session);
-      if (ret < 0)
-       {
-         close (sd);
-         gnutls_deinit (session);
-         fprintf (stderr, "*** Handshake has failed (%s)\n\n",
-                  gnutls_strerror (ret));
-         continue;
-       }
-      printf ("- Handshake was completed\n");
-
-      /* print_info(session); */
-
-      for (;;)
-       {
-         memset (buffer, 0, MAX_BUF + 1);
-         ret = gnutls_record_recv (session, buffer, MAX_BUF);
-
-         if (ret == 0)
-           {
-             printf ("\n- Peer has closed the TLS connection\n");
-             break;
-           }
-         else if (ret < 0)
-           {
-             fprintf (stderr, "\n*** Received corrupted "
-                      "data(%d). Closing the connection.\n\n", ret);
-             break;
-           }
-         else if (ret > 0)
-           {
-             /* echo data back to the client
-              */
-             gnutls_record_send (session, buffer, strlen (buffer));
-           }
-       }
-      printf ("\n");
-      /* do not wait for the peer to close the connection.
-       */
-      gnutls_bye (session, GNUTLS_SHUT_WR);
-
-      close (sd);
-      gnutls_deinit (session);
-
-    }
-  close (listen_sd);
-
-  if (TLS_SESSION_CACHE != 0)
-    {
-      wrap_db_deinit ();
-    }
-
-  gnutls_certificate_free_credentials (cert_cred);
-
-  gnutls_global_deinit ();
-
-  return 0;
-
-}
-
-
-/* Functions and other stuff needed for session resuming.
- * This is done using a very simple list which holds session ids
- * and session data.
- */
-
-#define MAX_SESSION_ID_SIZE 32
-#define MAX_SESSION_DATA_SIZE 512
-
-typedef struct
-{
-  char session_id[MAX_SESSION_ID_SIZE];
-  size_t session_id_size;
-
-  char session_data[MAX_SESSION_DATA_SIZE];
-  size_t session_data_size;
-} CACHE;
-
-static CACHE *cache_db;
-static int cache_db_ptr = 0;
-
-static void
-wrap_db_init (void)
-{
-
-  /* allocate cache_db */
-  cache_db = calloc (1, TLS_SESSION_CACHE * sizeof (CACHE));
-}
-
-static void
-wrap_db_deinit (void)
-{
-  free (cache_db);
-  cache_db = NULL;
-  return;
-}
-
-static int
-wrap_db_store (void *dbf, gnutls_datum_t key, gnutls_datum_t data)
-{
-
-  if (cache_db == NULL)
-    return -1;
-
-  if (key.size > MAX_SESSION_ID_SIZE)
-    return -1;
-  if (data.size > MAX_SESSION_DATA_SIZE)
-    return -1;
-
-  memcpy (cache_db[cache_db_ptr].session_id, key.data, key.size);
-  cache_db[cache_db_ptr].session_id_size = key.size;
-
-  memcpy (cache_db[cache_db_ptr].session_data, data.data, data.size);
-  cache_db[cache_db_ptr].session_data_size = data.size;
-
-  cache_db_ptr++;
-  cache_db_ptr %= TLS_SESSION_CACHE;
-
-  return 0;
-}
-
-static gnutls_datum_t
-wrap_db_fetch (void *dbf, gnutls_datum_t key)
-{
-  gnutls_datum_t res = { NULL, 0 };
-  int i;
-
-  if (cache_db == NULL)
-    return res;
-
-  for (i = 0; i < TLS_SESSION_CACHE; i++)
-    {
-      if (key.size == cache_db[i].session_id_size &&
-         memcmp (key.data, cache_db[i].session_id, key.size) == 0)
-       {
-
-
-         res.size = cache_db[i].session_data_size;
-
-         res.data = gnutls_malloc (res.size);
-         if (res.data == NULL)
-           return res;
-
-         memcpy (res.data, cache_db[i].session_data, res.size);
-
-         return res;
-       }
-    }
-  return res;
-}
-
-static int
-wrap_db_delete (void *dbf, gnutls_datum_t key)
-{
-  int i;
-
-  if (cache_db == NULL)
-    return -1;
-
-  for (i = 0; i < TLS_SESSION_CACHE; i++)
-    {
-      if (key.size == cache_db[i].session_id_size &&
-         memcmp (key.data, cache_db[i].session_id, key.size) == 0)
-       {
-
-         cache_db[i].session_id_size = 0;
-         cache_db[i].session_data_size = 0;
-
-         return 0;
-       }
-    }
-
-  return -1;
-
-}
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 2460eca..bd413ef 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -561,7 +561,7 @@ gnutls_pubkey_get_pk_dsa_raw(gnutls_pubkey_t key,
 
 /**
  * gnutls_pubkey_import:
- * @key: The structure to store the parsed certificate. 
+ * @key: The structure to store the parsed public key. 
  * @data: The DER or PEM encoded certificate. 
  * @format: One of DER or PEM 
  * 
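Review bot: The neighbouring line ` * @data: The DER or PEM encoded certificate. ` carries the same copy-paste error the commit fixes on the @key line: gnutls_pubkey_import parses a public key, not a certificate. Change it to ` * @data: The DER or PEM encoded public key. ` so the two parameter descriptions agree. The rest of the doc comment and the function it documents lie outside this hunk.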


hooks/post-receive
-- 
GNU gnutls


