search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Use _gnutls_dsa_q_to_hash() only for warning reasons.
[gnutls.git] / src / common.c
blob3928491fe2e07ec9afdfe970825e75b342c57c82
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos
4 *
5 * This file is part of GnuTLS.
6 *
7 * GnuTLS is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuTLS is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22
23 /* Work around problem reported in
24 <http://permalink.gmane.org/gmane.comp.lib.gnulib.bugs/15755>.*/
25 #if GETTIMEOFDAY_CLOBBERS_LOCALTIME
26 #undef localtime
27 #endif
28
29 #include <getpass.h>
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <gnutls/gnutls.h>
35 #include <gnutls/x509.h>
36 #include <gnutls/openpgp.h>
37 #include <time.h>
38 #include <common.h>
39
40 #ifdef ENABLE_PKCS11
41 # include <gnutls/pkcs11.h>
42 #endif
43
44 #define SU(x) (x!=NULL?x:"Unknown")
45
46 const char str_unknown[] = "(unknown)";
47
48 /* Hex encodes the given data.
49 */
50 const char *
51 raw_to_string (const unsigned char *raw, size_t raw_size)
52 {
53 static char buf[1024];
54 size_t i;
55 if (raw_size == 0)
56 return "(empty)";
57
58 if (raw_size * 3 + 1 >= sizeof (buf))
59 return "(too large)";
60
61 for (i = 0; i < raw_size; i++)
62 {
63 sprintf (&(buf[i * 3]), "%02X%s", raw[i],
64 (i == raw_size - 1) ? "" : ":");
65 }
66 buf[sizeof (buf) - 1] = '\0';
67
68 return buf;
69 }
70
71 static void
72 print_x509_info_compact (gnutls_session_t session)
73 {
74 gnutls_x509_crt_t crt;
75 const gnutls_datum_t *cert_list;
76 unsigned int cert_list_size = 0;
77 int ret;
78 gnutls_datum_t cinfo;
79
80 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
81 if (cert_list_size == 0)
82 {
83 fprintf (stderr, "No certificates found!\n");
84 return;
85 }
86
87 gnutls_x509_crt_init (&crt);
88 ret =
89 gnutls_x509_crt_import (crt, &cert_list[0],
90 GNUTLS_X509_FMT_DER);
91 if (ret < 0)
92 {
93 fprintf (stderr, "Decoding error: %s\n",
94 gnutls_strerror (ret));
95 return;
96 }
97
98 ret =
99 gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
100 if (ret == 0)
101 {
102 printf ("- X.509 cert: %s\n", cinfo.data);
103 gnutls_free (cinfo.data);
104 }
105
106 gnutls_x509_crt_deinit (crt);
107 }
108
109 static void
110 print_x509_info (gnutls_session_t session, int flag, int print_cert)
111 {
112 gnutls_x509_crt_t crt;
113 const gnutls_datum_t *cert_list;
114 unsigned int cert_list_size = 0, j;
115 int ret;
116
117 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
118 if (cert_list_size == 0)
119 {
120 fprintf (stderr, "No certificates found!\n");
121 return;
122 }
123
124 printf ("- Certificate type: X.509\n");
125 printf ("- Got a certificate list of %d certificates.\n",
126 cert_list_size);
127
128 for (j = 0; j < cert_list_size; j++)
129 {
130 gnutls_datum_t cinfo;
131
132 gnutls_x509_crt_init (&crt);
133 ret =
134 gnutls_x509_crt_import (crt, &cert_list[j],
135 GNUTLS_X509_FMT_DER);
136 if (ret < 0)
137 {
138 fprintf (stderr, "Decoding error: %s\n",
139 gnutls_strerror (ret));
140 return;
141 }
142
143 printf ("- Certificate[%d] info:\n - ", j);
144 if (flag == GNUTLS_CRT_PRINT_COMPACT && j > 0) flag = GNUTLS_CRT_PRINT_ONELINE;
145
146 ret =
147 gnutls_x509_crt_print (crt, flag, &cinfo);
148 if (ret == 0)
149 {
150 printf ("%s\n", cinfo.data);
151 gnutls_free (cinfo.data);
152 }
153
154 if (print_cert)
155 {
156 size_t size = 0;
157 char *p = NULL;
158
159 ret =
160 gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p,
161 &size);
162 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
163 {
164 p = malloc (size);
165 if (!p)
166 {
167 fprintf (stderr, "gnutls_malloc\n");
168 exit (1);
169 }
170
171 ret =
172 gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM,
173 p, &size);
174 }
175 if (ret < 0)
176 {
177 fprintf (stderr, "Encoding error: %s\n",
178 gnutls_strerror (ret));
179 return;
180 }
181
182 fputs ("\n", stdout);
183 fputs (p, stdout);
184 fputs ("\n", stdout);
185
186 gnutls_free (p);
187 }
188
189 gnutls_x509_crt_deinit (crt);
190 }
191 }
192
193 /* returns true or false, depending on whether the hostname
194 * matches to certificate */
195 static int
196 verify_x509_hostname (gnutls_session_t session, const char *hostname)
197 {
198 gnutls_x509_crt_t crt;
199 const gnutls_datum_t *cert_list;
200 unsigned int cert_list_size = 0;
201 int ret;
202
203 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
204 if (cert_list_size == 0)
205 {
206 fprintf (stderr, "No certificates found!\n");
207 return 0;
208 }
209
210 gnutls_x509_crt_init (&crt);
211 ret =
212 gnutls_x509_crt_import (crt, &cert_list[0],
213 GNUTLS_X509_FMT_DER);
214 if (ret < 0)
215 {
216 fprintf (stderr, "Decoding error: %s\n",
217 gnutls_strerror (ret));
218 return 0;
219 }
220
221 /* Check the hostname of the first certificate if it matches
222 * the name of the host we connected to.
223 */
224 if (hostname != NULL)
225 {
226 if (gnutls_x509_crt_check_hostname (crt, hostname) == 0)
227 {
228 printf
229 ("- The hostname in the certificate does NOT match '%s'\n",
230 hostname);
231 ret = 0;
232 }
233 else
234 {
235 printf ("- The hostname in the certificate matches '%s'.\n",
236 hostname);
237 ret = 1;
238 }
239 }
240
241 gnutls_x509_crt_deinit (crt);
242
243 return ret;
244 }
245
246 #ifdef ENABLE_OPENPGP
247 /* returns true or false, depending on whether the hostname
248 * matches to certificate */
249 static int
250 verify_openpgp_hostname (gnutls_session_t session, const char *hostname)
251 {
252 gnutls_openpgp_crt_t crt;
253 const gnutls_datum_t *cert_list;
254 unsigned int cert_list_size = 0;
255 int ret;
256
257 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
258 if (cert_list_size == 0)
259 {
260 fprintf (stderr, "No certificates found!\n");
261 return 0;
262 }
263
264 gnutls_openpgp_crt_init (&crt);
265 ret =
266 gnutls_openpgp_crt_import (crt, &cert_list[0],
267 GNUTLS_OPENPGP_FMT_RAW);
268 if (ret < 0)
269 {
270 fprintf (stderr, "Decoding error: %s\n",
271 gnutls_strerror (ret));
272 return 0;
273 }
274
275 /* Check the hostname of the first certificate if it matches
276 * the name of the host we connected to.
277 */
278 if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
279 {
280 printf
281 ("- The hostname in the certificate does NOT match '%s'\n",
282 hostname);
283 ret = 0;
284 }
285 else
286 {
287 printf ("- The hostname in the certificate matches '%s'.\n",
288 hostname);
289 ret = 1;
290 }
291
292 gnutls_openpgp_crt_deinit (crt);
293
294 return ret;
295 }
296
297 static void
298 print_openpgp_info_compact (gnutls_session_t session)
299 {
300
301 gnutls_openpgp_crt_t crt;
302 const gnutls_datum_t *cert_list;
303 unsigned int cert_list_size = 0;
304 int ret;
305
306 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
307
308 if (cert_list_size > 0)
309 {
310 gnutls_datum_t cinfo;
311
312 gnutls_openpgp_crt_init (&crt);
313 ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
314 GNUTLS_OPENPGP_FMT_RAW);
315 if (ret < 0)
316 {
317 fprintf (stderr, "Decoding error: %s\n",
318 gnutls_strerror (ret));
319 return;
320 }
321
322 ret =
323 gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
324 if (ret == 0)
325 {
326 printf ("- OpenPGP cert: %s\n", cinfo.data);
327 gnutls_free (cinfo.data);
328 }
329
330 gnutls_openpgp_crt_deinit (crt);
331 }
332 }
333
334 static void
335 print_openpgp_info (gnutls_session_t session, int flag, int print_cert)
336 {
337
338 gnutls_openpgp_crt_t crt;
339 const gnutls_datum_t *cert_list;
340 unsigned int cert_list_size = 0;
341 int ret;
342
343 printf ("- Certificate type: OpenPGP\n");
344
345 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
346
347 if (cert_list_size > 0)
348 {
349 gnutls_datum_t cinfo;
350
351 gnutls_openpgp_crt_init (&crt);
352 ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
353 GNUTLS_OPENPGP_FMT_RAW);
354 if (ret < 0)
355 {
356 fprintf (stderr, "Decoding error: %s\n",
357 gnutls_strerror (ret));
358 return;
359 }
360
361 ret =
362 gnutls_openpgp_crt_print (crt, flag, &cinfo);
363 if (ret == 0)
364 {
365 printf ("- %s\n", cinfo.data);
366 gnutls_free (cinfo.data);
367 }
368
369 if (print_cert)
370 {
371 size_t size = 0;
372 char *p = NULL;
373
374 ret =
375 gnutls_openpgp_crt_export (crt,
376 GNUTLS_OPENPGP_FMT_BASE64,
377 p, &size);
378 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
379 {
380 p = malloc (size);
381 if (!p)
382 {
383 fprintf (stderr, "gnutls_malloc\n");
384 exit (1);
385 }
386
387 ret =
388 gnutls_openpgp_crt_export (crt,
389 GNUTLS_OPENPGP_FMT_BASE64,
390 p, &size);
391 }
392 if (ret < 0)
393 {
394 fprintf (stderr, "Encoding error: %s\n",
395 gnutls_strerror (ret));
396 return;
397 }
398
399 fputs (p, stdout);
400 fputs ("\n", stdout);
401
402 gnutls_free (p);
403 }
404
405 gnutls_openpgp_crt_deinit (crt);
406 }
407 }
408
409 #endif
410
411 /* returns false (0) if not verified, or true (1) otherwise
412 */
413 int
414 cert_verify (gnutls_session_t session, const char* hostname)
415 {
416 int rc;
417 unsigned int status = 0;
418 int type;
419
420 rc = gnutls_certificate_verify_peers2 (session, &status);
421 if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
422 {
423 printf ("- Peer did not send any certificate.\n");
424 return 0;
425 }
426
427 if (rc < 0)
428 {
429 printf ("- Could not verify certificate (err: %s)\n",
430 gnutls_strerror (rc));
431 return 0;
432 }
433
434 type = gnutls_certificate_type_get (session);
435 if (type == GNUTLS_CRT_X509)
436 {
437
438 if (status & GNUTLS_CERT_REVOKED)
439 printf ("- Peer's certificate chain revoked\n");
440 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
441 printf ("- Peer's certificate issuer is unknown\n");
442 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
443 printf ("- Peer's certificate issuer is not a CA\n");
444 if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
445 printf
446 ("- Peer's certificate chain uses insecure algorithm\n");
447 if (status & GNUTLS_CERT_NOT_ACTIVATED)
448 printf
449 ("- Peer's certificate chain uses not yet valid certificate\n");
450 if (status & GNUTLS_CERT_EXPIRED)
451 printf
452 ("- Peer's certificate chain uses expired certificate\n");
453 if (status & GNUTLS_CERT_INVALID)
454 printf ("- Peer's certificate is NOT trusted\n");
455 else
456 printf ("- Peer's certificate is trusted\n");
457
458 rc = verify_x509_hostname (session, hostname);
459 if (rc == 0) status |= GNUTLS_CERT_INVALID;
460 }
461 else if (type == GNUTLS_CRT_OPENPGP)
462 {
463 if (status & GNUTLS_CERT_INVALID)
464 printf ("- Peer's key is invalid\n");
465 else
466 printf ("- Peer's key is valid\n");
467 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
468 printf ("- Could not find a signer of the peer's key\n");
469
470 rc = verify_openpgp_hostname (session, hostname);
471 if (rc == 0) status |= GNUTLS_CERT_INVALID;
472 }
473 else
474 {
475 fprintf(stderr, "Unknown certificate type\n");
476 status |= GNUTLS_CERT_INVALID;
477 }
478
479 if (status)
480 return 0;
481
482 return 1;
483 }
484
485 static void
486 print_dh_info (gnutls_session_t session, const char *str, int print)
487 {
488 printf ("- %sDiffie-Hellman parameters\n", str);
489 printf (" - Using prime: %d bits\n",
490 gnutls_dh_get_prime_bits (session));
491 printf (" - Secret key: %d bits\n",
492 gnutls_dh_get_secret_bits (session));
493 printf (" - Peer's public key: %d bits\n",
494 gnutls_dh_get_peers_public_bits (session));
495
496 if (print)
497 {
498 int ret;
499 gnutls_datum_t raw_gen = { NULL, 0 };
500 gnutls_datum_t raw_prime = { NULL, 0 };
501 gnutls_dh_params_t dh_params = NULL;
502 unsigned char *params_data = NULL;
503 size_t params_data_size = 0;
504
505 ret = gnutls_dh_get_group (session, &raw_gen, &raw_prime);
506 if (ret)
507 {
508 fprintf (stderr, "gnutls_dh_get_group %d\n", ret);
509 goto out;
510 }
511
512 ret = gnutls_dh_params_init (&dh_params);
513 if (ret)
514 {
515 fprintf (stderr, "gnutls_dh_params_init %d\n", ret);
516 goto out;
517 }
518
519 ret =
520 gnutls_dh_params_import_raw (dh_params, &raw_prime,
521 &raw_gen);
522 if (ret)
523 {
524 fprintf (stderr, "gnutls_dh_params_import_raw %d\n", ret);
525 goto out;
526 }
527
528 ret = gnutls_dh_params_export_pkcs3 (dh_params,
529 GNUTLS_X509_FMT_PEM,
530 params_data,
531 &params_data_size);
532 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
533 {
534 fprintf (stderr, "gnutls_dh_params_export_pkcs3 %d\n",
535 ret);
536 goto out;
537 }
538
539 params_data = gnutls_malloc (params_data_size);
540 if (!params_data)
541 {
542 fprintf (stderr, "gnutls_malloc %d\n", ret);
543 goto out;
544 }
545
546 ret = gnutls_dh_params_export_pkcs3 (dh_params,
547 GNUTLS_X509_FMT_PEM,
548 params_data,
549 &params_data_size);
550 if (ret)
551 {
552 fprintf (stderr, "gnutls_dh_params_export_pkcs3-2 %d\n",
553 ret);
554 goto out;
555 }
556
557 printf (" - PKCS#3 format:\n\n%.*s\n", (int) params_data_size,
558 params_data);
559
560 out:
561 gnutls_free (params_data);
562 gnutls_free (raw_prime.data);
563 gnutls_free (raw_gen.data);
564 gnutls_dh_params_deinit (dh_params);
565 }
566 }
567
568 static void
569 print_ecdh_info (gnutls_session_t session, const char *str)
570 {
571 int curve;
572
573 printf ("- %sEC Diffie-Hellman parameters\n", str);
574
575 curve = gnutls_ecc_curve_get (session);
576
577 printf (" - Using curve: %s\n", gnutls_ecc_curve_get_name (curve));
578 printf (" - Curve size: %d bits\n",
579 gnutls_ecc_curve_get_size (curve) * 8);
580
581 }
582
583 int
584 print_info (gnutls_session_t session, int print_cert, int verbose)
585 {
586 const char *tmp;
587 gnutls_credentials_type_t cred;
588 gnutls_kx_algorithm_t kx;
589 unsigned char session_id[33];
590 size_t session_id_size = sizeof (session_id);
591
592 /* print session ID */
593 gnutls_session_get_id (session, session_id, &session_id_size);
594 printf ("- Session ID: %s\n",
595 raw_to_string (session_id, session_id_size));
596
597 /* print the key exchange's algorithm name
598 */
599 kx = gnutls_kx_get (session);
600
601 cred = gnutls_auth_get_type (session);
602 switch (cred)
603 {
604 #ifdef ENABLE_ANON
605 case GNUTLS_CRD_ANON:
606 if (kx == GNUTLS_KX_ANON_ECDH)
607 print_ecdh_info (session, "Anonymous ");
608 else
609 print_dh_info (session, "Anonymous ", verbose);
610 break;
611 #endif
612 #ifdef ENABLE_SRP
613 case GNUTLS_CRD_SRP:
614 /* This should be only called in server
615 * side.
616 */
617 if (gnutls_srp_server_get_username (session) != NULL)
618 printf ("- SRP authentication. Connected as '%s'\n",
619 gnutls_srp_server_get_username (session));
620 break;
621 #endif
622 #ifdef ENABLE_PSK
623 case GNUTLS_CRD_PSK:
624 /* This returns NULL in server side.
625 */
626 if (gnutls_psk_client_get_hint (session) != NULL)
627 printf ("- PSK authentication. PSK hint '%s'\n",
628 gnutls_psk_client_get_hint (session));
629 /* This returns NULL in client side.
630 */
631 if (gnutls_psk_server_get_username (session) != NULL)
632 printf ("- PSK authentication. Connected as '%s'\n",
633 gnutls_psk_server_get_username (session));
634 if (kx == GNUTLS_KX_DHE_PSK)
635 print_dh_info (session, "Ephemeral ", verbose);
636 if (kx == GNUTLS_KX_ECDHE_PSK)
637 print_ecdh_info (session, "Ephemeral ");
638 break;
639 #endif
640 case GNUTLS_CRD_IA:
641 printf ("- TLS/IA authentication\n");
642 break;
643 case GNUTLS_CRD_CERTIFICATE:
644 {
645 char dns[256];
646 size_t dns_size = sizeof (dns);
647 unsigned int type;
648
649 /* This fails in client side */
650 if (gnutls_server_name_get
651 (session, dns, &dns_size, &type, 0) == 0)
652 {
653 printf ("- Given server name[%d]: %s\n", type, dns);
654 }
655 }
656
657 print_cert_info (session, verbose, print_cert);
658
659 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
660 print_dh_info (session, "Ephemeral ", verbose);
661 else if (kx == GNUTLS_KX_ECDHE_RSA
662 || kx == GNUTLS_KX_ECDHE_ECDSA)
663 print_ecdh_info (session, "Ephemeral ");
664 }
665
666 tmp =
667 SU (gnutls_protocol_get_name
668 (gnutls_protocol_get_version (session)));
669 printf ("- Version: %s\n", tmp);
670
671 tmp = SU (gnutls_kx_get_name (kx));
672 printf ("- Key Exchange: %s\n", tmp);
673
674 tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session)));
675 printf ("- Cipher: %s\n", tmp);
676
677 tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session)));
678 printf ("- MAC: %s\n", tmp);
679
680 tmp =
681 SU (gnutls_compression_get_name
682 (gnutls_compression_get (session)));
683 printf ("- Compression: %s\n", tmp);
684
685 if (verbose)
686 {
687 gnutls_datum_t cb;
688 int rc;
689
690 rc = gnutls_session_channel_binding (session,
691 GNUTLS_CB_TLS_UNIQUE, &cb);
692 if (rc)
693 fprintf (stderr, "Channel binding error: %s\n",
694 gnutls_strerror (rc));
695 else
696 {
697 size_t i;
698
699 printf ("- Channel binding 'tls-unique': ");
700 for (i = 0; i < cb.size; i++)
701 printf ("%02x", cb.data[i]);
702 printf ("\n");
703 }
704 }
705
706 /* Warning: Do not print anything more here. The 'Compression:'
707 output MUST be the last non-verbose output. This is used by
708 Emacs starttls.el code. */
709
710 fflush (stdout);
711
712 return 0;
713 }
714
715 void
716 print_cert_info (gnutls_session_t session, int verbose, int print_cert)
717 {
718 int flag;
719
720 if (verbose) flag = GNUTLS_CRT_PRINT_FULL;
721 else flag = GNUTLS_CRT_PRINT_COMPACT;
722
723 if (gnutls_certificate_client_get_request_status (session) != 0)
724 printf ("- Server has requested a certificate.\n");
725
726 switch (gnutls_certificate_type_get (session))
727 {
728 case GNUTLS_CRT_X509:
729 print_x509_info (session, flag, print_cert);
730 break;
731 #ifdef ENABLE_OPENPGP
732 case GNUTLS_CRT_OPENPGP:
733 print_openpgp_info (session, flag, print_cert);
734 break;
735 #endif
736 default:
737 printf ("Unknown type\n");
738 break;
739 }
740 }
741
742 void
743 print_cert_info_compact (gnutls_session_t session)
744 {
745
746 if (gnutls_certificate_client_get_request_status (session) != 0)
747 printf ("- Server has requested a certificate.\n");
748
749 switch (gnutls_certificate_type_get (session))
750 {
751 case GNUTLS_CRT_X509:
752 print_x509_info_compact (session);
753 break;
754 #ifdef ENABLE_OPENPGP
755 case GNUTLS_CRT_OPENPGP:
756 print_openpgp_info_compact (session);
757 break;
758 #endif
759 default:
760 printf ("Unknown type\n");
761 break;
762 }
763 }
764
765 void
766 print_list (const char *priorities, int verbose)
767 {
768 size_t i;
769 int ret;
770 unsigned int idx;
771 const char *name;
772 const char *err;
773 unsigned char id[2];
774 gnutls_kx_algorithm_t kx;
775 gnutls_cipher_algorithm_t cipher;
776 gnutls_mac_algorithm_t mac;
777 gnutls_protocol_t version;
778 gnutls_priority_t pcache;
779 const unsigned int *list;
780
781 if (priorities != NULL)
782 {
783 printf ("Cipher suites for %s\n", priorities);
784
785 ret = gnutls_priority_init (&pcache, priorities, &err);
786 if (ret < 0)
787 {
788 fprintf (stderr, "Syntax error at: %s\n", err);
789 exit (1);
790 }
791
792 for (i = 0;; i++)
793 {
794 ret =
795 gnutls_priority_get_cipher_suite_index (pcache, i,
796 &idx);
797 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
798 break;
799 if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
800 continue;
801
802 name =
803 gnutls_cipher_suite_info (idx, id, NULL, NULL, NULL,
804 &version);
805
806 if (name != NULL)
807 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
808 name, (unsigned char) id[0],
809 (unsigned char) id[1],
810 gnutls_protocol_get_name (version));
811 }
812
813 printf("\n");
814 {
815 ret = gnutls_priority_certificate_type_list (pcache, &list);
816
817 printf ("Certificate types: ");
818 if (ret == 0) printf("none\n");
819 for (i = 0; i < (unsigned)ret; i++)
820 {
821 printf ("CTYPE-%s",
822 gnutls_certificate_type_get_name (list[i]));
823 if (i+1!=(unsigned)ret)
824 printf (", ");
825 else
826 printf ("\n");
827 }
828 }
829
830 {
831 ret = gnutls_priority_protocol_list (pcache, &list);
832
833 printf ("Protocols: ");
834 if (ret == 0) printf("none\n");
835 for (i = 0; i < (unsigned)ret; i++)
836 {
837 printf ("VERS-%s", gnutls_protocol_get_name (list[i]));
838 if (i+1!=(unsigned)ret)
839 printf (", ");
840 else
841 printf ("\n");
842 }
843 }
844
845 {
846 ret = gnutls_priority_compression_list (pcache, &list);
847
848 printf ("Compression: ");
849 if (ret == 0) printf("none\n");
850 for (i = 0; i < (unsigned)ret; i++)
851 {
852 printf ("COMP-%s",
853 gnutls_compression_get_name (list[i]));
854 if (i+1!=(unsigned)ret)
855 printf (", ");
856 else
857 printf ("\n");
858 }
859 }
860
861 {
862 ret = gnutls_priority_ecc_curve_list (pcache, &list);
863
864 printf ("Elliptic curves: ");
865 if (ret == 0) printf("none\n");
866 for (i = 0; i < (unsigned)ret; i++)
867 {
868 printf ("CURVE-%s",
869 gnutls_ecc_curve_get_name (list[i]));
870 if (i+1!=(unsigned)ret)
871 printf (", ");
872 else
873 printf ("\n");
874 }
875 }
876
877 {
878 ret = gnutls_priority_sign_list (pcache, &list);
879
880 printf ("PK-signatures: ");
881 if (ret == 0) printf("none\n");
882 for (i = 0; i < (unsigned)ret; i++)
883 {
884 printf ("SIGN-%s",
885 gnutls_sign_algorithm_get_name (list[i]));
886 if (i+1!=(unsigned)ret)
887 printf (", ");
888 else
889 printf ("\n");
890 }
891 }
892
893 return;
894 }
895
896 printf ("Cipher suites:\n");
897 for (i = 0; (name = gnutls_cipher_suite_info
898 (i, id, &kx, &cipher, &mac, &version)); i++)
899 {
900 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
901 name,
902 (unsigned char) id[0], (unsigned char) id[1],
903 gnutls_protocol_get_name (version));
904 if (verbose)
905 printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
906 gnutls_kx_get_name (kx),
907 gnutls_cipher_get_name (cipher),
908 gnutls_mac_get_name (mac));
909 }
910
911 printf("\n");
912 {
913 const gnutls_certificate_type_t *p =
914 gnutls_certificate_type_list ();
915
916 printf ("Certificate types: ");
917 for (; *p; p++)
918 {
919 printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p));
920 if (*(p + 1))
921 printf (", ");
922 else
923 printf ("\n");
924 }
925 }
926
927 {
928 const gnutls_protocol_t *p = gnutls_protocol_list ();
929
930 printf ("Protocols: ");
931 for (; *p; p++)
932 {
933 printf ("VERS-%s", gnutls_protocol_get_name (*p));
934 if (*(p + 1))
935 printf (", ");
936 else
937 printf ("\n");
938 }
939 }
940
941 {
942 const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
943
944 printf ("Ciphers: ");
945 for (; *p; p++)
946 {
947 printf ("%s", gnutls_cipher_get_name (*p));
948 if (*(p + 1))
949 printf (", ");
950 else
951 printf ("\n");
952 }
953 }
954
955 {
956 const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
957
958 printf ("MACs: ");
959 for (; *p; p++)
960 {
961 printf ("%s", gnutls_mac_get_name (*p));
962 if (*(p + 1))
963 printf (", ");
964 else
965 printf ("\n");
966 }
967 }
968
969 {
970 const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
971
972 printf ("Key exchange algorithms: ");
973 for (; *p; p++)
974 {
975 printf ("%s", gnutls_kx_get_name (*p));
976 if (*(p + 1))
977 printf (", ");
978 else
979 printf ("\n");
980 }
981 }
982
983 {
984 const gnutls_compression_method_t *p = gnutls_compression_list ();
985
986 printf ("Compression: ");
987 for (; *p; p++)
988 {
989 printf ("COMP-%s", gnutls_compression_get_name (*p));
990 if (*(p + 1))
991 printf (", ");
992 else
993 printf ("\n");
994 }
995 }
996
997 {
998 const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list ();
999
1000 printf ("Elliptic curves: ");
1001 for (; *p; p++)
1002 {
1003 printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p));
1004 if (*(p + 1))
1005 printf (", ");
1006 else
1007 printf ("\n");
1008 }
1009 }
1010
1011 {
1012 const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
1013
1014 printf ("Public Key Systems: ");
1015 for (; *p; p++)
1016 {
1017 printf ("%s", gnutls_pk_algorithm_get_name (*p));
1018 if (*(p + 1))
1019 printf (", ");
1020 else
1021 printf ("\n");
1022 }
1023 }
1024
1025 {
1026 const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
1027
1028 printf ("PK-signatures: ");
1029 for (; *p; p++)
1030 {
1031 printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p));
1032 if (*(p + 1))
1033 printf (", ");
1034 else
1035 printf ("\n");
1036 }
1037 }
1038 }
1039
1040 int check_command(gnutls_session_t session, const char* str)
1041 {
1042 int len = strlen(str);
1043
1044 if (len > 2 && str[0] == str[1] && str[0] == '*')
1045 {
1046 if (strncmp(str, "**REHANDSHAKE**",
1047 sizeof ("**REHANDSHAKE**") - 1) == 0)
1048 {
1049 fprintf (stderr, "*** Sending rehandshake request\n");
1050 gnutls_rehandshake (session);
1051 return 1;
1052 }
1053 }
1054 return 0;
1055 }
1056
1057 #define MIN(x,y) ((x)<(y))?(x):(y)
1058 #define MAX_CACHE_TRIES 5
1059 int
1060 pin_callback (void *user, int attempt, const char *token_url,
1061 const char *token_label, unsigned int flags, char *pin,
1062 size_t pin_max)
1063 {
1064 const char *password;
1065 const char * desc;
1066 int len, cache = MAX_CACHE_TRIES;
1067 /* allow caching of PIN */
1068 static char *cached_url = NULL;
1069 static char cached_pin[32] = "";
1070
1071 if (flags & GNUTLS_PIN_SO)
1072 desc = "security officer";
1073 else
1074 desc = "user";
1075
1076 if (flags & GNUTLS_PIN_FINAL_TRY)
1077 {
1078 cache = 0;
1079 printf ("*** This is the final try before locking!\n");
1080 }
1081 if (flags & GNUTLS_PIN_COUNT_LOW)
1082 {
1083 cache = 0;
1084 printf ("*** Only few tries left before locking!\n");
1085 }
1086
1087 if (flags & GNUTLS_PIN_WRONG)
1088 {
1089 cache = 0;
1090 printf ("*** Wrong PIN has been provided!\n");
1091 }
1092
1093 if (cache > 0 && cached_url != NULL)
1094 {
1095 if (strcmp (cached_url, token_url) == 0)
1096 {
1097 if (strlen(pin) >= sizeof(cached_pin))
1098 {
1099 fprintf (stderr, "Too long PIN given\n");
1100 exit (1);
1101 }
1102
1103 fprintf(stderr, "Re-using cached PIN for token '%s'\n", token_label);
1104 strcpy (pin, cached_pin);
1105 cache--;
1106 return 0;
1107 }
1108 }
1109
1110 printf ("Token '%s' with URL '%s' ", token_label, token_url);
1111 printf ("requires %s PIN\n", desc);
1112
1113 password = getpass ("Enter PIN: ");
1114 if (password == NULL || password[0] == 0)
1115 {
1116 fprintf (stderr, "No password given\n");
1117 exit (1);
1118 }
1119
1120 len = MIN (pin_max, strlen (password));
1121 memcpy (pin, password, len);
1122 pin[len] = 0;
1123
1124 /* cache */
1125 strcpy (cached_pin, pin);
1126 free (cached_url);
1127 cached_url = strdup (token_url);
1128 cache = MAX_CACHE_TRIES;
1129
1130 return 0;
1131 }
1132
1133 #ifdef ENABLE_PKCS11
1134
1135 static int
1136 token_callback (void *user, const char *label, const unsigned retry)
1137 {
1138 char buf[32];
1139
1140 if (retry > 0)
1141 {
1142 fprintf (stderr, "Could not find token %s\n", label);
1143 return -1;
1144 }
1145 printf ("Please insert token '%s' in slot and press enter\n", label);
1146 fgets (buf, sizeof (buf), stdin);
1147
1148 return 0;
1149 }
1150
1151 void
1152 pkcs11_common (void)
1153 {
1154
1155 gnutls_pkcs11_set_pin_function (pin_callback, NULL);
1156 gnutls_pkcs11_set_token_function (token_callback, NULL);
1157
1158 }
1159
1160 #endif
Implementation of the SSL/TLS protocol