search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Increased maximum password len in PKCS #12.
[gnutls.git] / src / common.c
blob75048c621c6464c0d3df9551f3f2184763c0a1c0
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos
4 *
5 * This file is part of GnuTLS.
6 *
7 * GnuTLS is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuTLS is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22
23 /* Work around problem reported in
24 <http://permalink.gmane.org/gmane.comp.lib.gnulib.bugs/15755>.*/
25 #if GETTIMEOFDAY_CLOBBERS_LOCALTIME
26 #undef localtime
27 #endif
28
29 #include <getpass.h>
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <gnutls/gnutls.h>
35 #include <gnutls/x509.h>
36 #include <gnutls/openpgp.h>
37 #include <gnutls/crypto.h>
38 #include <time.h>
39 #include <common.h>
40
41 #ifdef ENABLE_PKCS11
42 # include <gnutls/pkcs11.h>
43 #endif
44
45 #define SU(x) (x!=NULL?x:"Unknown")
46
47 const char str_unknown[] = "(unknown)";
48
49 /* Hex encodes the given data.
50 */
51 const char *
52 raw_to_string (const unsigned char *raw, size_t raw_size)
53 {
54 static char buf[1024];
55 size_t i;
56 if (raw_size == 0)
57 return "(empty)";
58
59 if (raw_size * 3 + 1 >= sizeof (buf))
60 return "(too large)";
61
62 for (i = 0; i < raw_size; i++)
63 {
64 sprintf (&(buf[i * 3]), "%02X%s", raw[i],
65 (i == raw_size - 1) ? "" : ":");
66 }
67 buf[sizeof (buf) - 1] = '\0';
68
69 return buf;
70 }
71
72 static void
73 print_x509_info_compact (gnutls_session_t session)
74 {
75 gnutls_x509_crt_t crt;
76 const gnutls_datum_t *cert_list;
77 unsigned int cert_list_size = 0;
78 int ret;
79 gnutls_datum_t cinfo;
80
81 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
82 if (cert_list_size == 0)
83 {
84 fprintf (stderr, "No certificates found!\n");
85 return;
86 }
87
88 gnutls_x509_crt_init (&crt);
89 ret =
90 gnutls_x509_crt_import (crt, &cert_list[0],
91 GNUTLS_X509_FMT_DER);
92 if (ret < 0)
93 {
94 fprintf (stderr, "Decoding error: %s\n",
95 gnutls_strerror (ret));
96 return;
97 }
98
99 ret =
100 gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
101 if (ret == 0)
102 {
103 printf ("- X.509 cert: %s\n", cinfo.data);
104 gnutls_free (cinfo.data);
105 }
106
107 gnutls_x509_crt_deinit (crt);
108 }
109
110 static void
111 print_x509_info (gnutls_session_t session, int flag, int print_cert)
112 {
113 gnutls_x509_crt_t crt;
114 const gnutls_datum_t *cert_list;
115 unsigned int cert_list_size = 0, j;
116 int ret;
117
118 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
119 if (cert_list_size == 0)
120 {
121 fprintf (stderr, "No certificates found!\n");
122 return;
123 }
124
125 printf ("- Certificate type: X.509\n");
126 printf ("- Got a certificate list of %d certificates.\n",
127 cert_list_size);
128
129 for (j = 0; j < cert_list_size; j++)
130 {
131 gnutls_datum_t cinfo;
132
133 gnutls_x509_crt_init (&crt);
134 ret =
135 gnutls_x509_crt_import (crt, &cert_list[j],
136 GNUTLS_X509_FMT_DER);
137 if (ret < 0)
138 {
139 fprintf (stderr, "Decoding error: %s\n",
140 gnutls_strerror (ret));
141 return;
142 }
143
144 printf ("- Certificate[%d] info:\n - ", j);
145 if (flag == GNUTLS_CRT_PRINT_COMPACT && j > 0) flag = GNUTLS_CRT_PRINT_ONELINE;
146
147 ret =
148 gnutls_x509_crt_print (crt, flag, &cinfo);
149 if (ret == 0)
150 {
151 printf ("%s\n", cinfo.data);
152 gnutls_free (cinfo.data);
153 }
154
155 if (print_cert)
156 {
157 size_t size = 0;
158 char *p = NULL;
159
160 ret =
161 gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p,
162 &size);
163 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
164 {
165 p = malloc (size+1);
166 if (!p)
167 {
168 fprintf (stderr, "gnutls_malloc\n");
169 exit (1);
170 }
171
172 ret =
173 gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM,
174 p, &size);
175 }
176 if (ret < 0)
177 {
178 fprintf (stderr, "Encoding error: %s\n",
179 gnutls_strerror (ret));
180 return;
181 }
182
183 p[size] = 0;
184 fputs ("\n", stdout);
185 fputs (p, stdout);
186 fputs ("\n", stdout);
187
188 gnutls_free (p);
189 }
190
191 gnutls_x509_crt_deinit (crt);
192 }
193 }
194
195 /* returns true or false, depending on whether the hostname
196 * matches to certificate */
197 static int
198 verify_x509_hostname (gnutls_session_t session, const char *hostname)
199 {
200 gnutls_x509_crt_t crt;
201 const gnutls_datum_t *cert_list;
202 unsigned int cert_list_size = 0;
203 int ret;
204
205 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
206 if (cert_list_size == 0)
207 {
208 fprintf (stderr, "No certificates found!\n");
209 return 0;
210 }
211
212 gnutls_x509_crt_init (&crt);
213 ret =
214 gnutls_x509_crt_import (crt, &cert_list[0],
215 GNUTLS_X509_FMT_DER);
216 if (ret < 0)
217 {
218 fprintf (stderr, "Decoding error: %s\n",
219 gnutls_strerror (ret));
220 return 0;
221 }
222
223 /* Check the hostname of the first certificate if it matches
224 * the name of the host we connected to.
225 */
226 if (hostname != NULL)
227 {
228 if (gnutls_x509_crt_check_hostname (crt, hostname) == 0)
229 {
230 printf
231 ("- The hostname in the certificate does NOT match '%s'\n",
232 hostname);
233 ret = 0;
234 }
235 else
236 {
237 printf ("- The hostname in the certificate matches '%s'.\n",
238 hostname);
239 ret = 1;
240 }
241 }
242
243 gnutls_x509_crt_deinit (crt);
244
245 return ret;
246 }
247
248 #ifdef ENABLE_OPENPGP
249 /* returns true or false, depending on whether the hostname
250 * matches to certificate */
251 static int
252 verify_openpgp_hostname (gnutls_session_t session, const char *hostname)
253 {
254 gnutls_openpgp_crt_t crt;
255 const gnutls_datum_t *cert_list;
256 unsigned int cert_list_size = 0;
257 int ret;
258
259 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
260 if (cert_list_size == 0)
261 {
262 fprintf (stderr, "No certificates found!\n");
263 return 0;
264 }
265
266 gnutls_openpgp_crt_init (&crt);
267 ret =
268 gnutls_openpgp_crt_import (crt, &cert_list[0],
269 GNUTLS_OPENPGP_FMT_RAW);
270 if (ret < 0)
271 {
272 fprintf (stderr, "Decoding error: %s\n",
273 gnutls_strerror (ret));
274 return 0;
275 }
276
277 /* Check the hostname of the first certificate if it matches
278 * the name of the host we connected to.
279 */
280 if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
281 {
282 printf
283 ("- The hostname in the certificate does NOT match '%s'\n",
284 hostname);
285 ret = 0;
286 }
287 else
288 {
289 printf ("- The hostname in the certificate matches '%s'.\n",
290 hostname);
291 ret = 1;
292 }
293
294 gnutls_openpgp_crt_deinit (crt);
295
296 return ret;
297 }
298
299 static void
300 print_openpgp_info_compact (gnutls_session_t session)
301 {
302
303 gnutls_openpgp_crt_t crt;
304 const gnutls_datum_t *cert_list;
305 unsigned int cert_list_size = 0;
306 int ret;
307
308 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
309
310 if (cert_list_size > 0)
311 {
312 gnutls_datum_t cinfo;
313
314 gnutls_openpgp_crt_init (&crt);
315 ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
316 GNUTLS_OPENPGP_FMT_RAW);
317 if (ret < 0)
318 {
319 fprintf (stderr, "Decoding error: %s\n",
320 gnutls_strerror (ret));
321 return;
322 }
323
324 ret =
325 gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
326 if (ret == 0)
327 {
328 printf ("- OpenPGP cert: %s\n", cinfo.data);
329 gnutls_free (cinfo.data);
330 }
331
332 gnutls_openpgp_crt_deinit (crt);
333 }
334 }
335
336 static void
337 print_openpgp_info (gnutls_session_t session, int flag, int print_cert)
338 {
339
340 gnutls_openpgp_crt_t crt;
341 const gnutls_datum_t *cert_list;
342 unsigned int cert_list_size = 0;
343 int ret;
344
345 printf ("- Certificate type: OpenPGP\n");
346
347 cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
348
349 if (cert_list_size > 0)
350 {
351 gnutls_datum_t cinfo;
352
353 gnutls_openpgp_crt_init (&crt);
354 ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
355 GNUTLS_OPENPGP_FMT_RAW);
356 if (ret < 0)
357 {
358 fprintf (stderr, "Decoding error: %s\n",
359 gnutls_strerror (ret));
360 return;
361 }
362
363 ret =
364 gnutls_openpgp_crt_print (crt, flag, &cinfo);
365 if (ret == 0)
366 {
367 printf ("- %s\n", cinfo.data);
368 gnutls_free (cinfo.data);
369 }
370
371 if (print_cert)
372 {
373 size_t size = 0;
374 char *p = NULL;
375
376 ret =
377 gnutls_openpgp_crt_export (crt,
378 GNUTLS_OPENPGP_FMT_BASE64,
379 p, &size);
380 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
381 {
382 p = malloc (size);
383 if (!p)
384 {
385 fprintf (stderr, "gnutls_malloc\n");
386 exit (1);
387 }
388
389 ret =
390 gnutls_openpgp_crt_export (crt,
391 GNUTLS_OPENPGP_FMT_BASE64,
392 p, &size);
393 }
394 if (ret < 0)
395 {
396 fprintf (stderr, "Encoding error: %s\n",
397 gnutls_strerror (ret));
398 return;
399 }
400
401 fputs (p, stdout);
402 fputs ("\n", stdout);
403
404 gnutls_free (p);
405 }
406
407 gnutls_openpgp_crt_deinit (crt);
408 }
409 }
410
411 #endif
412
413 /* returns false (0) if not verified, or true (1) otherwise
414 */
415 int
416 cert_verify (gnutls_session_t session, const char* hostname)
417 {
418 int rc;
419 unsigned int status = 0;
420 int type;
421
422 rc = gnutls_certificate_verify_peers2 (session, &status);
423 if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
424 {
425 printf ("- Peer did not send any certificate.\n");
426 return 0;
427 }
428
429 if (rc < 0)
430 {
431 printf ("- Could not verify certificate (err: %s)\n",
432 gnutls_strerror (rc));
433 return 0;
434 }
435
436 type = gnutls_certificate_type_get (session);
437 if (type == GNUTLS_CRT_X509)
438 {
439
440 if (status & GNUTLS_CERT_REVOKED)
441 printf ("- Peer's certificate chain revoked\n");
442 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
443 printf ("- Peer's certificate issuer is unknown\n");
444 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
445 printf ("- Peer's certificate issuer is not a CA\n");
446 if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
447 printf
448 ("- Peer's certificate chain uses insecure algorithm\n");
449 if (status & GNUTLS_CERT_NOT_ACTIVATED)
450 printf
451 ("- Peer's certificate chain uses not yet valid certificate\n");
452 if (status & GNUTLS_CERT_EXPIRED)
453 printf
454 ("- Peer's certificate chain uses expired certificate\n");
455 if (status & GNUTLS_CERT_INVALID)
456 printf ("- Peer's certificate is NOT trusted\n");
457 else
458 printf ("- Peer's certificate is trusted\n");
459
460 rc = verify_x509_hostname (session, hostname);
461 if (rc == 0) status |= GNUTLS_CERT_INVALID;
462 }
463 else if (type == GNUTLS_CRT_OPENPGP)
464 {
465 if (status & GNUTLS_CERT_INVALID)
466 printf ("- Peer's key is invalid\n");
467 else
468 printf ("- Peer's key is valid\n");
469 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
470 printf ("- Could not find a signer of the peer's key\n");
471
472 rc = verify_openpgp_hostname (session, hostname);
473 if (rc == 0) status |= GNUTLS_CERT_INVALID;
474 }
475 else
476 {
477 fprintf(stderr, "Unknown certificate type\n");
478 status |= GNUTLS_CERT_INVALID;
479 }
480
481 if (status)
482 return 0;
483
484 return 1;
485 }
486
487 static void
488 print_dh_info (gnutls_session_t session, const char *str, int print)
489 {
490 printf ("- %sDiffie-Hellman parameters\n", str);
491 printf (" - Using prime: %d bits\n",
492 gnutls_dh_get_prime_bits (session));
493 printf (" - Secret key: %d bits\n",
494 gnutls_dh_get_secret_bits (session));
495 printf (" - Peer's public key: %d bits\n",
496 gnutls_dh_get_peers_public_bits (session));
497
498 if (print)
499 {
500 int ret;
501 gnutls_datum_t raw_gen = { NULL, 0 };
502 gnutls_datum_t raw_prime = { NULL, 0 };
503 gnutls_dh_params_t dh_params = NULL;
504 unsigned char *params_data = NULL;
505 size_t params_data_size = 0;
506
507 ret = gnutls_dh_get_group (session, &raw_gen, &raw_prime);
508 if (ret)
509 {
510 fprintf (stderr, "gnutls_dh_get_group %d\n", ret);
511 goto out;
512 }
513
514 ret = gnutls_dh_params_init (&dh_params);
515 if (ret)
516 {
517 fprintf (stderr, "gnutls_dh_params_init %d\n", ret);
518 goto out;
519 }
520
521 ret =
522 gnutls_dh_params_import_raw (dh_params, &raw_prime,
523 &raw_gen);
524 if (ret)
525 {
526 fprintf (stderr, "gnutls_dh_params_import_raw %d\n", ret);
527 goto out;
528 }
529
530 ret = gnutls_dh_params_export_pkcs3 (dh_params,
531 GNUTLS_X509_FMT_PEM,
532 params_data,
533 &params_data_size);
534 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
535 {
536 fprintf (stderr, "gnutls_dh_params_export_pkcs3 %d\n",
537 ret);
538 goto out;
539 }
540
541 params_data = gnutls_malloc (params_data_size);
542 if (!params_data)
543 {
544 fprintf (stderr, "gnutls_malloc %d\n", ret);
545 goto out;
546 }
547
548 ret = gnutls_dh_params_export_pkcs3 (dh_params,
549 GNUTLS_X509_FMT_PEM,
550 params_data,
551 &params_data_size);
552 if (ret)
553 {
554 fprintf (stderr, "gnutls_dh_params_export_pkcs3-2 %d\n",
555 ret);
556 goto out;
557 }
558
559 printf (" - PKCS#3 format:\n\n%.*s\n", (int) params_data_size,
560 params_data);
561
562 out:
563 gnutls_free (params_data);
564 gnutls_free (raw_prime.data);
565 gnutls_free (raw_gen.data);
566 gnutls_dh_params_deinit (dh_params);
567 }
568 }
569
570 static void
571 print_ecdh_info (gnutls_session_t session, const char *str)
572 {
573 int curve;
574
575 printf ("- %sEC Diffie-Hellman parameters\n", str);
576
577 curve = gnutls_ecc_curve_get (session);
578
579 printf (" - Using curve: %s\n", gnutls_ecc_curve_get_name (curve));
580 printf (" - Curve size: %d bits\n",
581 gnutls_ecc_curve_get_size (curve) * 8);
582
583 }
584
585 int
586 print_info (gnutls_session_t session, int verbose, int print_cert)
587 {
588 const char *tmp;
589 gnutls_credentials_type_t cred;
590 gnutls_kx_algorithm_t kx;
591 unsigned char session_id[33];
592 size_t session_id_size = sizeof (session_id);
593
594 /* print session ID */
595 gnutls_session_get_id (session, session_id, &session_id_size);
596 printf ("- Session ID: %s\n",
597 raw_to_string (session_id, session_id_size));
598
599 /* print the key exchange's algorithm name
600 */
601 kx = gnutls_kx_get (session);
602
603 cred = gnutls_auth_get_type (session);
604 switch (cred)
605 {
606 #ifdef ENABLE_ANON
607 case GNUTLS_CRD_ANON:
608 if (kx == GNUTLS_KX_ANON_ECDH)
609 print_ecdh_info (session, "Anonymous ");
610 else
611 print_dh_info (session, "Anonymous ", verbose);
612 break;
613 #endif
614 #ifdef ENABLE_SRP
615 case GNUTLS_CRD_SRP:
616 /* This should be only called in server
617 * side.
618 */
619 if (gnutls_srp_server_get_username (session) != NULL)
620 printf ("- SRP authentication. Connected as '%s'\n",
621 gnutls_srp_server_get_username (session));
622 break;
623 #endif
624 #ifdef ENABLE_PSK
625 case GNUTLS_CRD_PSK:
626 /* This returns NULL in server side.
627 */
628 if (gnutls_psk_client_get_hint (session) != NULL)
629 printf ("- PSK authentication. PSK hint '%s'\n",
630 gnutls_psk_client_get_hint (session));
631 /* This returns NULL in client side.
632 */
633 if (gnutls_psk_server_get_username (session) != NULL)
634 printf ("- PSK authentication. Connected as '%s'\n",
635 gnutls_psk_server_get_username (session));
636 if (kx == GNUTLS_KX_DHE_PSK)
637 print_dh_info (session, "Ephemeral ", verbose);
638 if (kx == GNUTLS_KX_ECDHE_PSK)
639 print_ecdh_info (session, "Ephemeral ");
640 break;
641 #endif
642 case GNUTLS_CRD_IA:
643 printf ("- TLS/IA authentication\n");
644 break;
645 case GNUTLS_CRD_CERTIFICATE:
646 {
647 char dns[256];
648 size_t dns_size = sizeof (dns);
649 unsigned int type;
650
651 /* This fails in client side */
652 if (gnutls_server_name_get
653 (session, dns, &dns_size, &type, 0) == 0)
654 {
655 printf ("- Given server name[%d]: %s\n", type, dns);
656 }
657 }
658
659 if (print_cert)
660 print_cert_info (session, verbose, print_cert);
661
662 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
663 print_dh_info (session, "Ephemeral ", verbose);
664 else if (kx == GNUTLS_KX_ECDHE_RSA
665 || kx == GNUTLS_KX_ECDHE_ECDSA)
666 print_ecdh_info (session, "Ephemeral ");
667 }
668
669 tmp =
670 SU (gnutls_protocol_get_name
671 (gnutls_protocol_get_version (session)));
672 printf ("- Version: %s\n", tmp);
673
674 tmp = SU (gnutls_kx_get_name (kx));
675 printf ("- Key Exchange: %s\n", tmp);
676
677 tmp = SU (gnutls_cipher_get_name (gnutls_cipher_get (session)));
678 printf ("- Cipher: %s\n", tmp);
679
680 tmp = SU (gnutls_mac_get_name (gnutls_mac_get (session)));
681 printf ("- MAC: %s\n", tmp);
682
683 tmp =
684 SU (gnutls_compression_get_name
685 (gnutls_compression_get (session)));
686 printf ("- Compression: %s\n", tmp);
687
688 if (verbose)
689 {
690 gnutls_datum_t cb;
691 int rc;
692
693 rc = gnutls_session_channel_binding (session,
694 GNUTLS_CB_TLS_UNIQUE, &cb);
695 if (rc)
696 fprintf (stderr, "Channel binding error: %s\n",
697 gnutls_strerror (rc));
698 else
699 {
700 size_t i;
701
702 printf ("- Channel binding 'tls-unique': ");
703 for (i = 0; i < cb.size; i++)
704 printf ("%02x", cb.data[i]);
705 printf ("\n");
706 }
707 }
708
709 /* Warning: Do not print anything more here. The 'Compression:'
710 output MUST be the last non-verbose output. This is used by
711 Emacs starttls.el code. */
712
713 fflush (stdout);
714
715 return 0;
716 }
717
718 void
719 print_cert_info (gnutls_session_t session, int verbose, int print_cert)
720 {
721 int flag;
722
723 if (verbose) flag = GNUTLS_CRT_PRINT_FULL;
724 else flag = GNUTLS_CRT_PRINT_COMPACT;
725
726 if (gnutls_certificate_client_get_request_status (session) != 0)
727 printf ("- Server has requested a certificate.\n");
728
729 switch (gnutls_certificate_type_get (session))
730 {
731 case GNUTLS_CRT_X509:
732 print_x509_info (session, flag, print_cert);
733 break;
734 #ifdef ENABLE_OPENPGP
735 case GNUTLS_CRT_OPENPGP:
736 print_openpgp_info (session, flag, print_cert);
737 break;
738 #endif
739 default:
740 printf ("Unknown type\n");
741 break;
742 }
743 }
744
745 void
746 print_cert_info_compact (gnutls_session_t session)
747 {
748
749 if (gnutls_certificate_client_get_request_status (session) != 0)
750 printf ("- Server has requested a certificate.\n");
751
752 switch (gnutls_certificate_type_get (session))
753 {
754 case GNUTLS_CRT_X509:
755 print_x509_info_compact (session);
756 break;
757 #ifdef ENABLE_OPENPGP
758 case GNUTLS_CRT_OPENPGP:
759 print_openpgp_info_compact (session);
760 break;
761 #endif
762 default:
763 printf ("Unknown type\n");
764 break;
765 }
766 }
767
768 void
769 print_list (const char *priorities, int verbose)
770 {
771 size_t i;
772 int ret;
773 unsigned int idx;
774 const char *name;
775 const char *err;
776 unsigned char id[2];
777 gnutls_kx_algorithm_t kx;
778 gnutls_cipher_algorithm_t cipher;
779 gnutls_mac_algorithm_t mac;
780 gnutls_protocol_t version;
781 gnutls_priority_t pcache;
782 const unsigned int *list;
783
784 if (priorities != NULL)
785 {
786 printf ("Cipher suites for %s\n", priorities);
787
788 ret = gnutls_priority_init (&pcache, priorities, &err);
789 if (ret < 0)
790 {
791 fprintf (stderr, "Syntax error at: %s\n", err);
792 exit (1);
793 }
794
795 for (i = 0;; i++)
796 {
797 ret =
798 gnutls_priority_get_cipher_suite_index (pcache, i,
799 &idx);
800 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
801 break;
802 if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
803 continue;
804
805 name =
806 gnutls_cipher_suite_info (idx, id, NULL, NULL, NULL,
807 &version);
808
809 if (name != NULL)
810 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
811 name, (unsigned char) id[0],
812 (unsigned char) id[1],
813 gnutls_protocol_get_name (version));
814 }
815
816 printf("\n");
817 {
818 ret = gnutls_priority_certificate_type_list (pcache, &list);
819
820 printf ("Certificate types: ");
821 if (ret == 0) printf("none\n");
822 for (i = 0; i < (unsigned)ret; i++)
823 {
824 printf ("CTYPE-%s",
825 gnutls_certificate_type_get_name (list[i]));
826 if (i+1!=(unsigned)ret)
827 printf (", ");
828 else
829 printf ("\n");
830 }
831 }
832
833 {
834 ret = gnutls_priority_protocol_list (pcache, &list);
835
836 printf ("Protocols: ");
837 if (ret == 0) printf("none\n");
838 for (i = 0; i < (unsigned)ret; i++)
839 {
840 printf ("VERS-%s", gnutls_protocol_get_name (list[i]));
841 if (i+1!=(unsigned)ret)
842 printf (", ");
843 else
844 printf ("\n");
845 }
846 }
847
848 {
849 ret = gnutls_priority_compression_list (pcache, &list);
850
851 printf ("Compression: ");
852 if (ret == 0) printf("none\n");
853 for (i = 0; i < (unsigned)ret; i++)
854 {
855 printf ("COMP-%s",
856 gnutls_compression_get_name (list[i]));
857 if (i+1!=(unsigned)ret)
858 printf (", ");
859 else
860 printf ("\n");
861 }
862 }
863
864 {
865 ret = gnutls_priority_ecc_curve_list (pcache, &list);
866
867 printf ("Elliptic curves: ");
868 if (ret == 0) printf("none\n");
869 for (i = 0; i < (unsigned)ret; i++)
870 {
871 printf ("CURVE-%s",
872 gnutls_ecc_curve_get_name (list[i]));
873 if (i+1!=(unsigned)ret)
874 printf (", ");
875 else
876 printf ("\n");
877 }
878 }
879
880 {
881 ret = gnutls_priority_sign_list (pcache, &list);
882
883 printf ("PK-signatures: ");
884 if (ret == 0) printf("none\n");
885 for (i = 0; i < (unsigned)ret; i++)
886 {
887 printf ("SIGN-%s",
888 gnutls_sign_algorithm_get_name (list[i]));
889 if (i+1!=(unsigned)ret)
890 printf (", ");
891 else
892 printf ("\n");
893 }
894 }
895
896 return;
897 }
898
899 printf ("Cipher suites:\n");
900 for (i = 0; (name = gnutls_cipher_suite_info
901 (i, id, &kx, &cipher, &mac, &version)); i++)
902 {
903 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
904 name,
905 (unsigned char) id[0], (unsigned char) id[1],
906 gnutls_protocol_get_name (version));
907 if (verbose)
908 printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
909 gnutls_kx_get_name (kx),
910 gnutls_cipher_get_name (cipher),
911 gnutls_mac_get_name (mac));
912 }
913
914 printf("\n");
915 {
916 const gnutls_certificate_type_t *p =
917 gnutls_certificate_type_list ();
918
919 printf ("Certificate types: ");
920 for (; *p; p++)
921 {
922 printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p));
923 if (*(p + 1))
924 printf (", ");
925 else
926 printf ("\n");
927 }
928 }
929
930 {
931 const gnutls_protocol_t *p = gnutls_protocol_list ();
932
933 printf ("Protocols: ");
934 for (; *p; p++)
935 {
936 printf ("VERS-%s", gnutls_protocol_get_name (*p));
937 if (*(p + 1))
938 printf (", ");
939 else
940 printf ("\n");
941 }
942 }
943
944 {
945 const gnutls_cipher_algorithm_t *p = gnutls_cipher_list ();
946
947 printf ("Ciphers: ");
948 for (; *p; p++)
949 {
950 printf ("%s", gnutls_cipher_get_name (*p));
951 if (*(p + 1))
952 printf (", ");
953 else
954 printf ("\n");
955 }
956 }
957
958 {
959 const gnutls_mac_algorithm_t *p = gnutls_mac_list ();
960
961 printf ("MACs: ");
962 for (; *p; p++)
963 {
964 printf ("%s", gnutls_mac_get_name (*p));
965 if (*(p + 1))
966 printf (", ");
967 else
968 printf ("\n");
969 }
970 }
971
972 {
973 const gnutls_kx_algorithm_t *p = gnutls_kx_list ();
974
975 printf ("Key exchange algorithms: ");
976 for (; *p; p++)
977 {
978 printf ("%s", gnutls_kx_get_name (*p));
979 if (*(p + 1))
980 printf (", ");
981 else
982 printf ("\n");
983 }
984 }
985
986 {
987 const gnutls_compression_method_t *p = gnutls_compression_list ();
988
989 printf ("Compression: ");
990 for (; *p; p++)
991 {
992 printf ("COMP-%s", gnutls_compression_get_name (*p));
993 if (*(p + 1))
994 printf (", ");
995 else
996 printf ("\n");
997 }
998 }
999
1000 {
1001 const gnutls_ecc_curve_t *p = gnutls_ecc_curve_list ();
1002
1003 printf ("Elliptic curves: ");
1004 for (; *p; p++)
1005 {
1006 printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p));
1007 if (*(p + 1))
1008 printf (", ");
1009 else
1010 printf ("\n");
1011 }
1012 }
1013
1014 {
1015 const gnutls_pk_algorithm_t *p = gnutls_pk_list ();
1016
1017 printf ("Public Key Systems: ");
1018 for (; *p; p++)
1019 {
1020 printf ("%s", gnutls_pk_algorithm_get_name (*p));
1021 if (*(p + 1))
1022 printf (", ");
1023 else
1024 printf ("\n");
1025 }
1026 }
1027
1028 {
1029 const gnutls_sign_algorithm_t *p = gnutls_sign_list ();
1030
1031 printf ("PK-signatures: ");
1032 for (; *p; p++)
1033 {
1034 printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p));
1035 if (*(p + 1))
1036 printf (", ");
1037 else
1038 printf ("\n");
1039 }
1040 }
1041 }
1042
1043 int check_command(gnutls_session_t session, const char* str)
1044 {
1045 size_t len = strnlen(str, 128);
1046 int ret;
1047
1048 fprintf (stderr, "*** Processing %zu bytes command: %s\n", len, str);
1049 if (len > 2 && str[0] == str[1] && str[0] == '*')
1050 {
1051 if (strncmp(str, "**REHANDSHAKE**", sizeof ("**REHANDSHAKE**") - 1) == 0)
1052 {
1053 fprintf (stderr, "*** Sending rehandshake request\n");
1054 gnutls_rehandshake (session);
1055 return 1;
1056 } else if (strncmp(str, "**HEARTBEAT**", sizeof ("**HEARTBEAT**") - 1) == 0) {
1057 ret = gnutls_heartbeat_ping (session, 300, 5, GNUTLS_HEARTBEAT_WAIT);
1058 if (ret < 0)
1059 {
1060 if (ret == GNUTLS_E_INVALID_REQUEST)
1061 {
1062 fprintf(stderr, "No heartbeat in this session\n");
1063 }
1064 else
1065 {
1066 fprintf(stderr, "ping: %s\n", gnutls_strerror(ret));
1067 exit(1);
1068 }
1069 }
1070 return 2;
1071 }
1072 }
1073 return 0;
1074 }
1075
1076 #define MIN(x,y) ((x)<(y))?(x):(y)
1077 #define MAX_CACHE_TRIES 5
1078 int
1079 pin_callback (void *user, int attempt, const char *token_url,
1080 const char *token_label, unsigned int flags, char *pin,
1081 size_t pin_max)
1082 {
1083 const char *password;
1084 const char * desc;
1085 int len, cache = MAX_CACHE_TRIES;
1086 /* allow caching of PIN */
1087 static char *cached_url = NULL;
1088 static char cached_pin[32] = "";
1089
1090 if (flags & GNUTLS_PIN_SO)
1091 desc = "security officer";
1092 else
1093 desc = "user";
1094
1095 if (flags & GNUTLS_PIN_FINAL_TRY)
1096 {
1097 cache = 0;
1098 printf ("*** This is the final try before locking!\n");
1099 }
1100 if (flags & GNUTLS_PIN_COUNT_LOW)
1101 {
1102 cache = 0;
1103 printf ("*** Only few tries left before locking!\n");
1104 }
1105
1106 if (flags & GNUTLS_PIN_WRONG)
1107 {
1108 cache = 0;
1109 printf ("*** Wrong PIN has been provided!\n");
1110 }
1111
1112 if (cache > 0 && cached_url != NULL)
1113 {
1114 if (strcmp (cached_url, token_url) == 0)
1115 {
1116 if (strlen(pin) >= sizeof(cached_pin))
1117 {
1118 fprintf (stderr, "Too long PIN given\n");
1119 exit (1);
1120 }
1121
1122 fprintf(stderr, "Re-using cached PIN for token '%s'\n", token_label);
1123 strcpy (pin, cached_pin);
1124 cache--;
1125 return 0;
1126 }
1127 }
1128
1129 printf ("Token '%s' with URL '%s' ", token_label, token_url);
1130 printf ("requires %s PIN\n", desc);
1131
1132 password = getpass ("Enter PIN: ");
1133 if (password == NULL || password[0] == 0)
1134 {
1135 fprintf (stderr, "No password given\n");
1136 exit (1);
1137 }
1138
1139 len = MIN (pin_max, strlen (password));
1140 memcpy (pin, password, len);
1141 pin[len] = 0;
1142
1143 /* cache */
1144 strcpy (cached_pin, pin);
1145 free (cached_url);
1146 cached_url = strdup (token_url);
1147 cache = MAX_CACHE_TRIES;
1148
1149 return 0;
1150 }
1151
1152 #ifdef ENABLE_PKCS11
1153
1154 static int
1155 token_callback (void *user, const char *label, const unsigned retry)
1156 {
1157 char buf[32];
1158
1159 if (retry > 0)
1160 {
1161 fprintf (stderr, "Could not find token %s\n", label);
1162 return -1;
1163 }
1164 printf ("Please insert token '%s' in slot and press enter\n", label);
1165 fgets (buf, sizeof (buf), stdin);
1166
1167 return 0;
1168 }
1169
1170 void
1171 pkcs11_common (void)
1172 {
1173
1174 gnutls_pkcs11_set_pin_function (pin_callback, NULL);
1175 gnutls_pkcs11_set_token_function (token_callback, NULL);
1176
1177 }
1178
1179 #endif
Implementation of the SSL/TLS protocol