2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos
5 * This file is part of GnuTLS.
7 * GnuTLS is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuTLS is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
23 /* Work around problem reported in
24 <http://permalink.gmane.org/gmane.comp.lib.gnulib.bugs/15755>.*/
25 #if GETTIMEOFDAY_CLOBBERS_LOCALTIME
34 #include <gnutls/gnutls.h>
35 #include <gnutls/x509.h>
36 #include <gnutls/openpgp.h>
40 #define SU(x) (x!=NULL?x:"Unknown")
44 const char str_unknown
[] = "(unknown)";
46 /* Hex encodes the given data.
49 raw_to_string (const unsigned char *raw
, size_t raw_size
)
51 static char buf
[1024];
56 if (raw_size
* 3 + 1 >= sizeof (buf
))
59 for (i
= 0; i
< raw_size
; i
++)
61 sprintf (&(buf
[i
* 3]), "%02X%s", raw
[i
],
62 (i
== raw_size
- 1) ? "" : ":");
64 buf
[sizeof (buf
) - 1] = '\0';
70 print_x509_info_compact (gnutls_session_t session
)
72 gnutls_x509_crt_t crt
;
73 const gnutls_datum_t
*cert_list
;
74 unsigned int cert_list_size
= 0;
78 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
79 if (cert_list_size
== 0)
81 fprintf (stderr
, "No certificates found!\n");
85 gnutls_x509_crt_init (&crt
);
87 gnutls_x509_crt_import (crt
, &cert_list
[0],
91 fprintf (stderr
, "Decoding error: %s\n",
92 gnutls_strerror (ret
));
97 gnutls_x509_crt_print (crt
, GNUTLS_CRT_PRINT_COMPACT
, &cinfo
);
100 printf ("- X.509 cert: %s\n", cinfo
.data
);
101 gnutls_free (cinfo
.data
);
104 gnutls_x509_crt_deinit (crt
);
108 print_x509_info (gnutls_session_t session
, int flag
, int print_cert
)
110 gnutls_x509_crt_t crt
;
111 const gnutls_datum_t
*cert_list
;
112 unsigned int cert_list_size
= 0, j
;
115 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
116 if (cert_list_size
== 0)
118 fprintf (stderr
, "No certificates found!\n");
122 printf ("- Certificate type: X.509\n");
123 printf ("- Got a certificate list of %d certificates.\n",
126 for (j
= 0; j
< cert_list_size
; j
++)
128 gnutls_datum_t cinfo
;
130 gnutls_x509_crt_init (&crt
);
132 gnutls_x509_crt_import (crt
, &cert_list
[j
],
133 GNUTLS_X509_FMT_DER
);
136 fprintf (stderr
, "Decoding error: %s\n",
137 gnutls_strerror (ret
));
141 printf ("- Certificate[%d] info:\n - ", j
);
144 gnutls_x509_crt_print (crt
, flag
, &cinfo
);
147 printf ("%s\n", cinfo
.data
);
148 gnutls_free (cinfo
.data
);
157 gnutls_x509_crt_export (crt
, GNUTLS_X509_FMT_PEM
, p
,
159 if (ret
== GNUTLS_E_SHORT_MEMORY_BUFFER
)
164 fprintf (stderr
, "gnutls_malloc\n");
169 gnutls_x509_crt_export (crt
, GNUTLS_X509_FMT_PEM
,
174 fprintf (stderr
, "Encoding error: %s\n",
175 gnutls_strerror (ret
));
179 fputs ("\n", stdout
);
181 fputs ("\n", stdout
);
186 gnutls_x509_crt_deinit (crt
);
190 /* returns true or false, depending on whether the hostname
191 * matches to certificate */
193 verify_x509_hostname (gnutls_session_t session
, const char *hostname
)
195 gnutls_x509_crt_t crt
;
196 const gnutls_datum_t
*cert_list
;
197 unsigned int cert_list_size
= 0;
200 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
201 if (cert_list_size
== 0)
203 fprintf (stderr
, "No certificates found!\n");
207 gnutls_x509_crt_init (&crt
);
209 gnutls_x509_crt_import (crt
, &cert_list
[0],
210 GNUTLS_X509_FMT_DER
);
213 fprintf (stderr
, "Decoding error: %s\n",
214 gnutls_strerror (ret
));
218 /* Check the hostname of the first certificate if it matches
219 * the name of the host we connected to.
221 if (gnutls_x509_crt_check_hostname (crt
, hostname
) == 0)
224 ("- The hostname in the certificate does NOT match '%s'\n",
230 printf ("- The hostname in the certificate matches '%s'.\n",
235 gnutls_x509_crt_deinit (crt
);
240 #ifdef ENABLE_OPENPGP
241 /* returns true or false, depending on whether the hostname
242 * matches to certificate */
244 verify_openpgp_hostname (gnutls_session_t session
, const char *hostname
)
246 gnutls_openpgp_crt_t crt
;
247 const gnutls_datum_t
*cert_list
;
248 unsigned int cert_list_size
= 0;
251 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
252 if (cert_list_size
== 0)
254 fprintf (stderr
, "No certificates found!\n");
258 gnutls_openpgp_crt_init (&crt
);
260 gnutls_openpgp_crt_import (crt
, &cert_list
[0],
261 GNUTLS_OPENPGP_FMT_RAW
);
264 fprintf (stderr
, "Decoding error: %s\n",
265 gnutls_strerror (ret
));
269 /* Check the hostname of the first certificate if it matches
270 * the name of the host we connected to.
272 if (gnutls_openpgp_crt_check_hostname (crt
, hostname
) == 0)
275 ("- The hostname in the certificate does NOT match '%s'\n",
281 printf ("- The hostname in the certificate matches '%s'.\n",
286 gnutls_openpgp_crt_deinit (crt
);
292 print_openpgp_info_compact (gnutls_session_t session
)
295 gnutls_openpgp_crt_t crt
;
296 const gnutls_datum_t
*cert_list
;
297 unsigned int cert_list_size
= 0;
300 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
302 if (cert_list_size
> 0)
304 gnutls_datum_t cinfo
;
306 gnutls_openpgp_crt_init (&crt
);
307 ret
= gnutls_openpgp_crt_import (crt
, &cert_list
[0],
308 GNUTLS_OPENPGP_FMT_RAW
);
311 fprintf (stderr
, "Decoding error: %s\n",
312 gnutls_strerror (ret
));
317 gnutls_openpgp_crt_print (crt
, GNUTLS_CRT_PRINT_COMPACT
, &cinfo
);
320 printf ("- OpenPGP cert: %s\n", cinfo
.data
);
321 gnutls_free (cinfo
.data
);
324 gnutls_openpgp_crt_deinit (crt
);
329 print_openpgp_info (gnutls_session_t session
, int flag
, int print_cert
)
332 gnutls_openpgp_crt_t crt
;
333 const gnutls_datum_t
*cert_list
;
334 unsigned int cert_list_size
= 0;
337 printf ("- Certificate type: OpenPGP\n");
339 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
341 if (cert_list_size
> 0)
343 gnutls_datum_t cinfo
;
345 gnutls_openpgp_crt_init (&crt
);
346 ret
= gnutls_openpgp_crt_import (crt
, &cert_list
[0],
347 GNUTLS_OPENPGP_FMT_RAW
);
350 fprintf (stderr
, "Decoding error: %s\n",
351 gnutls_strerror (ret
));
356 gnutls_openpgp_crt_print (crt
, flag
, &cinfo
);
359 printf ("- %s\n", cinfo
.data
);
360 gnutls_free (cinfo
.data
);
369 gnutls_openpgp_crt_export (crt
,
370 GNUTLS_OPENPGP_FMT_BASE64
,
372 if (ret
== GNUTLS_E_SHORT_MEMORY_BUFFER
)
377 fprintf (stderr
, "gnutls_malloc\n");
382 gnutls_openpgp_crt_export (crt
,
383 GNUTLS_OPENPGP_FMT_BASE64
,
388 fprintf (stderr
, "Encoding error: %s\n",
389 gnutls_strerror (ret
));
394 fputs ("\n", stdout
);
399 gnutls_openpgp_crt_deinit (crt
);
405 /* returns false (0) if not verified, or true (1) otherwise
408 cert_verify (gnutls_session_t session
, const char* hostname
)
411 unsigned int status
= 0;
414 rc
= gnutls_certificate_verify_peers2 (session
, &status
);
415 if (rc
== GNUTLS_E_NO_CERTIFICATE_FOUND
)
417 printf ("- Peer did not send any certificate.\n");
423 printf ("- Could not verify certificate (err: %s)\n",
424 gnutls_strerror (rc
));
428 type
= gnutls_certificate_type_get (session
);
429 if (type
== GNUTLS_CRT_X509
)
432 if (status
& GNUTLS_CERT_REVOKED
)
433 printf ("- Peer's certificate chain revoked\n");
434 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
435 printf ("- Peer's certificate issuer is unknown\n");
436 if (status
& GNUTLS_CERT_SIGNER_NOT_CA
)
437 printf ("- Peer's certificate issuer is not a CA\n");
438 if (status
& GNUTLS_CERT_INSECURE_ALGORITHM
)
440 ("- Peer's certificate chain uses insecure algorithm\n");
441 if (status
& GNUTLS_CERT_NOT_ACTIVATED
)
443 ("- Peer's certificate chain uses not yet valid certificate\n");
444 if (status
& GNUTLS_CERT_EXPIRED
)
446 ("- Peer's certificate chain uses expired certificate\n");
447 if (status
& GNUTLS_CERT_INVALID
)
448 printf ("- Peer's certificate is NOT trusted\n");
450 printf ("- Peer's certificate is trusted\n");
452 rc
= verify_x509_hostname (session
, hostname
);
453 if (rc
== 0) status
|= GNUTLS_CERT_INVALID
;
455 else if (type
== GNUTLS_CRT_OPENPGP
)
457 if (status
& GNUTLS_CERT_INVALID
)
458 printf ("- Peer's key is invalid\n");
460 printf ("- Peer's key is valid\n");
461 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
462 printf ("- Could not find a signer of the peer's key\n");
464 rc
= verify_openpgp_hostname (session
, hostname
);
465 if (rc
== 0) status
|= GNUTLS_CERT_INVALID
;
469 fprintf(stderr
, "Unknown certificate type\n");
470 status
|= GNUTLS_CERT_INVALID
;
480 print_dh_info (gnutls_session_t session
, const char *str
, int print
)
482 printf ("- %sDiffie-Hellman parameters\n", str
);
483 printf (" - Using prime: %d bits\n",
484 gnutls_dh_get_prime_bits (session
));
485 printf (" - Secret key: %d bits\n",
486 gnutls_dh_get_secret_bits (session
));
487 printf (" - Peer's public key: %d bits\n",
488 gnutls_dh_get_peers_public_bits (session
));
493 gnutls_datum_t raw_gen
= { NULL
, 0 };
494 gnutls_datum_t raw_prime
= { NULL
, 0 };
495 gnutls_dh_params_t dh_params
= NULL
;
496 unsigned char *params_data
= NULL
;
497 size_t params_data_size
= 0;
499 ret
= gnutls_dh_get_group (session
, &raw_gen
, &raw_prime
);
502 fprintf (stderr
, "gnutls_dh_get_group %d\n", ret
);
506 ret
= gnutls_dh_params_init (&dh_params
);
509 fprintf (stderr
, "gnutls_dh_params_init %d\n", ret
);
514 gnutls_dh_params_import_raw (dh_params
, &raw_prime
,
518 fprintf (stderr
, "gnutls_dh_params_import_raw %d\n", ret
);
522 ret
= gnutls_dh_params_export_pkcs3 (dh_params
,
526 if (ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
528 fprintf (stderr
, "gnutls_dh_params_export_pkcs3 %d\n",
533 params_data
= gnutls_malloc (params_data_size
);
536 fprintf (stderr
, "gnutls_malloc %d\n", ret
);
540 ret
= gnutls_dh_params_export_pkcs3 (dh_params
,
546 fprintf (stderr
, "gnutls_dh_params_export_pkcs3-2 %d\n",
551 printf (" - PKCS#3 format:\n\n%.*s\n", (int) params_data_size
,
555 gnutls_free (params_data
);
556 gnutls_free (raw_prime
.data
);
557 gnutls_free (raw_gen
.data
);
558 gnutls_dh_params_deinit (dh_params
);
563 print_ecdh_info (gnutls_session_t session
, const char *str
)
567 printf ("- %sEC Diffie-Hellman parameters\n", str
);
569 curve
= gnutls_ecc_curve_get (session
);
571 printf (" - Using curve: %s\n", gnutls_ecc_curve_get_name (curve
));
572 printf (" - Curve size: %d bits\n",
573 gnutls_ecc_curve_get_size (curve
) * 8);
578 print_info (gnutls_session_t session
, int print_cert
)
581 gnutls_credentials_type_t cred
;
582 gnutls_kx_algorithm_t kx
;
583 unsigned char session_id
[33];
584 size_t session_id_size
= sizeof (session_id
);
586 /* print session ID */
587 gnutls_session_get_id (session
, session_id
, &session_id_size
);
588 printf ("- Session ID: %s\n",
589 raw_to_string (session_id
, session_id_size
));
591 /* print the key exchange's algorithm name
593 kx
= gnutls_kx_get (session
);
595 cred
= gnutls_auth_get_type (session
);
599 case GNUTLS_CRD_ANON
:
600 if (kx
== GNUTLS_KX_ANON_ECDH
)
601 print_ecdh_info (session
, "Anonymous ");
603 print_dh_info (session
, "Anonymous ", verbose
);
608 /* This should be only called in server
611 if (gnutls_srp_server_get_username (session
) != NULL
)
612 printf ("- SRP authentication. Connected as '%s'\n",
613 gnutls_srp_server_get_username (session
));
618 /* This returns NULL in server side.
620 if (gnutls_psk_client_get_hint (session
) != NULL
)
621 printf ("- PSK authentication. PSK hint '%s'\n",
622 gnutls_psk_client_get_hint (session
));
623 /* This returns NULL in client side.
625 if (gnutls_psk_server_get_username (session
) != NULL
)
626 printf ("- PSK authentication. Connected as '%s'\n",
627 gnutls_psk_server_get_username (session
));
628 if (kx
== GNUTLS_KX_DHE_PSK
)
629 print_dh_info (session
, "Ephemeral ", verbose
);
630 if (kx
== GNUTLS_KX_ECDHE_PSK
)
631 print_ecdh_info (session
, "Ephemeral ");
635 printf ("- TLS/IA authentication\n");
637 case GNUTLS_CRD_CERTIFICATE
:
640 size_t dns_size
= sizeof (dns
);
643 /* This fails in client side */
644 if (gnutls_server_name_get
645 (session
, dns
, &dns_size
, &type
, 0) == 0)
647 printf ("- Given server name[%d]: %s\n", type
, dns
);
651 print_cert_info (session
,
652 verbose
?GNUTLS_CRT_PRINT_FULL
:GNUTLS_CRT_PRINT_COMPACT
,
655 if (kx
== GNUTLS_KX_DHE_RSA
|| kx
== GNUTLS_KX_DHE_DSS
)
656 print_dh_info (session
, "Ephemeral ", verbose
);
657 else if (kx
== GNUTLS_KX_ECDHE_RSA
658 || kx
== GNUTLS_KX_ECDHE_ECDSA
)
659 print_ecdh_info (session
, "Ephemeral ");
663 SU (gnutls_protocol_get_name
664 (gnutls_protocol_get_version (session
)));
665 printf ("- Version: %s\n", tmp
);
667 tmp
= SU (gnutls_kx_get_name (kx
));
668 printf ("- Key Exchange: %s\n", tmp
);
670 tmp
= SU (gnutls_cipher_get_name (gnutls_cipher_get (session
)));
671 printf ("- Cipher: %s\n", tmp
);
673 tmp
= SU (gnutls_mac_get_name (gnutls_mac_get (session
)));
674 printf ("- MAC: %s\n", tmp
);
677 SU (gnutls_compression_get_name
678 (gnutls_compression_get (session
)));
679 printf ("- Compression: %s\n", tmp
);
686 rc
= gnutls_session_channel_binding (session
,
687 GNUTLS_CB_TLS_UNIQUE
, &cb
);
689 fprintf (stderr
, "Channel binding error: %s\n",
690 gnutls_strerror (rc
));
695 printf ("- Channel binding 'tls-unique': ");
696 for (i
= 0; i
< cb
.size
; i
++)
697 printf ("%02x", cb
.data
[i
]);
702 /* Warning: Do not print anything more here. The 'Compression:'
703 output MUST be the last non-verbose output. This is used by
704 Emacs starttls.el code. */
712 print_cert_info (gnutls_session_t session
, int flag
, int print_cert
)
715 if (gnutls_certificate_client_get_request_status (session
) != 0)
716 printf ("- Server has requested a certificate.\n");
718 switch (gnutls_certificate_type_get (session
))
720 case GNUTLS_CRT_X509
:
721 print_x509_info (session
, flag
, print_cert
);
723 #ifdef ENABLE_OPENPGP
724 case GNUTLS_CRT_OPENPGP
:
725 print_openpgp_info (session
, flag
, print_cert
);
729 printf ("Unknown type\n");
735 print_cert_info_compact (gnutls_session_t session
)
738 if (gnutls_certificate_client_get_request_status (session
) != 0)
739 printf ("- Server has requested a certificate.\n");
741 switch (gnutls_certificate_type_get (session
))
743 case GNUTLS_CRT_X509
:
744 print_x509_info_compact (session
);
746 #ifdef ENABLE_OPENPGP
747 case GNUTLS_CRT_OPENPGP
:
748 print_openpgp_info_compact (session
);
752 printf ("Unknown type\n");
758 print_list (const char *priorities
, int verbose
)
766 gnutls_kx_algorithm_t kx
;
767 gnutls_cipher_algorithm_t cipher
;
768 gnutls_mac_algorithm_t mac
;
769 gnutls_protocol_t version
;
770 gnutls_priority_t pcache
;
771 const unsigned int *list
;
773 if (priorities
!= NULL
)
775 printf ("Cipher suites for %s\n", priorities
);
777 ret
= gnutls_priority_init (&pcache
, priorities
, &err
);
780 fprintf (stderr
, "Syntax error at: %s\n", err
);
787 gnutls_priority_get_cipher_suite_index (pcache
, i
,
789 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
791 if (ret
== GNUTLS_E_UNKNOWN_CIPHER_SUITE
)
795 gnutls_cipher_suite_info (idx
, id
, NULL
, NULL
, NULL
,
799 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
800 name
, (unsigned char) id
[0],
801 (unsigned char) id
[1],
802 gnutls_protocol_get_name (version
));
807 ret
= gnutls_priority_certificate_type_list (pcache
, &list
);
809 printf ("Certificate types: ");
810 if (ret
== 0) printf("none\n");
811 for (i
= 0; i
< (unsigned)ret
; i
++)
814 gnutls_certificate_type_get_name (list
[i
]));
815 if (i
+1!=(unsigned)ret
)
823 ret
= gnutls_priority_protocol_list (pcache
, &list
);
825 printf ("Protocols: ");
826 if (ret
== 0) printf("none\n");
827 for (i
= 0; i
< (unsigned)ret
; i
++)
829 printf ("VERS-%s", gnutls_protocol_get_name (list
[i
]));
830 if (i
+1!=(unsigned)ret
)
838 ret
= gnutls_priority_compression_list (pcache
, &list
);
840 printf ("Compression: ");
841 if (ret
== 0) printf("none\n");
842 for (i
= 0; i
< (unsigned)ret
; i
++)
845 gnutls_compression_get_name (list
[i
]));
846 if (i
+1!=(unsigned)ret
)
854 ret
= gnutls_priority_ecc_curve_list (pcache
, &list
);
856 printf ("Elliptic curves: ");
857 if (ret
== 0) printf("none\n");
858 for (i
= 0; i
< (unsigned)ret
; i
++)
861 gnutls_ecc_curve_get_name (list
[i
]));
862 if (i
+1!=(unsigned)ret
)
870 ret
= gnutls_priority_sign_list (pcache
, &list
);
872 printf ("PK-signatures: ");
873 if (ret
== 0) printf("none\n");
874 for (i
= 0; i
< (unsigned)ret
; i
++)
877 gnutls_sign_algorithm_get_name (list
[i
]));
878 if (i
+1!=(unsigned)ret
)
888 printf ("Cipher suites:\n");
889 for (i
= 0; (name
= gnutls_cipher_suite_info
890 (i
, id
, &kx
, &cipher
, &mac
, &version
)); i
++)
892 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
894 (unsigned char) id
[0], (unsigned char) id
[1],
895 gnutls_protocol_get_name (version
));
897 printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
898 gnutls_kx_get_name (kx
),
899 gnutls_cipher_get_name (cipher
),
900 gnutls_mac_get_name (mac
));
905 const gnutls_certificate_type_t
*p
=
906 gnutls_certificate_type_list ();
908 printf ("Certificate types: ");
911 printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p
));
920 const gnutls_protocol_t
*p
= gnutls_protocol_list ();
922 printf ("Protocols: ");
925 printf ("VERS-%s", gnutls_protocol_get_name (*p
));
934 const gnutls_cipher_algorithm_t
*p
= gnutls_cipher_list ();
936 printf ("Ciphers: ");
939 printf ("%s", gnutls_cipher_get_name (*p
));
948 const gnutls_mac_algorithm_t
*p
= gnutls_mac_list ();
953 printf ("%s", gnutls_mac_get_name (*p
));
962 const gnutls_kx_algorithm_t
*p
= gnutls_kx_list ();
964 printf ("Key exchange algorithms: ");
967 printf ("%s", gnutls_kx_get_name (*p
));
976 const gnutls_compression_method_t
*p
= gnutls_compression_list ();
978 printf ("Compression: ");
981 printf ("COMP-%s", gnutls_compression_get_name (*p
));
990 const gnutls_ecc_curve_t
*p
= gnutls_ecc_curve_list ();
992 printf ("Elliptic curves: ");
995 printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p
));
1004 const gnutls_pk_algorithm_t
*p
= gnutls_pk_list ();
1006 printf ("Public Key Systems: ");
1009 printf ("%s", gnutls_pk_algorithm_get_name (*p
));
1018 const gnutls_sign_algorithm_t
*p
= gnutls_sign_list ();
1020 printf ("PK-signatures: ");
1023 printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p
));