2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 * Author: Nikos Mavrogiannopoulos
5 * This file is part of GnuTLS.
7 * GnuTLS is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuTLS is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
23 /* Work around problem reported in
24 <http://permalink.gmane.org/gmane.comp.lib.gnulib.bugs/15755>.*/
25 #if GETTIMEOFDAY_CLOBBERS_LOCALTIME
34 #include <gnutls/gnutls.h>
35 #include <gnutls/x509.h>
36 #include <gnutls/openpgp.h>
40 #define SU(x) (x!=NULL?x:"Unknown")
44 const char str_unknown
[] = "(unknown)";
46 /* Hex encodes the given data.
49 raw_to_string (const unsigned char *raw
, size_t raw_size
)
51 static char buf
[1024];
56 if (raw_size
* 3 + 1 >= sizeof (buf
))
59 for (i
= 0; i
< raw_size
; i
++)
61 sprintf (&(buf
[i
* 3]), "%02X%s", raw
[i
],
62 (i
== raw_size
- 1) ? "" : ":");
64 buf
[sizeof (buf
) - 1] = '\0';
70 print_x509_info_compact (gnutls_session_t session
)
72 gnutls_x509_crt_t crt
;
73 const gnutls_datum_t
*cert_list
;
74 unsigned int cert_list_size
= 0;
78 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
79 if (cert_list_size
== 0)
81 fprintf (stderr
, "No certificates found!\n");
85 gnutls_x509_crt_init (&crt
);
87 gnutls_x509_crt_import (crt
, &cert_list
[0],
91 fprintf (stderr
, "Decoding error: %s\n",
92 gnutls_strerror (ret
));
97 gnutls_x509_crt_print (crt
, GNUTLS_CRT_PRINT_COMPACT
, &cinfo
);
100 printf ("- X.509 cert: %s\n", cinfo
.data
);
101 gnutls_free (cinfo
.data
);
104 gnutls_x509_crt_deinit (crt
);
108 print_x509_info (gnutls_session_t session
, int flag
, int print_cert
)
110 gnutls_x509_crt_t crt
;
111 const gnutls_datum_t
*cert_list
;
112 unsigned int cert_list_size
= 0, j
;
115 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
116 if (cert_list_size
== 0)
118 fprintf (stderr
, "No certificates found!\n");
122 printf ("- Certificate type: X.509\n");
123 printf ("- Got a certificate list of %d certificates.\n",
126 for (j
= 0; j
< cert_list_size
; j
++)
128 gnutls_datum_t cinfo
;
130 gnutls_x509_crt_init (&crt
);
132 gnutls_x509_crt_import (crt
, &cert_list
[j
],
133 GNUTLS_X509_FMT_DER
);
136 fprintf (stderr
, "Decoding error: %s\n",
137 gnutls_strerror (ret
));
141 printf ("- Certificate[%d] info:\n - ", j
);
144 gnutls_x509_crt_print (crt
, flag
, &cinfo
);
147 printf ("%s\n", cinfo
.data
);
148 gnutls_free (cinfo
.data
);
157 gnutls_x509_crt_export (crt
, GNUTLS_X509_FMT_PEM
, p
,
159 if (ret
== GNUTLS_E_SHORT_MEMORY_BUFFER
)
164 fprintf (stderr
, "gnutls_malloc\n");
169 gnutls_x509_crt_export (crt
, GNUTLS_X509_FMT_PEM
,
174 fprintf (stderr
, "Encoding error: %s\n",
175 gnutls_strerror (ret
));
179 fputs ("\n", stdout
);
181 fputs ("\n", stdout
);
186 gnutls_x509_crt_deinit (crt
);
190 /* returns true or false, depending on whether the hostname
191 * matches to certificate */
193 verify_x509_hostname (gnutls_session_t session
, const char *hostname
)
195 gnutls_x509_crt_t crt
;
196 const gnutls_datum_t
*cert_list
;
197 unsigned int cert_list_size
= 0;
200 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
201 if (cert_list_size
== 0)
203 fprintf (stderr
, "No certificates found!\n");
207 gnutls_x509_crt_init (&crt
);
209 gnutls_x509_crt_import (crt
, &cert_list
[0],
210 GNUTLS_X509_FMT_DER
);
213 fprintf (stderr
, "Decoding error: %s\n",
214 gnutls_strerror (ret
));
218 /* Check the hostname of the first certificate if it matches
219 * the name of the host we connected to.
221 if (hostname
!= NULL
)
223 if (gnutls_x509_crt_check_hostname (crt
, hostname
) == 0)
226 ("- The hostname in the certificate does NOT match '%s'\n",
232 printf ("- The hostname in the certificate matches '%s'.\n",
238 gnutls_x509_crt_deinit (crt
);
243 #ifdef ENABLE_OPENPGP
244 /* returns true or false, depending on whether the hostname
245 * matches to certificate */
247 verify_openpgp_hostname (gnutls_session_t session
, const char *hostname
)
249 gnutls_openpgp_crt_t crt
;
250 const gnutls_datum_t
*cert_list
;
251 unsigned int cert_list_size
= 0;
254 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
255 if (cert_list_size
== 0)
257 fprintf (stderr
, "No certificates found!\n");
261 gnutls_openpgp_crt_init (&crt
);
263 gnutls_openpgp_crt_import (crt
, &cert_list
[0],
264 GNUTLS_OPENPGP_FMT_RAW
);
267 fprintf (stderr
, "Decoding error: %s\n",
268 gnutls_strerror (ret
));
272 /* Check the hostname of the first certificate if it matches
273 * the name of the host we connected to.
275 if (gnutls_openpgp_crt_check_hostname (crt
, hostname
) == 0)
278 ("- The hostname in the certificate does NOT match '%s'\n",
284 printf ("- The hostname in the certificate matches '%s'.\n",
289 gnutls_openpgp_crt_deinit (crt
);
295 print_openpgp_info_compact (gnutls_session_t session
)
298 gnutls_openpgp_crt_t crt
;
299 const gnutls_datum_t
*cert_list
;
300 unsigned int cert_list_size
= 0;
303 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
305 if (cert_list_size
> 0)
307 gnutls_datum_t cinfo
;
309 gnutls_openpgp_crt_init (&crt
);
310 ret
= gnutls_openpgp_crt_import (crt
, &cert_list
[0],
311 GNUTLS_OPENPGP_FMT_RAW
);
314 fprintf (stderr
, "Decoding error: %s\n",
315 gnutls_strerror (ret
));
320 gnutls_openpgp_crt_print (crt
, GNUTLS_CRT_PRINT_COMPACT
, &cinfo
);
323 printf ("- OpenPGP cert: %s\n", cinfo
.data
);
324 gnutls_free (cinfo
.data
);
327 gnutls_openpgp_crt_deinit (crt
);
332 print_openpgp_info (gnutls_session_t session
, int flag
, int print_cert
)
335 gnutls_openpgp_crt_t crt
;
336 const gnutls_datum_t
*cert_list
;
337 unsigned int cert_list_size
= 0;
340 printf ("- Certificate type: OpenPGP\n");
342 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
344 if (cert_list_size
> 0)
346 gnutls_datum_t cinfo
;
348 gnutls_openpgp_crt_init (&crt
);
349 ret
= gnutls_openpgp_crt_import (crt
, &cert_list
[0],
350 GNUTLS_OPENPGP_FMT_RAW
);
353 fprintf (stderr
, "Decoding error: %s\n",
354 gnutls_strerror (ret
));
359 gnutls_openpgp_crt_print (crt
, flag
, &cinfo
);
362 printf ("- %s\n", cinfo
.data
);
363 gnutls_free (cinfo
.data
);
372 gnutls_openpgp_crt_export (crt
,
373 GNUTLS_OPENPGP_FMT_BASE64
,
375 if (ret
== GNUTLS_E_SHORT_MEMORY_BUFFER
)
380 fprintf (stderr
, "gnutls_malloc\n");
385 gnutls_openpgp_crt_export (crt
,
386 GNUTLS_OPENPGP_FMT_BASE64
,
391 fprintf (stderr
, "Encoding error: %s\n",
392 gnutls_strerror (ret
));
397 fputs ("\n", stdout
);
402 gnutls_openpgp_crt_deinit (crt
);
408 /* returns false (0) if not verified, or true (1) otherwise
411 cert_verify (gnutls_session_t session
, const char* hostname
)
414 unsigned int status
= 0;
417 rc
= gnutls_certificate_verify_peers2 (session
, &status
);
418 if (rc
== GNUTLS_E_NO_CERTIFICATE_FOUND
)
420 printf ("- Peer did not send any certificate.\n");
426 printf ("- Could not verify certificate (err: %s)\n",
427 gnutls_strerror (rc
));
431 type
= gnutls_certificate_type_get (session
);
432 if (type
== GNUTLS_CRT_X509
)
435 if (status
& GNUTLS_CERT_REVOKED
)
436 printf ("- Peer's certificate chain revoked\n");
437 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
438 printf ("- Peer's certificate issuer is unknown\n");
439 if (status
& GNUTLS_CERT_SIGNER_NOT_CA
)
440 printf ("- Peer's certificate issuer is not a CA\n");
441 if (status
& GNUTLS_CERT_INSECURE_ALGORITHM
)
443 ("- Peer's certificate chain uses insecure algorithm\n");
444 if (status
& GNUTLS_CERT_NOT_ACTIVATED
)
446 ("- Peer's certificate chain uses not yet valid certificate\n");
447 if (status
& GNUTLS_CERT_EXPIRED
)
449 ("- Peer's certificate chain uses expired certificate\n");
450 if (status
& GNUTLS_CERT_INVALID
)
451 printf ("- Peer's certificate is NOT trusted\n");
453 printf ("- Peer's certificate is trusted\n");
455 rc
= verify_x509_hostname (session
, hostname
);
456 if (rc
== 0) status
|= GNUTLS_CERT_INVALID
;
458 else if (type
== GNUTLS_CRT_OPENPGP
)
460 if (status
& GNUTLS_CERT_INVALID
)
461 printf ("- Peer's key is invalid\n");
463 printf ("- Peer's key is valid\n");
464 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
465 printf ("- Could not find a signer of the peer's key\n");
467 rc
= verify_openpgp_hostname (session
, hostname
);
468 if (rc
== 0) status
|= GNUTLS_CERT_INVALID
;
472 fprintf(stderr
, "Unknown certificate type\n");
473 status
|= GNUTLS_CERT_INVALID
;
483 print_dh_info (gnutls_session_t session
, const char *str
, int print
)
485 printf ("- %sDiffie-Hellman parameters\n", str
);
486 printf (" - Using prime: %d bits\n",
487 gnutls_dh_get_prime_bits (session
));
488 printf (" - Secret key: %d bits\n",
489 gnutls_dh_get_secret_bits (session
));
490 printf (" - Peer's public key: %d bits\n",
491 gnutls_dh_get_peers_public_bits (session
));
496 gnutls_datum_t raw_gen
= { NULL
, 0 };
497 gnutls_datum_t raw_prime
= { NULL
, 0 };
498 gnutls_dh_params_t dh_params
= NULL
;
499 unsigned char *params_data
= NULL
;
500 size_t params_data_size
= 0;
502 ret
= gnutls_dh_get_group (session
, &raw_gen
, &raw_prime
);
505 fprintf (stderr
, "gnutls_dh_get_group %d\n", ret
);
509 ret
= gnutls_dh_params_init (&dh_params
);
512 fprintf (stderr
, "gnutls_dh_params_init %d\n", ret
);
517 gnutls_dh_params_import_raw (dh_params
, &raw_prime
,
521 fprintf (stderr
, "gnutls_dh_params_import_raw %d\n", ret
);
525 ret
= gnutls_dh_params_export_pkcs3 (dh_params
,
529 if (ret
!= GNUTLS_E_SHORT_MEMORY_BUFFER
)
531 fprintf (stderr
, "gnutls_dh_params_export_pkcs3 %d\n",
536 params_data
= gnutls_malloc (params_data_size
);
539 fprintf (stderr
, "gnutls_malloc %d\n", ret
);
543 ret
= gnutls_dh_params_export_pkcs3 (dh_params
,
549 fprintf (stderr
, "gnutls_dh_params_export_pkcs3-2 %d\n",
554 printf (" - PKCS#3 format:\n\n%.*s\n", (int) params_data_size
,
558 gnutls_free (params_data
);
559 gnutls_free (raw_prime
.data
);
560 gnutls_free (raw_gen
.data
);
561 gnutls_dh_params_deinit (dh_params
);
566 print_ecdh_info (gnutls_session_t session
, const char *str
)
570 printf ("- %sEC Diffie-Hellman parameters\n", str
);
572 curve
= gnutls_ecc_curve_get (session
);
574 printf (" - Using curve: %s\n", gnutls_ecc_curve_get_name (curve
));
575 printf (" - Curve size: %d bits\n",
576 gnutls_ecc_curve_get_size (curve
) * 8);
581 print_info (gnutls_session_t session
, int print_cert
)
584 gnutls_credentials_type_t cred
;
585 gnutls_kx_algorithm_t kx
;
586 unsigned char session_id
[33];
587 size_t session_id_size
= sizeof (session_id
);
589 /* print session ID */
590 gnutls_session_get_id (session
, session_id
, &session_id_size
);
591 printf ("- Session ID: %s\n",
592 raw_to_string (session_id
, session_id_size
));
594 /* print the key exchange's algorithm name
596 kx
= gnutls_kx_get (session
);
598 cred
= gnutls_auth_get_type (session
);
602 case GNUTLS_CRD_ANON
:
603 if (kx
== GNUTLS_KX_ANON_ECDH
)
604 print_ecdh_info (session
, "Anonymous ");
606 print_dh_info (session
, "Anonymous ", verbose
);
611 /* This should be only called in server
614 if (gnutls_srp_server_get_username (session
) != NULL
)
615 printf ("- SRP authentication. Connected as '%s'\n",
616 gnutls_srp_server_get_username (session
));
621 /* This returns NULL in server side.
623 if (gnutls_psk_client_get_hint (session
) != NULL
)
624 printf ("- PSK authentication. PSK hint '%s'\n",
625 gnutls_psk_client_get_hint (session
));
626 /* This returns NULL in client side.
628 if (gnutls_psk_server_get_username (session
) != NULL
)
629 printf ("- PSK authentication. Connected as '%s'\n",
630 gnutls_psk_server_get_username (session
));
631 if (kx
== GNUTLS_KX_DHE_PSK
)
632 print_dh_info (session
, "Ephemeral ", verbose
);
633 if (kx
== GNUTLS_KX_ECDHE_PSK
)
634 print_ecdh_info (session
, "Ephemeral ");
638 printf ("- TLS/IA authentication\n");
640 case GNUTLS_CRD_CERTIFICATE
:
643 size_t dns_size
= sizeof (dns
);
646 /* This fails in client side */
647 if (gnutls_server_name_get
648 (session
, dns
, &dns_size
, &type
, 0) == 0)
650 printf ("- Given server name[%d]: %s\n", type
, dns
);
654 print_cert_info (session
, verbose
, print_cert
);
656 if (kx
== GNUTLS_KX_DHE_RSA
|| kx
== GNUTLS_KX_DHE_DSS
)
657 print_dh_info (session
, "Ephemeral ", verbose
);
658 else if (kx
== GNUTLS_KX_ECDHE_RSA
659 || kx
== GNUTLS_KX_ECDHE_ECDSA
)
660 print_ecdh_info (session
, "Ephemeral ");
664 SU (gnutls_protocol_get_name
665 (gnutls_protocol_get_version (session
)));
666 printf ("- Version: %s\n", tmp
);
668 tmp
= SU (gnutls_kx_get_name (kx
));
669 printf ("- Key Exchange: %s\n", tmp
);
671 tmp
= SU (gnutls_cipher_get_name (gnutls_cipher_get (session
)));
672 printf ("- Cipher: %s\n", tmp
);
674 tmp
= SU (gnutls_mac_get_name (gnutls_mac_get (session
)));
675 printf ("- MAC: %s\n", tmp
);
678 SU (gnutls_compression_get_name
679 (gnutls_compression_get (session
)));
680 printf ("- Compression: %s\n", tmp
);
687 rc
= gnutls_session_channel_binding (session
,
688 GNUTLS_CB_TLS_UNIQUE
, &cb
);
690 fprintf (stderr
, "Channel binding error: %s\n",
691 gnutls_strerror (rc
));
696 printf ("- Channel binding 'tls-unique': ");
697 for (i
= 0; i
< cb
.size
; i
++)
698 printf ("%02x", cb
.data
[i
]);
703 /* Warning: Do not print anything more here. The 'Compression:'
704 output MUST be the last non-verbose output. This is used by
705 Emacs starttls.el code. */
713 print_cert_info (gnutls_session_t session
, int verbose
, int print_cert
)
717 if (verbose
) flag
= GNUTLS_CRT_PRINT_FULL
;
718 else flag
= GNUTLS_CRT_PRINT_COMPACT
;
720 if (gnutls_certificate_client_get_request_status (session
) != 0)
721 printf ("- Server has requested a certificate.\n");
723 switch (gnutls_certificate_type_get (session
))
725 case GNUTLS_CRT_X509
:
726 print_x509_info (session
, flag
, print_cert
);
728 #ifdef ENABLE_OPENPGP
729 case GNUTLS_CRT_OPENPGP
:
730 print_openpgp_info (session
, flag
, print_cert
);
734 printf ("Unknown type\n");
740 print_cert_info_compact (gnutls_session_t session
)
743 if (gnutls_certificate_client_get_request_status (session
) != 0)
744 printf ("- Server has requested a certificate.\n");
746 switch (gnutls_certificate_type_get (session
))
748 case GNUTLS_CRT_X509
:
749 print_x509_info_compact (session
);
751 #ifdef ENABLE_OPENPGP
752 case GNUTLS_CRT_OPENPGP
:
753 print_openpgp_info_compact (session
);
757 printf ("Unknown type\n");
763 print_list (const char *priorities
, int verbose
)
771 gnutls_kx_algorithm_t kx
;
772 gnutls_cipher_algorithm_t cipher
;
773 gnutls_mac_algorithm_t mac
;
774 gnutls_protocol_t version
;
775 gnutls_priority_t pcache
;
776 const unsigned int *list
;
778 if (priorities
!= NULL
)
780 printf ("Cipher suites for %s\n", priorities
);
782 ret
= gnutls_priority_init (&pcache
, priorities
, &err
);
785 fprintf (stderr
, "Syntax error at: %s\n", err
);
792 gnutls_priority_get_cipher_suite_index (pcache
, i
,
794 if (ret
== GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
)
796 if (ret
== GNUTLS_E_UNKNOWN_CIPHER_SUITE
)
800 gnutls_cipher_suite_info (idx
, id
, NULL
, NULL
, NULL
,
804 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
805 name
, (unsigned char) id
[0],
806 (unsigned char) id
[1],
807 gnutls_protocol_get_name (version
));
812 ret
= gnutls_priority_certificate_type_list (pcache
, &list
);
814 printf ("Certificate types: ");
815 if (ret
== 0) printf("none\n");
816 for (i
= 0; i
< (unsigned)ret
; i
++)
819 gnutls_certificate_type_get_name (list
[i
]));
820 if (i
+1!=(unsigned)ret
)
828 ret
= gnutls_priority_protocol_list (pcache
, &list
);
830 printf ("Protocols: ");
831 if (ret
== 0) printf("none\n");
832 for (i
= 0; i
< (unsigned)ret
; i
++)
834 printf ("VERS-%s", gnutls_protocol_get_name (list
[i
]));
835 if (i
+1!=(unsigned)ret
)
843 ret
= gnutls_priority_compression_list (pcache
, &list
);
845 printf ("Compression: ");
846 if (ret
== 0) printf("none\n");
847 for (i
= 0; i
< (unsigned)ret
; i
++)
850 gnutls_compression_get_name (list
[i
]));
851 if (i
+1!=(unsigned)ret
)
859 ret
= gnutls_priority_ecc_curve_list (pcache
, &list
);
861 printf ("Elliptic curves: ");
862 if (ret
== 0) printf("none\n");
863 for (i
= 0; i
< (unsigned)ret
; i
++)
866 gnutls_ecc_curve_get_name (list
[i
]));
867 if (i
+1!=(unsigned)ret
)
875 ret
= gnutls_priority_sign_list (pcache
, &list
);
877 printf ("PK-signatures: ");
878 if (ret
== 0) printf("none\n");
879 for (i
= 0; i
< (unsigned)ret
; i
++)
882 gnutls_sign_algorithm_get_name (list
[i
]));
883 if (i
+1!=(unsigned)ret
)
893 printf ("Cipher suites:\n");
894 for (i
= 0; (name
= gnutls_cipher_suite_info
895 (i
, id
, &kx
, &cipher
, &mac
, &version
)); i
++)
897 printf ("%-50s\t0x%02x, 0x%02x\t%s\n",
899 (unsigned char) id
[0], (unsigned char) id
[1],
900 gnutls_protocol_get_name (version
));
902 printf ("\tKey exchange: %s\n\tCipher: %s\n\tMAC: %s\n\n",
903 gnutls_kx_get_name (kx
),
904 gnutls_cipher_get_name (cipher
),
905 gnutls_mac_get_name (mac
));
910 const gnutls_certificate_type_t
*p
=
911 gnutls_certificate_type_list ();
913 printf ("Certificate types: ");
916 printf ("CTYPE-%s", gnutls_certificate_type_get_name (*p
));
925 const gnutls_protocol_t
*p
= gnutls_protocol_list ();
927 printf ("Protocols: ");
930 printf ("VERS-%s", gnutls_protocol_get_name (*p
));
939 const gnutls_cipher_algorithm_t
*p
= gnutls_cipher_list ();
941 printf ("Ciphers: ");
944 printf ("%s", gnutls_cipher_get_name (*p
));
953 const gnutls_mac_algorithm_t
*p
= gnutls_mac_list ();
958 printf ("%s", gnutls_mac_get_name (*p
));
967 const gnutls_kx_algorithm_t
*p
= gnutls_kx_list ();
969 printf ("Key exchange algorithms: ");
972 printf ("%s", gnutls_kx_get_name (*p
));
981 const gnutls_compression_method_t
*p
= gnutls_compression_list ();
983 printf ("Compression: ");
986 printf ("COMP-%s", gnutls_compression_get_name (*p
));
995 const gnutls_ecc_curve_t
*p
= gnutls_ecc_curve_list ();
997 printf ("Elliptic curves: ");
1000 printf ("CURVE-%s", gnutls_ecc_curve_get_name (*p
));
1009 const gnutls_pk_algorithm_t
*p
= gnutls_pk_list ();
1011 printf ("Public Key Systems: ");
1014 printf ("%s", gnutls_pk_algorithm_get_name (*p
));
1023 const gnutls_sign_algorithm_t
*p
= gnutls_sign_list ();
1025 printf ("PK-signatures: ");
1028 printf ("SIGN-%s", gnutls_sign_algorithm_get_name (*p
));
1037 int check_command(gnutls_session_t session
, const char* str
)
1039 int len
= strlen(str
);
1041 if (len
> 2 && str
[0] == str
[1] && str
[0] == '*')
1043 if (strncmp(str
, "**REHANDSHAKE**",
1044 sizeof ("**REHANDSHAKE**") - 1) == 0)
1046 fprintf (stderr
, "*** Sending rehandshake request\n");
1047 gnutls_rehandshake (session
);