tests/tlsia.c

   1 /*
   2  * Copyright (C) 2004, 2005, 2007 Free Software Foundation
   3  *
   4  * Author: Simon Josefsson
   5  *
   6  * This file is part of GNUTLS.
   7  *
   8  * GNUTLS is free software; you can redistribute it and/or modify it
   9  * under the terms of the GNU General Public License as published by
  10  * the Free Software Foundation; either version 3 of the License, or
  11  * (at your option) any later version.
  12  *
  13  * GNUTLS is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with GNUTLS; if not, write to the Free Software Foundation,
  20  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
  21  */
  22
  23 /* Parts copied from GnuTLS example programs. */
  24
  25 #if HAVE_CONFIG_H
  26 # include <config.h>
  27 #endif
  28
  29 #include <stdio.h>
  30 #include <stdlib.h>
  31 #include <string.h>
  32 #include <sys/types.h>
  33 #include <sys/socket.h>
  34 #include <sys/wait.h>
  35 #include <netinet/in.h>
  36 #include <arpa/inet.h>
  37 #include <unistd.h>
  38 #include <gnutls/gnutls.h>
  39 #include <gnutls/extra.h>
  40
  41 #include "utils.h"
  42
  43 #include <readline.h>
  44
  45 /* A very basic TLS client, with anonymous authentication.
  46  */
  47
  48 #define MAX_BUF 1024
  49 #define MSG "Hello TLS"
  50
  51 /* Connects to the peer and returns a socket
  52  * descriptor.
  53  */
  54 int
  55 tcp_connect (void)
  56 {
  57   const char *PORT = "5556";
  58   const char *SERVER = "127.0.0.1";
  59   int err, sd;
  60   struct sockaddr_in sa;
  61
  62   /* connects to server
  63    */
  64   sd = socket (AF_INET, SOCK_STREAM, 0);
  65
  66   memset (&sa, '\0', sizeof (sa));
  67   sa.sin_family = AF_INET;
  68   sa.sin_port = htons (atoi (PORT));
  69   inet_pton (AF_INET, SERVER, &sa.sin_addr);
  70
  71   err = connect (sd, (struct sockaddr *) &sa, sizeof (sa));
  72   if (err < 0)
  73     {
  74       fprintf (stderr, "Connect error\n");
  75       exit (1);
  76     }
  77
  78   return sd;
  79 }
  80
  81 /* closes the given socket descriptor.
  82  */
  83 void
  84 tcp_close (int sd)
  85 {
  86   shutdown (sd, SHUT_RDWR);     /* no more receptions */
  87   close (sd);
  88 }
  89
  90 int
  91 client_avp (gnutls_session_t session, void *ptr,
  92             const char *last, size_t lastlen, char **new, size_t * newlen)
  93 {
  94   static int iter = 0;
  95   char *p;
  96
  97   if (last)
  98     printf ("client: received %d bytes AVP: `%.*s'\n",
  99             lastlen, lastlen, last);
 100   else
 101     printf ("client: new application phase\n");
 102
 103   switch (iter)
 104     {
 105     case 0:
 106       p = "client's first AVP, next will be empty";
 107       break;
 108
 109     case 1:
 110       p = "";
 111       break;
 112
 113     case 2:
 114       p = "client avp";
 115       break;
 116
 117     default:
 118       p = "final client AVP, we'll restart next";
 119       iter = -1;
 120       break;
 121     }
 122
 123   iter++;
 124
 125   if (debug)
 126     p = readline ("Client TLS/IA AVP: ");
 127
 128   *new = gnutls_strdup (p);
 129   if (!*new)
 130     return -1;
 131   *newlen = strlen (*new);
 132
 133   printf ("client: sending %d bytes AVP: `%s'\n", *newlen, *new);
 134
 135   gnutls_ia_permute_inner_secret (session, 3, "foo");
 136
 137   return 0;
 138 }
 139
 140 void
 141 client (void)
 142 {
 143   int ret, sd, ii;
 144   gnutls_session_t session;
 145   char buffer[MAX_BUF + 1];
 146   gnutls_anon_client_credentials_t anoncred;
 147   gnutls_ia_client_credentials_t iacred;
 148   /* Need to enable anonymous KX specifically. */
 149   const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
 150
 151   ret = gnutls_global_init ();
 152   if (ret)
 153     fail ("global_init: %d\n", ret);
 154   ret = gnutls_global_init_extra ();
 155   if (ret)
 156     fail ("global_init_extra: %d\n", ret);
 157
 158   gnutls_anon_allocate_client_credentials (&anoncred);
 159   gnutls_ia_allocate_client_credentials (&iacred);
 160
 161   /* Initialize TLS session
 162    */
 163   gnutls_init (&session, GNUTLS_CLIENT);
 164
 165   /* Use default priorities */
 166   gnutls_set_default_priority (session);
 167   gnutls_kx_set_priority (session, kx_prio);
 168
 169   /* put the anonymous credentials to the current session
 170    */
 171   gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
 172   gnutls_credentials_set (session, GNUTLS_CRD_IA, iacred);
 173
 174   /* connect to the peer
 175    */
 176   sd = tcp_connect ();
 177
 178   gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
 179
 180   /* Enable TLS/IA. */
 181   gnutls_ia_set_client_avp_function (iacred, client_avp);
 182
 183   /* Perform the TLS handshake
 184    */
 185   ret = gnutls_handshake (session);
 186
 187   if (ret < 0)
 188     {
 189       fail ("client: Handshake failed\n");
 190       gnutls_perror (ret);
 191       goto end;
 192     }
 193   else
 194     {
 195       success ("client: Handshake was completed\n");
 196     }
 197
 198   /*
 199      To test TLS/IA alert's (the server will print that a fatal alert
 200      was received):
 201      gnutls_alert_send(session, GNUTLS_AL_FATAL,
 202      GNUTLS_A_INNER_APPLICATION_FAILURE);
 203    */
 204
 205   if (!gnutls_ia_handshake_p (session))
 206     fail ("client: No TLS/IA negotiation\n");
 207   else
 208     {
 209       success ("client: TLS/IA handshake\n");
 210
 211       ret = gnutls_ia_handshake (session);
 212
 213       if (ret < 0)
 214         {
 215           fail ("client: TLS/IA handshake failed\n");
 216           gnutls_perror (ret);
 217           goto end;
 218         }
 219       else
 220         {
 221           success ("client: TLS/IA Handshake was completed\n");
 222         }
 223     }
 224
 225   gnutls_record_send (session, MSG, strlen (MSG));
 226
 227   ret = gnutls_record_recv (session, buffer, MAX_BUF);
 228   if (ret == 0)
 229     {
 230       success ("client: Peer has closed the TLS connection\n");
 231       goto end;
 232     }
 233   else if (ret < 0)
 234     {
 235       fail ("client: Error: %s\n", gnutls_strerror (ret));
 236       goto end;
 237     }
 238
 239   if (debug)
 240     {
 241       printf ("- Received %d bytes: ", ret);
 242       for (ii = 0; ii < ret; ii++)
 243         {
 244           fputc (buffer[ii], stdout);
 245         }
 246       fputs ("\n", stdout);
 247     }
 248
 249   gnutls_bye (session, GNUTLS_SHUT_RDWR);
 250
 251 end:
 252
 253   tcp_close (sd);
 254
 255   gnutls_deinit (session);
 256
 257   gnutls_ia_free_client_credentials (iacred);
 258
 259   gnutls_anon_free_client_credentials (anoncred);
 260
 261   gnutls_global_deinit ();
 262 }
 263
 264 /* This is a sample TLS 1.0 echo server, for anonymous authentication only.
 265  */
 266
 267 #define SA struct sockaddr
 268 #define MAX_BUF 1024
 269 #define PORT 5556               /* listen to 5556 port */
 270 #define DH_BITS 1024
 271
 272 /* These are global */
 273 gnutls_anon_server_credentials_t anoncred;
 274 gnutls_ia_server_credentials_t iacred;
 275
 276 gnutls_session_t
 277 initialize_tls_session (void)
 278 {
 279   gnutls_session_t session;
 280   const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
 281
 282   gnutls_init (&session, GNUTLS_SERVER);
 283
 284   /* avoid calling all the priority functions, since the defaults
 285    * are adequate.
 286    */
 287   gnutls_set_default_priority (session);
 288   gnutls_kx_set_priority (session, kx_prio);
 289
 290   gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred);
 291
 292   gnutls_dh_set_prime_bits (session, DH_BITS);
 293
 294   return session;
 295 }
 296
 297 static gnutls_dh_params_t dh_params;
 298
 299 static int
 300 generate_dh_params (void)
 301 {
 302   const gnutls_datum_t p3 = { pkcs3, strlen (pkcs3) };
 303   /* Generate Diffie Hellman parameters - for use with DHE
 304    * kx algorithms. These should be discarded and regenerated
 305    * once a day, once a week or once a month. Depending on the
 306    * security requirements.
 307    */
 308   gnutls_dh_params_init (&dh_params);
 309   return gnutls_dh_params_import_pkcs3 (dh_params, &p3, GNUTLS_X509_FMT_PEM);
 310 }
 311
 312 int err, listen_sd, i;
 313 int sd, ret;
 314 struct sockaddr_in sa_serv;
 315 struct sockaddr_in sa_cli;
 316 socklen_t client_len;
 317 char topbuf[512];
 318 gnutls_session_t session;
 319 char buffer[MAX_BUF + 1];
 320 int optval = 1;
 321
 322 int
 323 server_avp (gnutls_session_t session, void *ptr,
 324             const char *last, size_t lastlen, char **new, size_t * newlen)
 325 {
 326   static int iter = 0;
 327   char *p;
 328
 329   if (last)
 330     printf ("server: received %d bytes AVP: `%.*s'\n",
 331             lastlen, lastlen, last);
 332
 333   gnutls_ia_permute_inner_secret (session, 3, "foo");
 334
 335   switch (iter)
 336     {
 337     case 0:
 338       p = "first server AVP";
 339       break;
 340
 341     case 1:
 342       p = "second server AVP, next will be empty, then a intermediate finish";
 343       break;
 344
 345     case 2:
 346       p = "";
 347       break;
 348
 349     case 3:
 350       p = "1";
 351       break;
 352
 353     case 4:
 354       p = "server avp, after intermediate finish, next another intermediate";
 355       break;
 356
 357     case 5:
 358       p = "1";
 359       break;
 360
 361     case 6:
 362       p = "server avp, next will be the finish phase";
 363       break;
 364
 365     default:
 366       p = "2";
 367       break;
 368     }
 369
 370   iter++;
 371
 372   if (debug)
 373     p = readline ("Server TLS/IA AVP (type '1' to sync, '2' to finish): ");
 374
 375   if (!p)
 376     return -1;
 377
 378   if (strcmp (p, "1") == 0)
 379     {
 380       success ("server: Sending IntermediatePhaseFinished...\n");
 381       return 1;
 382     }
 383
 384   if (strcmp (p, "2") == 0)
 385     {
 386       success ("server: Sending FinalPhaseFinished...\n");
 387       return 2;
 388     }
 389
 390   *new = gnutls_strdup (p);
 391   if (!*new)
 392     return -1;
 393   *newlen = strlen (*new);
 394
 395   printf ("server: sending %d bytes AVP: `%s'\n", *newlen, *new);
 396
 397   return 0;
 398 }
 399
 400 void
 401 server_start (void)
 402 {
 403   /* this must be called once in the program
 404    */
 405   gnutls_global_init ();
 406
 407   gnutls_anon_allocate_server_credentials (&anoncred);
 408   gnutls_ia_allocate_server_credentials (&iacred);
 409
 410   success ("Launched, generating DH parameters...\n");
 411
 412   generate_dh_params ();
 413
 414   gnutls_anon_set_server_dh_params (anoncred, dh_params);
 415
 416   /* Socket operations
 417    */
 418   listen_sd = socket (AF_INET, SOCK_STREAM, 0);
 419   if (err == -1)
 420     {
 421       perror ("socket");
 422       fail ("server: socket failed\n");
 423       return;
 424     }
 425
 426   memset (&sa_serv, '\0', sizeof (sa_serv));
 427   sa_serv.sin_family = AF_INET;
 428   sa_serv.sin_addr.s_addr = INADDR_ANY;
 429   sa_serv.sin_port = htons (PORT);      /* Server Port number */
 430
 431   setsockopt (listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
 432
 433   err = bind (listen_sd, (SA *) & sa_serv, sizeof (sa_serv));
 434   if (err == -1)
 435     {
 436       perror ("bind");
 437       fail ("server: bind failed\n");
 438       return;
 439     }
 440
 441   err = listen (listen_sd, 1024);
 442   if (err == -1)
 443     {
 444       perror ("listen");
 445       fail ("server: listen failed\n");
 446       return;
 447     }
 448
 449   success ("server: ready. Listening to port '%d'\n", PORT);
 450 }
 451
 452 void
 453 server (void)
 454 {
 455   client_len = sizeof (sa_cli);
 456
 457   session = initialize_tls_session ();
 458
 459   sd = accept (listen_sd, (SA *) & sa_cli, &client_len);
 460
 461   success ("server: connection from %s, port %d\n",
 462            inet_ntop (AF_INET, &sa_cli.sin_addr, topbuf,
 463                       sizeof (topbuf)), ntohs (sa_cli.sin_port));
 464
 465   gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sd);
 466
 467   /* Enable TLS/IA. */
 468   gnutls_credentials_set (session, GNUTLS_CRD_IA, iacred);
 469   gnutls_ia_set_server_avp_function (iacred, server_avp);
 470
 471   ret = gnutls_handshake (session);
 472   if (ret < 0)
 473     {
 474       close (sd);
 475       gnutls_deinit (session);
 476       fail ("server: Handshake has failed (%s)\n\n", gnutls_strerror (ret));
 477       return;
 478     }
 479   success ("server: Handshake was completed\n");
 480
 481   if (!gnutls_ia_handshake_p (session))
 482     fail ("server: No TLS/IA negotiation\n");
 483   else
 484     {
 485       success ("server: TLS/IA handshake\n");
 486
 487       ret = gnutls_ia_handshake (session);
 488
 489       if (ret < 0)
 490         {
 491           fail ("server: TLS/IA handshake failed\n");
 492           gnutls_perror (ret);
 493           return;
 494         }
 495       else
 496         {
 497           success ("server: TLS/IA Handshake was completed\n");
 498         }
 499     }
 500
 501   /* see the Getting peer's information example */
 502   /* print_info(session); */
 503
 504   i = 0;
 505   for (;;)
 506     {
 507       bzero (buffer, MAX_BUF + 1);
 508       ret = gnutls_record_recv (session, buffer, MAX_BUF);
 509
 510       if (ret == 0)
 511         {
 512           success ("server: Peer has closed the GNUTLS connection\n");
 513           break;
 514         }
 515       else if (ret < 0)
 516         {
 517           if (ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
 518             {
 519               gnutls_alert_description_t alert;
 520               const char *err;
 521               alert = gnutls_alert_get (session);
 522               err = gnutls_alert_get_name (alert);
 523               if (err)
 524                 printf ("Fatal alert: %s\n", err);
 525             }
 526
 527           fail ("server: Received corrupted data(%d). Closing...\n", ret);
 528           break;
 529         }
 530       else if (ret > 0)
 531         {
 532           /* echo data back to the client
 533            */
 534           gnutls_record_send (session, buffer, strlen (buffer));
 535         }
 536     }
 537   /* do not wait for the peer to close the connection.
 538    */
 539   gnutls_bye (session, GNUTLS_SHUT_WR);
 540
 541   close (sd);
 542   gnutls_deinit (session);
 543
 544   close (listen_sd);
 545
 546   gnutls_ia_free_server_credentials (iacred);
 547
 548   gnutls_anon_free_server_credentials (anoncred);
 549
 550   gnutls_global_deinit ();
 551
 552   success ("server: finished\n");
 553 }
 554
 555 void
 556 doit (void)
 557 {
 558   pid_t child;
 559
 560   server_start ();
 561   if (error_count)
 562     return;
 563
 564   child = fork ();
 565   if (child < 0)
 566     {
 567       perror ("fork");
 568       fail ("fork");
 569       return;
 570     }
 571
 572   if (child)
 573     {
 574       int status;
 575       /* parent */
 576       server ();
 577       wait (&status);
 578     }
 579   else
 580     client ();
 581 }