commit cafcdb1b08e18530b9a184a22c7655b3661701bb parent dfd057b9b6e0b022f73c1bdb4b845230f29fae3a Author: lv-426 <oxcafebaby@yahoo.com> Date: Sat, 9 Aug 2008 02:06:38 +0000 temporary IP binding option added to MHD_daemon_start_va added support for initiating the daemon in anonymous authentication mode DH parameter initiation when using anonymous authentication added daemon credential type field added daemon option testing flexibility removed db support Diffstat:
27 files changed, 777 insertions(+), 890 deletions(-)
diff --git a/configure.ac b/configure.ac @@ -260,7 +260,8 @@ AC_SUBST(GCRYPT_CPPFLAGS) AC_DEFINE([ENABLE_MINITASN1],[1],[Include minitasn1 support]) AC_DEFINE([GNULIB_GC_HMAC_SHA1],[1],[GNULIB_GC_HMAC_SHA1]) AC_DEFINE([GNULIB_GC_RANDOM],[1],[GNULIB_GC_RANDOM]) -AC_DEFINE([ENABLE_PKI],[1],[Include ENABLE_OPENPGP support]) +AC_DEFINE([ENABLE_ANON],[1],[Enable anonymous authentication]) +AC_DEFINE([ENABLE_PKI],[1],[Include PKI support]) AC_DEFINE([ENABLE_INCLUDED_OPENCDK],[1],[Include ENABLE_INCLUDED_OPENCDK support]) # gnutls debug support AC_DEFINE([DEBUG],[1],[Include gnutls debug message support]) diff --git a/src/daemon/connection_https.c b/src/daemon/connection_https.c @@ -37,7 +37,7 @@ #include "gnutls_int.h" #include "gnutls_record.h" -/* TODO rm #include "gnutls_errors.h" */ +/* TODO #include rm "gnutls_errors.h" */ #include "gnutls_errors.h" /* forward declarations used when setting secure connection callbacks */ @@ -168,6 +168,9 @@ MHD_tls_connection_handle_idle (struct MHD_Connection *connection) switch (connection->state) { + /* on newly created connections we might reach here before any reply has been received */ + case MHD_TLS_CONNECTION_INIT: + return MHD_YES; /* close connection if necessary */ case MHD_CONNECTION_CLOSED: MHD_tls_connection_close (connection); diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c @@ -32,6 +32,7 @@ #if HTTPS_SUPPORT #include "gnutls_int.h" #include "gnutls_global.h" +#include "auth_anon.h" #endif /** @@ -56,26 +57,14 @@ */ #define DEBUG_CONNECT MHD_NO -#if HTTPS_SUPPORT -/* initialize security aspects of the HTTPS daemon */ +/* TODO unite with code in gnutls_priority.c */ static int -MHD_TLS_init (struct MHD_Daemon *daemon) +MHD_init_daemon_certificate (struct MHD_Daemon *daemon) { - int i; - priority_st st; gnutls_datum_t key; gnutls_datum_t cert; - gnutls_global_set_log_function (MHD_tls_log_func); - - /* setup server certificate */ - gnutls_certificate_allocate_credentials (&daemon->x509_cret); - - /* TODO remove if unused - gnutls_certificate_set_x509_trust_file(x509_cret, CAFILE,GNUTLS_X509_FMT_PEM); - gnutls_certificate_set_x509_crl_file(x509_cret, CRLFILE, GNUTLS_X509_FMT_PEM); */ - - /* sets a certificate private key pair */ + /* certificate & key loaded from file */ if (daemon->https_cert_path && daemon->https_key_path) { /* test for private key & certificate file exsitance */ @@ -98,20 +87,21 @@ MHD_TLS_init (struct MHD_Daemon *daemon) CLOSE (daemon->socket_fd); return -1; } - gnutls_certificate_set_x509_key_file (daemon->x509_cret, - daemon->https_cert_path, - daemon->https_key_path, - GNUTLS_X509_FMT_PEM); + return gnutls_certificate_set_x509_key_file (daemon->x509_cred, + daemon->https_cert_path, + daemon->https_key_path, + GNUTLS_X509_FMT_PEM); } + /* certificate & key loaded from memory */ else if (daemon->https_mem_cert && daemon->https_mem_key) { - key.data = (char *) daemon->https_mem_key; + key.data = (unsigned char *) daemon->https_mem_key; key.size = strlen (daemon->https_mem_key); - cert.data = (char *) daemon->https_mem_cert; + cert.data = (unsigned char *) daemon->https_mem_cert; cert.size = strlen (daemon->https_mem_cert); - gnutls_certificate_set_x509_key_mem (daemon->x509_cret, &cert, &key, - GNUTLS_X509_FMT_PEM); + return gnutls_certificate_set_x509_key_mem (daemon->x509_cred, &cert, + &key, GNUTLS_X509_FMT_PEM); } else { @@ -120,29 +110,44 @@ MHD_TLS_init (struct MHD_Daemon *daemon) #endif return MHD_NO; } +} - /* generate DH parameters if necessary */ - st = daemon->priority_cache->kx; - for (i = 0; i < st.algorithms; i++) +/* initialize security aspects of the HTTPS daemon */ +int +MHD_TLS_init (struct MHD_Daemon *daemon) +{ + int ret; + + switch (daemon->cred_type) { - /* initialize Diffie Hellman parameters if necessary */ - /* TODO add other cipher suits */ - if (st.priority[i] == MHD_GNUTLS_KX_DHE_RSA) - { - gnutls_dh_params_init (&daemon->dh_params); - gnutls_dh_params_generate2 (daemon->dh_params, 1024); - break; - } + case MHD_GNUTLS_CRD_ANON: + ret = gnutls_anon_allocate_server_credentials (&daemon->anon_cred); + ret += gnutls_dh_params_init (&daemon->dh_params); + if (ret != 0) { + return GNUTLS_E_MEMORY_ERROR; + } + gnutls_dh_params_generate2 (daemon->dh_params, 1024); + gnutls_anon_set_server_dh_params (daemon->anon_cred, daemon->dh_params); + break; + case MHD_GNUTLS_CRD_CERTIFICATE: + ret = gnutls_certificate_allocate_credentials (&daemon->x509_cred) ; + if (ret != 0) { + return GNUTLS_E_MEMORY_ERROR; + } + if ((ret = MHD_init_daemon_certificate (daemon)) != 0) + return ret; + default: +#if HAVE_MESSAGES + MHD_DLOG (daemon, + "Error: no daemon credentials type found. f: %s, l: %d\n", + __FUNCTION__, __LINE__); +#endif + break; } - gnutls_certificate_set_dh_params (daemon->x509_cret, daemon->dh_params); - - /* TODO address error case return value */ - return MHD_YES; + return MHD_NO; } -/* TODO unite with code in gnutls_priority.c */ -/* this is used to set HTTPS related daemon priorities */ inline static int _set_priority (priority_st * st, const int *list) { @@ -152,7 +157,7 @@ _set_priority (priority_st * st, const int *list) num++; if (num > MAX_ALGOS) num = MAX_ALGOS; - st->algorithms = num; + st->num_algorithms = num; for (i = 0; i < num; i++) { @@ -161,7 +166,6 @@ _set_priority (priority_st * st, const int *list) return 0; } -#endif /* HTTPS_SUPPORT */ /** * Obtain the select sets for this daemon. @@ -300,12 +304,13 @@ gnutls_push_param_adapter (void *connection, } #endif + /** * Handle an individual TLS connection. */ #if HTTPS_SUPPORT static void * -MHD_TLS_handle_connection (void *data) +MHD_TLS_init_connection (void *data) { struct MHD_Connection *con = data; @@ -320,16 +325,37 @@ MHD_TLS_handle_connection (void *data) /* sets cipher priorities */ gnutls_priority_set (con->tls_session, con->daemon->priority_cache); - /* set needed credentials for certificate authentication. */ - gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_CERTIFICATE, - con->daemon->x509_cret); + switch (con->daemon->cred_type) + { + /* set needed credentials for certificate authentication. */ + case MHD_GNUTLS_CRD_CERTIFICATE: + gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_CERTIFICATE, + con->daemon->x509_cred); + break; + case MHD_GNUTLS_CRD_ANON: + /* set needed credentials for anonymous authentication. */ + gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_ANON, + con->daemon->anon_cred); + gnutls_dh_set_prime_bits (con->tls_session, 1024); + break; + default: + +#if HAVE_MESSAGES + MHD_DLOG (con->daemon, + "Error: couldn't init HTTPS session. no appropriate KX algorithm found. f: %s, l: %d\n", + __FUNCTION__, __LINE__); +#endif + break; + } /* TODO avoid gnutls blocking recv / write calls gnutls_transport_set_pull_function(tls_session, &recv); gnutls_transport_set_push_function(tls_session, &send); */ - gnutls_transport_set_ptr (con->tls_session, con->socket_fd); + gnutls_transport_set_ptr (con->tls_session, + (gnutls_transport_ptr_t) ((void *) con-> + socket_fd)); return MHD_handle_connection (data); } @@ -489,7 +515,7 @@ MHD_accept_connection (struct MHD_Daemon *daemon) #if HTTPS_SUPPORT if (daemon->options & MHD_USE_SSL) res_thread_create = pthread_create (&connection->pid, NULL, - &MHD_TLS_handle_connection, + &MHD_TLS_init_connection, connection); else #endif @@ -768,7 +794,7 @@ MHD_select_thread (void *cls) */ struct MHD_Daemon * MHD_start_daemon_va (unsigned int options, - unsigned short port, + unsigned short port, char *ip, MHD_AcceptPolicyCallback apc, void *apc_cls, MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap) @@ -875,6 +901,7 @@ MHD_start_daemon_va (unsigned int options, pthread_mutex_unlock (&gnutls_init_mutex); /* set default priorities */ gnutls_priority_init (&retVal->priority_cache, "", NULL); + retVal->cred_type = MHD_GNUTLS_CRD_CERTIFICATE; } #endif /* initializes the argument pointer variable */ @@ -906,7 +933,7 @@ MHD_start_daemon_va (unsigned int options, #if HTTPS_SUPPORT case MHD_OPTION_PROTOCOL_VERSION: _set_priority (&retVal->priority_cache->protocol, - va_arg (ap, const int *)); + va_arg (ap, const int *)); break; case MHD_OPTION_HTTPS_KEY_PATH: retVal->https_key_path = va_arg (ap, const char *); @@ -920,8 +947,11 @@ MHD_start_daemon_va (unsigned int options, case MHD_OPTION_HTTPS_MEM_CERT: retVal->https_mem_cert = va_arg (ap, const char *); break; + case MHD_OPTION_CRED_TYPE: + retVal->cred_type = va_arg (ap, const int); + break; case MHD_OPTION_KX_PRIORITY: - _set_priority (&retVal->priority_cache->cipher, + _set_priority (&retVal->priority_cache->kx, va_arg (ap, const int *)); break; case MHD_OPTION_CIPHER_ALGORITHM: @@ -929,16 +959,17 @@ MHD_start_daemon_va (unsigned int options, va_arg (ap, const int *)); break; case MHD_OPTION_MAC_ALGO: - _set_priority (&retVal->priority_cache->mac, - va_arg (ap, const int *)); - break; + _set_priority (&retVal->priority_cache->mac, + va_arg (ap, const int *)); + break; #endif default: #if HAVE_MESSAGES if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) { fprintf (stderr, - "Error: HTTPS option %d passed to non HTTPS daemon\n", opt); + "Error: HTTPS option %d passed to non HTTPS daemon\n", + opt); } else { @@ -952,7 +983,7 @@ MHD_start_daemon_va (unsigned int options, #if HTTPS_SUPPORT /* initialize HTTPS daemon certificate aspects & send / recv functions */ - if (options & MHD_USE_SSL && MHD_NO == MHD_TLS_init (retVal)) + if (options & MHD_USE_SSL && MHD_TLS_init (retVal) != 0) { #if HAVE_MESSAGES MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n"); @@ -985,18 +1016,244 @@ MHD_start_daemon (unsigned int options, unsigned short port, MHD_AcceptPolicyCallback apc, void *apc_cls, - MHD_AccessHandlerCallback dh, void *dh_cls, ...){ - - int ret; - va_list ap; - va_start (ap, dh_cls); - ret = MHD_start_daemon_va (options, - port, - apc, - apc_cls, - dh, dh_cls, ap); - va_end (ap); - return ret; + MHD_AccessHandlerCallback dh, void *dh_cls, ...) +{ + const int on = 1; + struct MHD_Daemon *retVal; + + /* listeningss sockets used by the daemon */ + int socket_fd; + va_list ap; + + struct sockaddr_in servaddr4; + struct sockaddr_in6 servaddr6; + const struct sockaddr *servaddr; + socklen_t addrlen; + enum MHD_OPTION opt; + + if ((port == 0) || (dh == NULL)) + return NULL; + if ((options & MHD_USE_IPv6) != 0) + socket_fd = SOCKET (PF_INET6, SOCK_STREAM, 0); + else + socket_fd = SOCKET (PF_INET, SOCK_STREAM, 0); + if (socket_fd < 0) + { +#if HAVE_MESSAGES + if ((options & MHD_USE_DEBUG) != 0) + fprintf (stderr, "Call to socket failed: %s\n", STRERROR (errno)); +#endif + return NULL; + } + if ((SETSOCKOPT (socket_fd, + SOL_SOCKET, + SO_REUSEADDR, + &on, sizeof (on)) < 0) && (options & MHD_USE_DEBUG) != 0) + { +#if HAVE_MESSAGES + fprintf (stderr, "setsockopt failed: %s\n", STRERROR (errno)); +#endif + } + if ((options & MHD_USE_IPv6) != 0) + { + memset (&servaddr6, 0, sizeof (struct sockaddr_in6)); + servaddr6.sin6_family = AF_INET6; + servaddr6.sin6_port = htons (port); + servaddr = (struct sockaddr *) &servaddr6; + addrlen = sizeof (struct sockaddr_in6); + } + else + { + memset (&servaddr4, 0, sizeof (struct sockaddr_in)); + servaddr4.sin_family = AF_INET; + servaddr4.sin_port = htons (port); + servaddr = (struct sockaddr *) &servaddr4; + addrlen = sizeof (struct sockaddr_in); + } + if (BIND (socket_fd, servaddr, addrlen) < 0) + { +#if HAVE_MESSAGES + if ((options & MHD_USE_DEBUG) != 0) + fprintf (stderr, + "Failed to bind to port %u: %s\n", port, STRERROR (errno)); +#endif + CLOSE (socket_fd); + return NULL; + } + if (LISTEN (socket_fd, 20) < 0) + { +#if HAVE_MESSAGES + if ((options & MHD_USE_DEBUG) != 0) + fprintf (stderr, + "Failed to listen for connections: %s\n", STRERROR (errno)); +#endif + CLOSE (socket_fd); + return NULL; + } + + /* allocate the mhd daemon */ + + retVal = malloc (sizeof (struct MHD_Daemon)); + + if (retVal == NULL) + { + CLOSE (socket_fd); + return NULL; + } + + memset (retVal, 0, sizeof (struct MHD_Daemon)); + retVal->options = options; + retVal->port = port; + retVal->apc = apc; + retVal->apc_cls = apc_cls; + retVal->socket_fd = socket_fd; + retVal->default_handler = dh; + retVal->default_handler_cls = dh_cls; + retVal->max_connections = MHD_MAX_CONNECTIONS_DEFAULT; + retVal->pool_size = MHD_POOL_SIZE_DEFAULT; + retVal->connection_timeout = 0; /* no timeout */ +#if HTTPS_SUPPORT + if (options & MHD_USE_SSL) + { + /* lock gnutls_global mutex since it uses reference counting */ + pthread_mutex_lock (&gnutls_init_mutex); + gnutls_global_init (); + pthread_mutex_unlock (&gnutls_init_mutex); + /* set default priorities */ + gnutls_priority_init (&retVal->priority_cache, "", NULL); + retVal->cred_type = MHD_GNUTLS_CRD_CERTIFICATE; + } +#endif + /* initializes the argument pointer variable */ + + va_start (ap, dh_cls); + + /* + * loop through daemon options + */ + while (MHD_OPTION_END != (opt = va_arg (ap, enum MHD_OPTION))) + { + switch (opt) + { + case MHD_OPTION_CONNECTION_MEMORY_LIMIT: + retVal->pool_size = va_arg (ap, unsigned int); + break; + case MHD_OPTION_CONNECTION_LIMIT: + retVal->max_connections = va_arg (ap, unsigned int); + break; + case MHD_OPTION_CONNECTION_TIMEOUT: + retVal->connection_timeout = va_arg (ap, unsigned int); + break; + case MHD_OPTION_NOTIFY_COMPLETED: + retVal->notify_completed = + va_arg (ap, MHD_RequestCompletedCallback); + retVal->notify_completed_cls = va_arg (ap, void *); + break; + case MHD_OPTION_PER_IP_CONNECTION_LIMIT: + retVal->per_ip_connection_limit = va_arg (ap, unsigned int); + break; +#if HTTPS_SUPPORT + case MHD_OPTION_PROTOCOL_VERSION: + _set_priority (&retVal->priority_cache->protocol, + va_arg (ap, const int *)); + break; + case MHD_OPTION_HTTPS_KEY_PATH: + retVal->https_key_path = va_arg (ap, const char *); + break; + case MHD_OPTION_HTTPS_CERT_PATH: + retVal->https_cert_path = va_arg (ap, const char *); + break; + case MHD_OPTION_HTTPS_MEM_KEY: + retVal->https_mem_key = va_arg (ap, const char *); + break; + case MHD_OPTION_HTTPS_MEM_CERT: + retVal->https_mem_cert = va_arg (ap, const char *); + break; + case MHD_OPTION_CRED_TYPE: + retVal->cred_type = va_arg (ap, const int); + break; + case MHD_OPTION_KX_PRIORITY: + _set_priority (&retVal->priority_cache->kx, + va_arg (ap, const int *)); + break; + case MHD_OPTION_CIPHER_ALGORITHM: + _set_priority (&retVal->priority_cache->cipher, + va_arg (ap, const int *)); + break; + case MHD_OPTION_MAC_ALGO: + _set_priority (&retVal->priority_cache->mac, + va_arg (ap, const int *)); + break; +#endif + default: +#if HAVE_MESSAGES + if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) + { + fprintf (stderr, + "Error: HTTPS option %d passed to non HTTPS daemon\n", + opt); + } + else + { + fprintf (stderr, + "Invalid MHD_OPTION argument! (Did you terminate the list with MHD_OPTION_END?)\n"); + } +#endif + abort (); + } + } + va_end (ap); + + /* initialize HTTPS daemon certificate aspects & send / recv functions */ + if (options & MHD_USE_SSL && MHD_TLS_init (retVal) != 0) + { +#if HAVE_MESSAGES + MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n"); +#endif + free (retVal); + return NULL; + } + + if (((0 != (options & MHD_USE_THREAD_PER_CONNECTION)) || (0 != (options + & + MHD_USE_SELECT_INTERNALLY))) + && (0 != + pthread_create (&retVal->pid, NULL, &MHD_select_thread, retVal))) + { +#if HAVE_MESSAGES + MHD_DLOG (retVal, "Failed to create listen thread: %s\n", + STRERROR (errno)); +#endif + free (retVal); + CLOSE (socket_fd); + return NULL; + } + + return retVal; +} + + +/* + * start the MHD_Daemon while binding to a specific ip address. + * + * TODO : address adding ip parameter to MHD_start_daemon + */ +struct MHD_Daemon * +MHD_start_daemon_ip (unsigned int options, + unsigned short port, char *ip, + MHD_AcceptPolicyCallback apc, + void *apc_cls, + MHD_AccessHandlerCallback dh, void *dh_cls, ...) +{ + + gnutls_global_set_log_level (5); + + struct MHD_Daemon *ret; + va_list ap; + va_start (ap, dh_cls); + ret = MHD_start_daemon_va (options, port, ip, apc, apc_cls, dh, dh_cls, ap); + va_end (ap); + return ret; } /** @@ -1066,7 +1323,10 @@ MHD_stop_daemon (struct MHD_Daemon *daemon) { gnutls_priority_deinit (daemon->priority_cache); - gnutls_certificate_free_credentials (daemon->x509_cret); + if (daemon->x509_cred) + gnutls_certificate_free_credentials (daemon->x509_cred); + if (daemon->anon_cred) + gnutls_anon_free_server_credentials (daemon->anon_cred); /* lock gnutls_global mutex since it uses reference counting */ pthread_mutex_lock (&gnutls_init_mutex); diff --git a/src/daemon/https/tls/Makefile.am b/src/daemon/https/tls/Makefile.am @@ -43,7 +43,6 @@ gnutls_compress.c \ gnutls_compress_int.c \ gnutls_constate.c \ gnutls_datum.c \ -gnutls_db.c \ gnutls_dh.c \ gnutls_dh_primes.c \ gnutls_errors.c \ diff --git a/src/daemon/https/tls/auth_cert.h b/src/daemon/https/tls/auth_cert.h @@ -34,6 +34,7 @@ /* This structure may be complex, but it's the only way to * support a server that has multiple certificates */ + typedef struct gnutls_certificate_credentials_st { gnutls_dh_params_t dh_params; @@ -45,7 +46,7 @@ typedef struct gnutls_certificate_credentials_st gnutls_cert **cert_list; /* contains a list of a list of certificates. - * eg (X509): [0] certificate1, certificate11, certificate111 + * eg (X509): [0] certificate1, certificate11, certificate111 * (if more than one, one certificate certifies the one before) * [1] certificate2, certificate22, ... */ @@ -75,14 +76,14 @@ typedef struct gnutls_certificate_credentials_st /* X509 specific stuff */ gnutls_x509_crt_t *x509_ca_list; - unsigned x509_ncas; /* number of CAs in the ca_list + unsigned x509_ncas; /* number of CAs in the ca_list */ gnutls_x509_crl_t *x509_crl_list; - unsigned x509_ncrls; /* number of CRLs in the crl_list + unsigned x509_ncrls; /* number of CRLs in the crl_list */ - unsigned int verify_flags; /* flags to be used at + unsigned int verify_flags; /* flags to be used at * certificate verification. */ unsigned int verify_depth; diff --git a/src/daemon/https/tls/ext_cert_type.c b/src/daemon/https/tls/ext_cert_type.c @@ -150,10 +150,10 @@ _gnutls_cert_type_send_params (gnutls_session_t session, opaque * data, if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (session->internals.priorities.cert_type.algorithms > 0) + if (session->internals.priorities.cert_type.num_algorithms > 0) { - len = session->internals.priorities.cert_type.algorithms; + len = session->internals.priorities.cert_type.num_algorithms; if (len == 1 && session->internals.priorities.cert_type.priority[0] == diff --git a/src/daemon/https/tls/gnutls_alert.c b/src/daemon/https/tls/gnutls_alert.c @@ -148,7 +148,7 @@ gnutls_alert_send (gnutls_session_t session, gnutls_alert_level_t level, * alert should be sent to the peer indicating that no renegotiation will * be performed. * - * If there is no mapping to a valid alert the alert to indicate internal error + * If there is no mapping to a valid alert the alert to indicate internal error * is returned. * **/ @@ -163,7 +163,7 @@ gnutls_error_to_alert (int err, int *level) /* GNUTLS_A_DECRYPTION_FAILED is not sent, because * it is not defined in SSL3. Note that we must * not distinguish Decryption failures from mac - * check failures, due to the possibility of some + * check failures, due to the possibility of some * attacks. */ ret = GNUTLS_A_BAD_RECORD_MAC; diff --git a/src/daemon/https/tls/gnutls_algorithms.c b/src/daemon/https/tls/gnutls_algorithms.c @@ -767,7 +767,7 @@ _gnutls_mac_priority (gnutls_session_t session, gnutls_mac_algorithm_t algorithm) { /* actually returns the priority */ unsigned int i; - for (i = 0; i < session->internals.priorities.mac.algorithms; i++) + for (i = 0; i < session->internals.priorities.mac.num_algorithms; i++) { if (session->internals.priorities.mac.priority[i] == algorithm) return i; @@ -893,7 +893,7 @@ _gnutls_compression_priority (gnutls_session_t session, gnutls_compression_method_t algorithm) { /* actually returns the priority */ unsigned int i; - for (i = 0; i < session->internals.priorities.compression.algorithms; i++) + for (i = 0; i < session->internals.priorities.compression.num_algorithms; i++) { if (session->internals.priorities.compression.priority[i] == algorithm) return i; @@ -1040,7 +1040,7 @@ _gnutls_cipher_priority (gnutls_session_t session, gnutls_cipher_algorithm_t algorithm) { unsigned int i; - for (i = 0; i < session->internals.priorities.cipher.algorithms; i++) + for (i = 0; i < session->internals.priorities.cipher.num_algorithms; i++) { if (session->internals.priorities.cipher.priority[i] == algorithm) return i; @@ -1176,7 +1176,7 @@ _gnutls_kx_priority (gnutls_session_t session, gnutls_kx_algorithm_t algorithm) { unsigned int i; - for (i = 0; i < session->internals.priorities.kx.algorithms; i++) + for (i = 0; i < session->internals.priorities.kx.num_algorithms; i++) { if (session->internals.priorities.kx.priority[i] == algorithm) return i; @@ -1276,7 +1276,7 @@ _gnutls_version_priority (gnutls_session_t session, gnutls_protocol_t version) return -1; } - for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) + for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) { if (session->internals.priorities.protocol.priority[i] == version) return i; @@ -1294,7 +1294,7 @@ _gnutls_version_lowest (gnutls_session_t session) return MHD_GNUTLS_VERSION_UNKNOWN; } else - for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) + for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) { if (session->internals.priorities.protocol.priority[i] < min) min = session->internals.priorities.protocol.priority[i]; @@ -1316,7 +1316,7 @@ _gnutls_version_max (gnutls_session_t session) return MHD_GNUTLS_VERSION_UNKNOWN; } else - for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) + for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++) { if (session->internals.priorities.protocol.priority[i] > max) max = session->internals.priorities.protocol.priority[i]; @@ -1886,7 +1886,7 @@ _gnutls_supported_ciphersuites (gnutls_session_t session, /* returns the TLS numbers of the compression methods we support */ -#define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.algorithms +#define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.num_algorithms int _gnutls_supported_compression_methods (gnutls_session_t session, uint8_t ** comp) diff --git a/src/daemon/https/tls/gnutls_anon_cred.c b/src/daemon/https/tls/gnutls_anon_cred.c @@ -62,8 +62,9 @@ int gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t * sc) { - *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st)); + if (*sc == NULL) + return GNUTLS_E_MEMORY_ERROR; return 0; } diff --git a/src/daemon/https/tls/gnutls_db.c b/src/daemon/https/tls/gnutls_db.c @@ -1,386 +0,0 @@ -/* - * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation - * - * Author: Nikos Mavrogiannopoulos - * - * This file is part of GNUTLS. - * - * The GNUTLS library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public License - * as published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, - * USA - * - */ - -/* This file contains functions that manipulate a database backend - * for resumed sessions. - */ - -#include "gnutls_int.h" -#include "gnutls_errors.h" -// #include "gnutls_session.h" -#include <gnutls_db.h> -#include "debug.h" -#include <gnutls_session_pack.h> -#include <gnutls_datum.h> - -/** - * gnutls_db_set_retrieve_function - Sets the function that will be used to get data - * @session: is a #gnutls_session_t structure. - * @retr_func: is the function. - * - * Sets the function that will be used to retrieve data from the resumed - * sessions database. This function must return a gnutls_datum_t containing the - * data on success, or a gnutls_datum_t containing null and 0 on failure. - * - * The datum's data must be allocated using the function - * gnutls_malloc(). - * - * The first argument to retr_func() will be null unless gnutls_db_set_ptr() - * has been called. - * - **/ -void -gnutls_db_set_retrieve_function (gnutls_session_t session, - gnutls_db_retr_func retr_func) -{ - session->internals.db_retrieve_func = retr_func; -} - -/** - * gnutls_db_set_remove_function - Sets the function that will be used to remove data - * @session: is a #gnutls_session_t structure. - * @rem_func: is the function. - * - * Sets the function that will be used to remove data from the resumed - * sessions database. This function must return 0 on success. - * - * The first argument to rem_func() will be null unless gnutls_db_set_ptr() - * has been called. - * - **/ -void -gnutls_db_set_remove_function (gnutls_session_t session, - gnutls_db_remove_func rem_func) -{ - session->internals.db_remove_func = rem_func; -} - -/** - * gnutls_db_set_store_function - Sets the function that will be used to put data - * @session: is a #gnutls_session_t structure. - * @store_func: is the function - * - * Sets the function that will be used to store data from the resumed - * sessions database. This function must remove 0 on success. - * - * The first argument to store_func() will be null unless gnutls_db_set_ptr() - * has been called. - * - **/ -void -gnutls_db_set_store_function (gnutls_session_t session, - gnutls_db_store_func store_func) -{ - session->internals.db_store_func = store_func; -} - -/** - * gnutls_db_set_ptr - Sets a pointer to be sent to db functions - * @session: is a #gnutls_session_t structure. - * @ptr: is the pointer - * - * Sets the pointer that will be provided to db store, retrieve and delete functions, as - * the first argument. - * - **/ -void -gnutls_db_set_ptr (gnutls_session_t session, void *ptr) -{ - session->internals.db_ptr = ptr; -} - -/** - * gnutls_db_get_ptr - Returns the pointer which is sent to db functions - * @session: is a #gnutls_session_t structure. - * - * Returns the pointer that will be sent to db store, retrieve and delete functions, as - * the first argument. - * - **/ -void * -gnutls_db_get_ptr (gnutls_session_t session) -{ - return session->internals.db_ptr; -} - -/** - * gnutls_db_set_cache_expiration - Sets the expiration time for resumed sessions. - * @session: is a #gnutls_session_t structure. - * @seconds: is the number of seconds. - * - * Sets the expiration time for resumed sessions. The default is 3600 (one hour) - * at the time writing this. - **/ -void -gnutls_db_set_cache_expiration (gnutls_session_t session, int seconds) -{ - session->internals.expire_time = seconds; -} - -/** - * gnutls_db_check_entry - checks if the given db entry has expired - * @session: is a #gnutls_session_t structure. - * @session_entry: is the session data (not key) - * - * This function returns GNUTLS_E_EXPIRED, if the database entry - * has expired or 0 otherwise. This function is to be used when - * you want to clear unnesessary session which occupy space in your - * backend. - * - **/ -int -gnutls_db_check_entry (gnutls_session_t session, gnutls_datum_t session_entry) -{ - time_t timestamp; - - timestamp = time (0); - - if (session_entry.data != NULL) - if (timestamp - - ((security_parameters_st *) (session_entry.data))->timestamp <= - session->internals.expire_time - || ((security_parameters_st *) (session_entry.data))-> - timestamp > timestamp - || ((security_parameters_st *) (session_entry.data))->timestamp == 0) - return GNUTLS_E_EXPIRED; - - return 0; -} - -/* The format of storing data is: - * (forget it). Check gnutls_session_pack.c - */ -int -_gnutls_server_register_current_session (gnutls_session_t session) -{ - gnutls_datum_t key; - gnutls_datum_t content; - int ret = 0; - - key.data = session->security_parameters.session_id; - key.size = session->security_parameters.session_id_size; - - if (session->internals.resumable == RESUME_FALSE) - { - gnutls_assert (); - return GNUTLS_E_INVALID_SESSION; - } - - if (session->security_parameters.session_id == NULL - || session->security_parameters.session_id_size == 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_SESSION; - } - -/* copy data */ - ret = _gnutls_session_pack (session, &content); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_store_session (session, key, content); - _gnutls_free_datum (&content); - - return ret; -} - -/* Checks if both db_store and db_retrieve functions have - * been set up. - */ -static int -_gnutls_db_func_is_ok (gnutls_session_t session) -{ - if (session->internals.db_store_func != NULL && - session->internals.db_retrieve_func != NULL && - session->internals.db_remove_func != NULL) - return 0; - else - return GNUTLS_E_DB_ERROR; -} - - -int -_gnutls_server_restore_session (gnutls_session_t session, - uint8_t * session_id, int session_id_size) -{ - gnutls_datum_t data; - gnutls_datum_t key; - int ret; - - key.data = session_id; - key.size = session_id_size; - - if (_gnutls_db_func_is_ok (session) != 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_SESSION; - } - - data = _gnutls_retrieve_session (session, key); - - if (data.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_SESSION; - } - - /* expiration check is performed inside */ - ret = gnutls_session_set_data (session, data.data, data.size); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - gnutls_free (data.data); - - return 0; -} - -int -_gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id, - int session_id_size) -{ - gnutls_datum_t key; - - key.data = session_id; - key.size = session_id_size; - - return _gnutls_remove_session (session, key); -} - - -/* Stores session data to the db backend. - */ -int -_gnutls_store_session (gnutls_session_t session, - gnutls_datum_t session_id, gnutls_datum_t session_data) -{ - int ret = 0; - - if (session->internals.resumable == RESUME_FALSE) - { - gnutls_assert (); - return GNUTLS_E_INVALID_SESSION; - } - - if (_gnutls_db_func_is_ok (session) != 0) - { - return GNUTLS_E_DB_ERROR; - } - - if (session_id.data == NULL || session_id.size == 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_SESSION; - } - - if (session_data.data == NULL || session_data.size == 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_SESSION; - } - /* if we can't read why bother writing? */ - - if (session->internals.db_store_func != NULL) - ret = - session->internals.db_store_func (session->internals.db_ptr, - session_id, session_data); - - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); - -} - -/* Retrieves session data from the db backend. - */ -gnutls_datum_t -_gnutls_retrieve_session (gnutls_session_t session, gnutls_datum_t session_id) -{ - gnutls_datum_t ret = { NULL, 0 }; - - if (session_id.data == NULL || session_id.size == 0) - { - gnutls_assert (); - return ret; - } - - if (session->internals.db_retrieve_func != NULL) - ret = - session->internals.db_retrieve_func (session->internals.db_ptr, - session_id); - - return ret; - -} - -/* Removes session data from the db backend. - */ -int -_gnutls_remove_session (gnutls_session_t session, gnutls_datum_t session_id) -{ - int ret = 0; - - if (_gnutls_db_func_is_ok (session) != 0) - { - return GNUTLS_E_DB_ERROR; - } - - if (session_id.data == NULL || session_id.size == 0) - return GNUTLS_E_INVALID_SESSION; - - /* if we can't read why bother writing? */ - if (session->internals.db_remove_func != NULL) - ret = - session->internals.db_remove_func (session->internals.db_ptr, - session_id); - - return (ret == 0 ? ret : GNUTLS_E_DB_ERROR); - -} - -/** - * gnutls_db_remove_session - This function will remove the current session data from the database - * @session: is a #gnutls_session_t structure. - * - * This function will remove the current session data from the session - * database. This will prevent future handshakes reusing these session - * data. This function should be called if a session was terminated - * abnormally, and before gnutls_deinit() is called. - * - * Normally gnutls_deinit() will remove abnormally terminated sessions. - * - **/ -void -gnutls_db_remove_session (gnutls_session_t session) -{ - /* if the session has failed abnormally it has - * to be removed from the db - */ - _gnutls_db_remove_session (session, - session->security_parameters.session_id, - session->security_parameters.session_id_size); -} diff --git a/src/daemon/https/tls/gnutls_db.h b/src/daemon/https/tls/gnutls_db.h @@ -1,37 +0,0 @@ -/* - * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation - * - * Author: Nikos Mavrogiannopoulos - * - * This file is part of GNUTLS. - * - * The GNUTLS library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public License - * as published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, - * USA - * - */ - -int _gnutls_server_register_current_session (gnutls_session_t session); -int _gnutls_server_restore_session (gnutls_session_t session, - uint8_t * session_id, - int session_id_size); -int _gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id, - int session_id_size); -int _gnutls_store_session (gnutls_session_t session, - gnutls_datum_t session_id, - gnutls_datum_t session_data); -gnutls_datum_t _gnutls_retrieve_session (gnutls_session_t session, - gnutls_datum_t session_id); -int _gnutls_remove_session (gnutls_session_t session, - gnutls_datum_t session_id); diff --git a/src/daemon/https/tls/gnutls_handshake.c b/src/daemon/https/tls/gnutls_handshake.c @@ -37,7 +37,6 @@ #include "gnutls_handshake.h" #include "gnutls_num.h" #include "gnutls_hash_int.h" -#include "gnutls_db.h" #include "gnutls_extensions.h" #include "gnutls_supplemental.h" #include "gnutls_auth_int.h" @@ -338,7 +337,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, int datalen) { uint8_t session_id_len; - int pos = 0, ret; + int pos = 0, ret = 0; uint16_t suite_size, comp_size; gnutls_protocol_t adv_version; int neg_version; @@ -383,10 +382,10 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data, } DECR_LEN (len, session_id_len); - ret = _gnutls_server_restore_session (session, &data[pos], session_id_len); pos += session_id_len; - if (ret == 0) + /* TODO rm if support for resumed sessions won't be supported */ + if (0) { /* resumed! */ resume_copy_required_values (session); session->internals.resumed = RESUME_TRUE; @@ -2647,12 +2646,6 @@ _gnutls_handshake_common (gnutls_session_t session) IMED_RET ("recv handshake final 2", ret); } - if (session->security_parameters.entity == GNUTLS_SERVER) - { - /* in order to support session resuming */ - _gnutls_server_register_current_session (session); - } - /* clear handshake buffer */ _gnutls_handshake_hash_buffers_clear (session); return ret; diff --git a/src/daemon/https/tls/gnutls_int.h b/src/daemon/https/tls/gnutls_int.h @@ -380,7 +380,7 @@ typedef struct typedef struct { unsigned int priority[MAX_ALGOS]; - unsigned int algorithms; + unsigned int num_algorithms; } priority_st; /* For the external api */ @@ -391,6 +391,8 @@ struct gnutls_priority_st priority_st kx; priority_st compression; priority_st protocol; + + /* certificate type : x509, OpenPGP, etc. */ priority_st cert_type; /* to disable record padding */ diff --git a/src/daemon/https/tls/gnutls_priority.c b/src/daemon/https/tls/gnutls_priority.c @@ -56,7 +56,7 @@ gnutls_cipher_set_priority (gnutls_session_t session, const int *list) num++; if (num > MAX_ALGOS) num = MAX_ALGOS; - session->internals.priorities.cipher.algorithms = num; + session->internals.priorities.cipher.num_algorithms = num; for (i = 0; i < num; i++) { @@ -75,7 +75,7 @@ _set_priority (priority_st * st, const int *list) num++; if (num > MAX_ALGOS) num = MAX_ALGOS; - st->algorithms = num; + st->num_algorithms = num; for (i = 0; i < num; i++) { diff --git a/src/daemon/https/tls/gnutls_record.c b/src/daemon/https/tls/gnutls_record.c @@ -35,7 +35,6 @@ #include "gnutls_hash_int.h" #include "gnutls_cipher_int.h" #include "gnutls_algorithms.h" -#include "gnutls_db.h" #include "gnutls_auth_int.h" #include "gnutls_num.h" #include "gnutls_record.h" @@ -289,7 +288,7 @@ session_is_valid (gnutls_session_t session) return 0; } -/* Copies the record version into the headers. The +/* Copies the record version into the headers. The * version must have 2 bytes at least. */ inline static void @@ -316,7 +315,7 @@ copy_record_version (gnutls_session_t session, /* This function behaves exactly like write(). The only difference is * that it accepts, the gnutls_session_t and the content_type_t of data to * send (if called by the user the Content is specific) - * It is intended to transfer data, under the current session. + * It is intended to transfer data, under the current session. * * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE. * This makes the function much easier to read, and more error resistant @@ -376,7 +375,7 @@ _gnutls_send_int (gnutls_session_t session, else data2send_size = sizeofdata; - /* Only encrypt if we don't have data to send + /* Only encrypt if we don't have data to send * from the previous run. - probably interrupted. */ if (session->internals.record_send_buffer.length > 0) @@ -469,7 +468,7 @@ _gnutls_send_int (gnutls_session_t session, return retval; } -/* This function is to be called if the handshake was successfully +/* This function is to be called if the handshake was successfully * completed. This sends a Change Cipher Spec packet to the peer. */ ssize_t @@ -556,8 +555,8 @@ record_check_headers (gnutls_session_t session, uint16_t * length, uint16_t * header_size) { - /* Read the first two bytes to determine if this is a - * version 2 message + /* Read the first two bytes to determine if this is a + * version 2 message */ if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE @@ -565,7 +564,7 @@ record_check_headers (gnutls_session_t session, { /* if msb set and expecting handshake message - * it should be SSL 2 hello + * it should be SSL 2 hello */ version[0] = 3; /* assume SSL 3.0 */ version[1] = 0; @@ -593,7 +592,7 @@ record_check_headers (gnutls_session_t session, version[0] = headers[1]; version[1] = headers[2]; - /* No DECR_LEN, since headers has enough size. + /* No DECR_LEN, since headers has enough size. */ *length = _gnutls_read_uint16 (&headers[3]); } @@ -676,7 +675,7 @@ record_check_type (gnutls_session_t session, */ if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) { - /* If we have been expecting for an alert do + /* If we have been expecting for an alert do */ session->internals.read_eof = 1; return GNUTLS_E_INT_RET_0; /* EOF */ @@ -911,7 +910,7 @@ begin: } /* Here we check if the Type of the received packet is - * ok. + * ok. */ if ((ret = check_recv_type (recv_type)) < 0) { @@ -952,7 +951,7 @@ begin: return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } - /* check if we have that data into buffer. + /* check if we have that data into buffer. */ if ((ret = _gnutls_io_read_buffered (session, &recv_data, header_size + length, recv_type)) @@ -1017,7 +1016,7 @@ begin: read_sequence_number), _gnutls_packet2str (recv_type), recv_type, decrypted_length); - /* increase sequence number + /* increase sequence number */ if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0) { @@ -1037,7 +1036,7 @@ begin: return ret; } - /* Get Application data from buffer + /* Get Application data from buffer */ if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type == GNUTLS_HANDSHAKE @@ -1051,7 +1050,7 @@ begin: return ret; } - /* if the buffer just got empty + /* if the buffer just got empty */ if (_gnutls_record_buffer_get_size (type, session) == 0) { @@ -1066,11 +1065,11 @@ begin: { gnutls_assert (); return GNUTLS_E_UNEXPECTED_PACKET; - /* we didn't get what we wanted to + /* we didn't get what we wanted to */ } - /* (originally for) TLS 1.0 CBC protection. + /* (originally for) TLS 1.0 CBC protection. * Actually this code is called if we just received * an empty packet. An empty TLS packet is usually * sent to protect some vulnerabilities in the CBC mode. diff --git a/src/daemon/https/tls/gnutls_session.c b/src/daemon/https/tls/gnutls_session.c @@ -24,7 +24,7 @@ #include "gnutls_int.h" #include "gnutls_errors.h" #include "debug.h" -#include <gnutls_session_pack.h> +#include "gnutls_session_pack.h" #include <gnutls_datum.h> /** @@ -123,10 +123,10 @@ gnutls_session_get_data2 (gnutls_session_t session, gnutls_datum_t * data) * * Returns the current session id. This can be used if you want to check if * the next session you tried to resume was actually resumed. - * This is because resumed sessions have the same sessionID with the + * This is because resumed sessions have the same sessionID with the * original session. * - * Session id is some data set by the server, that identify the current session. + * Session id is some data set by the server, that identify the current session. * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. * * Returns zero on success. diff --git a/src/daemon/https/tls/gnutls_session_pack.c b/src/daemon/https/tls/gnutls_session_pack.c @@ -54,6 +54,169 @@ static int unpack_security_parameters (gnutls_session_t session, static int pack_security_parameters (gnutls_session_t session, gnutls_datum_t * packed_session); +/* Packs the ANON session authentication data. */ +#ifdef ENABLE_ANON + +/* Format: + * 1 byte the credentials type + * 4 bytes the size of the whole structure + * 2 bytes the size of secret key in bits + * 4 bytes the size of the prime + * x bytes the prime + * 4 bytes the size of the generator + * x bytes the generator + * 4 bytes the size of the public key + * x bytes the public key + */ +static int +pack_anon_auth_info (gnutls_session_t session, gnutls_datum_t * packed_session) +{ + anon_auth_info_t info = _gnutls_get_auth_info (session); + int pos = 0; + size_t pack_size; + + if (info) + pack_size = 2 + 4 * 3 + info->dh.prime.size + + info->dh.generator.size + info->dh.public_key.size; + else + pack_size = 0; + + packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t); + + /* calculate the size and allocate the data. + */ + packed_session->data = + gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); + + if (packed_session->data == NULL) + { + gnutls_assert (); + return GNUTLS_E_MEMORY_ERROR; + } + + packed_session->data[0] = MHD_GNUTLS_CRD_ANON; + _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); + pos += 4 + PACK_HEADER_SIZE; + + if (pack_size > 0) + { + _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); + pos += 2; + + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); + pos += 4 + info->dh.prime.size; + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); + pos += 4 + info->dh.generator.size; + _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); + pos += 4 + info->dh.public_key.size; + + } + + return 0; +} + +/* Format: + * 1 byte the credentials type + * 4 bytes the size of the whole structure + * 2 bytes the size of secret key in bits + * 4 bytes the size of the prime + * x bytes the prime + * 4 bytes the size of the generator + * x bytes the generator + * 4 bytes the size of the public key + * x bytes the public key + */ +static int +unpack_anon_auth_info (gnutls_session_t session, + const gnutls_datum_t * packed_session) +{ + size_t pack_size; + int pos = 0, size, ret; + anon_auth_info_t info; + + if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); + pos += PACK_HEADER_SIZE + 4; + + + if (pack_size == 0) + return 0; /* nothing to be done */ + + /* a simple check for integrity */ + if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) + { + gnutls_assert (); + return GNUTLS_E_INVALID_REQUEST; + } + + /* client and serer have the same auth_info here + */ + ret = + _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON, + sizeof (anon_auth_info_st), 1); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + + info = _gnutls_get_auth_info (session); + if (info == NULL) + { + gnutls_assert (); + return GNUTLS_E_INTERNAL_ERROR; + } + + info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); + pos += 2; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; + } + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); + if (ret < 0) + { + gnutls_assert (); + goto error; + } + pos += size; + + size = _gnutls_read_uint32 (&packed_session->data[pos]); + pos += 4; + ret = + _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], + size); + if (ret < 0) + { + gnutls_assert (); + goto error; + } + pos += size; + + return 0; + +error: + _gnutls_free_datum (&info->dh.prime); + _gnutls_free_datum (&info->dh.generator); + _gnutls_free_datum (&info->dh.public_key); + return ret; +} +#endif /* ANON */ /* Since auth_info structures contain malloced data, this function * is required in order to pack these structures in a vector in @@ -121,7 +284,7 @@ _gnutls_session_pack (gnutls_session_t session, } - /* Auth_info structures copied. Now copy security_parameters_st. + /* Auth_info structures copied. Now copy security_parameters_st. * packed_session must have allocated space for the security parameters. */ ret = pack_security_parameters (session, packed_session); @@ -201,7 +364,7 @@ _gnutls_session_unpack (gnutls_session_t session, } - /* Auth_info structures copied. Now copy security_parameters_st. + /* Auth_info structures copied. Now copy security_parameters_st. * packed_session must have allocated space for the security parameters. */ ret = unpack_security_parameters (session, packed_session); @@ -477,7 +640,7 @@ error: /* Packs the SRP session authentication data. */ -/* Format: +/* Format: * 1 byte the credentials type * 4 bytes the size of the SRP username (x) * x bytes the SRP username @@ -569,167 +732,12 @@ unpack_srp_auth_info (gnutls_session_t session, #endif -#ifdef ENABLE_ANON -/* Packs the ANON session authentication data. - */ - -/* Format: - * 1 byte the credentials type - * 4 bytes the size of the whole structure - * 2 bytes the size of secret key in bits - * 4 bytes the size of the prime - * x bytes the prime - * 4 bytes the size of the generator - * x bytes the generator - * 4 bytes the size of the public key - * x bytes the public key - */ -static int -pack_anon_auth_info (gnutls_session_t session, - gnutls_datum_t * packed_session) -{ - anon_auth_info_t info = _gnutls_get_auth_info (session); - int pos = 0; - size_t pack_size; - - if (info) - pack_size = 2 + 4 * 3 + info->dh.prime.size + - info->dh.generator.size + info->dh.public_key.size; - else - pack_size = 0; - - packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t); - - /* calculate the size and allocate the data. - */ - packed_session->data = - gnutls_malloc (packed_session->size + MAX_SEC_PARAMS); - - if (packed_session->data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - packed_session->data[0] = MHD_GNUTLS_CRD_ANON; - _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]); - pos += 4 + PACK_HEADER_SIZE; - - if (pack_size > 0) - { - _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]); - pos += 2; - - _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime); - pos += 4 + info->dh.prime.size; - _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator); - pos += 4 + info->dh.generator.size; - _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key); - pos += 4 + info->dh.public_key.size; - - } - - return 0; -} - - -static int -unpack_anon_auth_info (gnutls_session_t session, - const gnutls_datum_t * packed_session) -{ - size_t pack_size; - int pos = 0, size, ret; - anon_auth_info_t info; - - if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]); - pos += PACK_HEADER_SIZE + 4; - - - if (pack_size == 0) - return 0; /* nothing to be done */ - - /* a simple check for integrity */ - if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* client and serer have the same auth_info here - */ - ret = - _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON, - sizeof (anon_auth_info_st), 1); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - info = _gnutls_get_auth_info (session); - if (info == NULL) - { - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } - - info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]); - pos += 2; - - size = _gnutls_read_uint32 (&packed_session->data[pos]); - pos += 4; - ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - pos += size; - - size = _gnutls_read_uint32 (&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - pos += size; - - size = _gnutls_read_uint32 (&packed_session->data[pos]); - pos += 4; - ret = - _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos], - size); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - pos += size; - - return 0; - -error: - _gnutls_free_datum (&info->dh.prime); - _gnutls_free_datum (&info->dh.generator); - _gnutls_free_datum (&info->dh.public_key); - return ret; -} -#endif /* ANON */ #ifdef ENABLE_PSK /* Packs the PSK session authentication data. */ -/* Format: +/* Format: * 1 byte the credentials type * 4 bytes the size of the whole structure * 4 bytes the size of the PSK username (x) @@ -909,7 +917,7 @@ error: /* Packs the security parameters. */ -/* Format: +/* Format: * 4 bytes the total security data size * 1 byte the entity type (client/server) * 1 byte the key exchange algorithm used @@ -947,7 +955,7 @@ error: * * 2 bytes the number of server name extensions (up to MAX_SERVER_NAME_EXTENSIONS) * 1 byte the first name type - * 2 bytes the size of the first name + * 2 bytes the size of the first name * x bytes the first name (MAX_SERVER_NAME_SIZE) * and so on... * diff --git a/src/daemon/https/tls/gnutls_state.c b/src/daemon/https/tls/gnutls_state.c @@ -32,7 +32,6 @@ #include <gnutls_auth_int.h> #include <gnutls_num.h> #include <gnutls_datum.h> -#include <gnutls_db.h> #include <gnutls_record.h> #include <gnutls_handshake.h> #include <gnutls_dh.h> @@ -154,11 +153,11 @@ _gnutls_session_cert_type_supported (gnutls_session_t session, } } - if (session->internals.priorities.cert_type.algorithms == 0 && cert_type + if (session->internals.priorities.cert_type.num_algorithms == 0 && cert_type == DEFAULT_CERT_TYPE) return 0; - for (i = 0; i < session->internals.priorities.cert_type.algorithms; i++) + for (i = 0; i < session->internals.priorities.cert_type.num_algorithms; i++) { if (session->internals.priorities.cert_type.priority[i] == cert_type) { diff --git a/src/daemon/https/tls/gnutls_x509.c b/src/daemon/https/tls/gnutls_x509.c @@ -93,9 +93,9 @@ check_bits (gnutls_x509_crt_t crt, unsigned int max_bits) * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status * @session: is a gnutls session * - * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). + * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements. - * However you must also check the peer's name in order to check if the verified certificate belongs to the + * However you must also check the peer's name in order to check if the verified certificate belongs to the * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. * -*/ @@ -178,7 +178,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session, } - /* Verify certificate + /* Verify certificate */ ret = gnutls_x509_crt_list_verify (peer_certificate_list, @@ -522,7 +522,7 @@ parse_pem_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts, } _gnutls_free_datum (&tmp); /* free ptr2 */ - /* now we move ptr after the pem header + /* now we move ptr after the pem header */ ptr++; /* find the next certificate (if any) @@ -794,18 +794,18 @@ read_key_file (gnutls_certificate_credentials_t res, * @key: is the private key, or %NULL * @type: is PEM or DER * - * This function sets a certificate/private key pair in the + * This function sets a certificate/private key pair in the * gnutls_certificate_credentials_t structure. This function may be called * more than once (in case multiple keys/certificates exist for the * server). * - * Currently are supported: RSA PKCS-1 encoded private keys, + * Currently are supported: RSA PKCS-1 encoded private keys, * DSA private keys. * * DSA private keys are encoded the OpenSSL way, which is an ASN.1 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv. * - * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates + * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates * is supported. This means that certificates intended for signing cannot * be used for ciphersuites that require encryption. * @@ -825,7 +825,7 @@ gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t { int ret; - /* this should be first + /* this should be first */ if ((ret = read_key_mem (res, key ? key->data : NULL, key ? key->size : 0, type)) < 0) @@ -867,7 +867,7 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res, { int ret, i; - /* this should be first + /* this should be first */ res->pkey = @@ -956,7 +956,7 @@ gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t { int ret; - /* this should be first + /* this should be first */ if ((ret = read_key_file (res, KEYFILE, type)) < 0) return ret; @@ -983,7 +983,7 @@ generate_rdn_seq (gnutls_certificate_credentials_t res) unsigned size, i; opaque *pdata; - /* Generate the RDN sequence + /* Generate the RDN sequence * This will be sent to clients when a certificate * request message is sent. */ @@ -1036,11 +1036,8 @@ generate_rdn_seq (gnutls_certificate_credentials_t res) return 0; } - - - -/* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this - * certificate (uses the KeyUsage field). +/* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this + * certificate (uses the KeyUsage field). */ int _gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg) @@ -1158,7 +1155,7 @@ parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts, return ret; } - /* now we move ptr after the pem header + /* now we move ptr after the pem header */ ptr++; size--; @@ -1452,7 +1449,7 @@ parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls, return ret; } - /* now we move ptr after the pem header + /* now we move ptr after the pem header */ ptr++; /* find the next certificate (if any) diff --git a/src/daemon/https/x509/pkcs12.h b/src/daemon/https/x509/pkcs12.h @@ -23,7 +23,6 @@ */ /* TODO clean */ - #ifndef GNUTLS_PKCS12_H #define GNUTLS_PKCS12_H diff --git a/src/daemon/internal.h b/src/daemon/internal.h @@ -627,8 +627,13 @@ struct MHD_Daemon unsigned short port; #if HTTPS_SUPPORT - /* server credintials */ - gnutls_certificate_credentials_t x509_cret; + gnutls_credentials_type_t cred_type; + + /* server x509 credintials */ + gnutls_certificate_credentials_t x509_cred; + + /* credentials used for anonymous authentication */ + gnutls_anon_server_credentials_t anon_cred; /* cipher priority cache */ gnutls_priority_t priority_cache; diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h @@ -64,8 +64,6 @@ * depend on your platform; for possible suggestions consult * "platform.h" in the MHD distribution). * - * TODO: - * - Add option codes for SSL support */ #ifndef MHD_MICROHTTPD_H @@ -380,6 +378,13 @@ enum MHD_OPTION MHD_OPTION_HTTPS_MEM_CERT, /* + * daemon credentials type. either certificate or anonymous, + * this option should be followed by one of the values listed in + * gnutls_credentials_type_t. + */ + MHD_OPTION_CRED_TYPE, + + /* * SSL/TLS protocol version * * Memory pointer to a zero terminated int array representing the @@ -714,11 +719,17 @@ typedef int */ struct MHD_Daemon * MHD_start_daemon_va (unsigned int options, - unsigned short port, + unsigned short port, char * ip, MHD_AcceptPolicyCallback apc, void *apc_cls, MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap); +struct MHD_Daemon * +MHD_start_daemon_ip (unsigned int options, + unsigned short port, char *ip, + MHD_AcceptPolicyCallback apc, + void *apc_cls, + MHD_AccessHandlerCallback dh, void *dh_cls, ...); /* * Variadic version of MHD_start_daemon_va. This function will delegate calls @@ -1025,6 +1036,7 @@ typedef enum MHD_GNUTLS_KX_SRP_DSS } gnutls_kx_algorithm_t; +/* server credentials type */ typedef enum { MHD_GNUTLS_CRD_CERTIFICATE = 1, @@ -1034,6 +1046,7 @@ typedef enum MHD_GNUTLS_CRD_IA } gnutls_credentials_type_t; +/* mac algorithm */ typedef enum { MHD_GNUTLS_MAC_UNKNOWN = 0, @@ -1056,7 +1069,7 @@ typedef enum MHD_GNUTLS_DIG_SHA256 = MHD_GNUTLS_MAC_SHA256 } gnutls_digest_algorithm_t; - +/* compression method */ typedef enum { MHD_GNUTLS_COMP_UNKNOWN = 0, @@ -1067,6 +1080,7 @@ typedef enum */ } gnutls_compression_method_t; +/* protocol type */ typedef enum { MHD_GNUTLS_SSL3 = 1, @@ -1076,6 +1090,7 @@ typedef enum MHD_GNUTLS_VERSION_UNKNOWN = 0xff } gnutls_protocol_t; +/* certificate_type */ typedef enum { MHD_GNUTLS_CRT_UNKNOWN = 0, diff --git a/src/testcurl/https/tls_alert_test.c b/src/testcurl/https/tls_alert_test.c @@ -62,7 +62,7 @@ setup (gnutls_session_t * session, gnutls_datum_t * cert, gnutls_certificate_credentials_t * xcred) { int ret; - const char **err_pos; + const char ** err_pos; gnutls_certificate_allocate_credentials (xcred); diff --git a/src/testcurl/https/tls_authentication_test.c b/src/testcurl/https/tls_authentication_test.c @@ -39,10 +39,12 @@ extern int curl_check_version (const char *req_version, ...); +const int DEBUG_GNUTLS_LOG_LEVEL = 6; const char *ca_cert_file_name = "ca_cert_pem"; const char *test_file_name = "https_test_file"; const char test_file_data[] = "Hello World\n"; + struct CBC { char *buf; @@ -173,8 +175,8 @@ test_daemon_get (FILE * test_fd, char *cipher_suite, int proto_version) #endif curl_easy_setopt (c, CURLOPT_URL, url); curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); - curl_easy_setopt (c, CURLOPT_TIMEOUT, 3L); - curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 3L); + curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L); + curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 10L); curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, ©Buffer); curl_easy_setopt (c, CURLOPT_FILE, &cbc); @@ -224,14 +226,13 @@ test_secure_get (FILE * test_fd, char *cipher_suite, int proto_version) { int ret; struct MHD_Daemon *d; - int kx[] = { MHD_GNUTLS_KX_DHE_RSA, 0 }; - d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | + d = MHD_start_daemon(MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | MHD_USE_DEBUG, 42433, NULL, NULL, &http_ahc, NULL, MHD_OPTION_HTTPS_MEM_KEY, srv_signed_key_pem, MHD_OPTION_HTTPS_MEM_CERT, srv_signed_cert_pem, - MHD_OPTION_KX_PRIORITY, kx, MHD_OPTION_END); + MHD_OPTION_END); if (d == NULL) { @@ -308,7 +309,7 @@ main (int argc, char *const *argv) FILE *test_fd; unsigned int errorCount = 0; - /* gnutls_global_set_log_level (11); */ + gnutls_global_set_log_level (DEBUG_GNUTLS_LOG_LEVEL); if (curl_check_version (MHD_REQ_CURL_VERSION)) { @@ -330,7 +331,7 @@ main (int argc, char *const *argv) } errorCount += - test_secure_get (test_fd, "AES256-SHA", CURL_SSLVERSION_SSLv3); + test_secure_get (test_fd, "AES256-SHA", CURL_SSLVERSION_TLSv1); if (errorCount != 0) fprintf (stderr, "Failed test: %s.\n", argv[0]); diff --git a/src/testcurl/https/tls_daemon_options_test.c b/src/testcurl/https/tls_daemon_options_test.c @@ -32,6 +32,7 @@ #include "gnutls.h" #include <curl/curl.h> +#define DEBUG_CURL_VERBOSE 0 #define PAGE_NOT_FOUND "<html><head><title>File not found</title></head><body>File not found</body></html>" #define MHD_E_MEM "Error: memory error\n" @@ -42,6 +43,7 @@ #include "tls_test_keys.h" +const int DEBUG_GNUTLS_LOG_LEVEL = 0; const char *test_file_name = "https_test_file"; const char test_file_data[] = "Hello World\n"; @@ -123,7 +125,7 @@ http_ahc (void *cls, struct MHD_Connection *connection, * @param test_fd: file to attempt transfering */ static int -test_https_transfer (FILE * test_fd, char * cipher_suite, int proto_version) +test_https_transfer (FILE * test_fd, char *cipher_suite, int proto_version) { CURL *c; CURLcode errornum; @@ -172,7 +174,7 @@ test_https_transfer (FILE * test_fd, char * cipher_suite, int proto_version) doc_path, test_file_name); c = curl_easy_init (); -#ifdef DEBUG +#if DEBUG_CURL_VERBOSE curl_easy_setopt (c, CURLOPT_VERBOSE, 1); #endif curl_easy_setopt (c, CURLOPT_URL, url); @@ -249,14 +251,11 @@ setupTestFile () } static int -setup (struct MHD_Daemon **d, enum MHD_OPTION option, void * value ) +setup (struct MHD_Daemon **d, va_list arg_list) { - *d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | - MHD_USE_DEBUG, 42433, - NULL, NULL, &http_ahc, NULL, - MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, - MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem, - option, value, MHD_OPTION_END); + *d = MHD_start_daemon_va (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | + MHD_USE_DEBUG, 42433, "127.0.0.1", + NULL, NULL, &http_ahc, NULL, arg_list); if (*d == NULL) { @@ -273,19 +272,37 @@ teardown (struct MHD_Daemon *d) MHD_stop_daemon (d); } +/* TODO test_wrap: change sig to (setup_func, test, va_list test_arg) & move to test_util.c */ int -test_wrap (int +test_wrap (char *test_name, int (*test) (FILE * test_fd, char *cipher_suite, int proto_version), - FILE * test_fd, char *cipher_suite, int proto_version, - enum MHD_OPTION option, void * value) + FILE * test_fd, char *cipher_suite, int proto_version, ...) { int ret; + va_list arg_list; struct MHD_Daemon *d; - if (setup (&d, option, value) != 0) - return -1; + va_start (arg_list, proto_version); + if (setup (&d, arg_list) != 0) + { + va_end (arg_list); + return -1; + } + + fprintf (stdout, "running test: %s ", test_name); ret = test (test_fd, cipher_suite, proto_version); + + if (ret == 0) + { + fprintf (stdout, "[pass]\n"); + } + else + { + fprintf (stdout, "[fail]\n"); + } + teardown (d); + va_end (arg_list); return ret; } @@ -336,6 +353,9 @@ test_file_certificates (FILE * test_fd, char *cipher_suite, int proto_version) return ret; } +/* + * test server refuses to negotiate connections with unsupported protocol versions + */ int test_protocol_version (FILE * test_fd, char *cipher_suite, int curl_proto_version) @@ -344,7 +364,7 @@ test_protocol_version (FILE * test_fd, char *cipher_suite, CURLcode errornum; c = curl_easy_init (); -#ifdef DEBUG +#if DEBUG_CURL_VERBOSE curl_easy_setopt (c, CURLOPT_VERBOSE, 1); #endif curl_easy_setopt (c, CURLOPT_URL, "https://localhost:42433/"); @@ -384,7 +404,7 @@ main (int argc, char *const *argv) FILE *test_fd; unsigned int errorCount = 0; - gnutls_global_set_log_level(11); + gnutls_global_set_log_level (DEBUG_GNUTLS_LOG_LEVEL); if (curl_check_version (MHD_REQ_CURL_VERSION)) { @@ -403,54 +423,61 @@ main (int argc, char *const *argv) return -1; } - int mac[] = {MHD_GNUTLS_MAC_SHA1, 0}; - int p [] = {MHD_GNUTLS_SSL3, 0}; + int mac[] = { MHD_GNUTLS_MAC_SHA1, 0 }; + int p[] = { MHD_GNUTLS_SSL3, 0 }; int cipher[] = { MHD_GNUTLS_CIPHER_3DES_CBC, 0 }; - int kx[] = { MHD_GNUTLS_KX_DHE_RSA, 0 }; - - -// errorCount += -// test_wrap (&test_https_transfer, test_fd, "AES256-SHA", -// CURL_SSLVERSION_TLSv1, MHD_OPTION_END, 0); -// errorCount += -// test_wrap (&test_file_certificates, test_fd, "AES256-SHA", -// CURL_SSLVERSION_TLSv1, MHD_OPTION_END, 0); -// -// errorCount += -// test_wrap (&test_protocol_version, test_fd, "AES256-SHA", -// CURL_SSLVERSION_TLSv1, MHD_OPTION_PROTOCOL_VERSION, p); -// -// errorCount += -// test_wrap (&test_https_transfer, test_fd, "DES-CBC3-SHA", -// CURL_SSLVERSION_TLSv1, MHD_OPTION_CIPHER_ALGORITHM, cipher); + int kx[] = { MHD_GNUTLS_KX_ANON_DH, 0 }; errorCount += - test_wrap (&test_https_transfer, test_fd, "AES256-SHA", - CURL_SSLVERSION_TLSv1, MHD_OPTION_MAC_ALGO, mac); - - // errorCount += - // test_wrap (&test_https_transfer, test_fd, "EDH-RSA-DES-CBC3-SHA", - // CURL_SSLVERSION_TLSv1, MHD_OPTION_KX_PRIORITY, kx); + test_wrap ("https_transfer", &test_https_transfer, test_fd, "AES256-SHA", + CURL_SSLVERSION_TLSv1, + MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, + MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem, + MHD_OPTION_END); + errorCount += + test_wrap ("file certificates", &test_file_certificates, test_fd, + "AES256-SHA", CURL_SSLVERSION_TLSv1, MHD_OPTION_HTTPS_MEM_KEY, + srv_key_pem, MHD_OPTION_HTTPS_MEM_CERT, + srv_self_signed_cert_pem, MHD_OPTION_END); + errorCount += + test_wrap ("protocol_version", &test_protocol_version, test_fd, + "AES256-SHA", CURL_SSLVERSION_TLSv1, MHD_OPTION_HTTPS_MEM_KEY, + srv_key_pem, MHD_OPTION_HTTPS_MEM_CERT, + srv_self_signed_cert_pem, MHD_OPTION_PROTOCOL_VERSION, p, + MHD_OPTION_END); + errorCount += + test_wrap ("cipher DES-CBC3-SHA", &test_https_transfer, test_fd, + "DES-CBC3-SHA", CURL_SSLVERSION_TLSv1, + MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, + MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem, + MHD_OPTION_CIPHER_ALGORITHM, cipher, MHD_OPTION_END); + errorCount += + test_wrap ("mac SH1", &test_https_transfer, test_fd, "AES256-SHA", + CURL_SSLVERSION_TLSv1, MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, + MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem, + MHD_OPTION_MAC_ALGO, mac, MHD_OPTION_END); + errorCount += + test_wrap ("kx ANON_DH", &test_https_transfer, test_fd, + "ADH-DES-CBC3-SHA", CURL_SSLVERSION_TLSv1, + MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, + MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem, + MHD_OPTION_CRED_TYPE, MHD_GNUTLS_CRD_ANON, + MHD_OPTION_CIPHER_ALGORITHM, cipher, MHD_OPTION_KX_PRIORITY, + kx, MHD_OPTION_END); /*gnutls_mac_algorithm_t mac[] = { - {MHD_GNUTLS_MAC_MD5, 0}, 0}; - gnutls_mac_algorithm_t * cur_mac; - - for ( cur_mac = &mac[0]; (*cur_mac) != 0; cur_mac++ ){ - option[0] = MHD_GNUTLS_MAC_SHA1; - errorCount += - test_wrap (&test_https_transfer, test_fd, "AES256-SHA", - CURL_SSLVERSION_TLSv1, MHD_OPTION_MAC_ALGO, option); - }*/ - + {MHD_GNUTLS_MAC_MD5, 0}, 0}; + gnutls_mac_algorithm_t * cur_mac; + for ( cur_mac = &mac[0]; (*cur_mac) != 0; cur_mac++ ){ + option[0] = MHD_GNUTLS_MAC_SHA1; + errorCount += + test_wrap (&test_https_transfer, test_fd, "AES256-SHA", + CURL_SSLVERSION_TLSv1, MHD_OPTION_MAC_ALGO, option); + } */ if (errorCount != 0) fprintf (stderr, "Failed test: %s.\n", argv[0]); - else - { - fprintf (stderr, "ok\n"); - } curl_global_cleanup (); fclose (test_fd); diff --git a/src/testcurl/https/tls_session_time_out_test.c b/src/testcurl/https/tls_session_time_out_test.c @@ -101,7 +101,6 @@ static int test_tls_session_time_out (gnutls_session_t session) { int sd, ret; - char *url = "https://localhost:42433/"; struct sockaddr_in sa; sd = socket (AF_INET, SOCK_STREAM, 0); @@ -153,8 +152,8 @@ main (int argc, char *const *argv) gnutls_global_init (); gnutls_global_set_log_level (11); - d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | - MHD_USE_DEBUG, 42433, + d = MHD_start_daemon_ip(MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | + MHD_USE_DEBUG, 42433, "127.0.0.1", NULL, NULL, &http_ahc, NULL, MHD_OPTION_CONNECTION_TIMEOUT, TIME_OUT, MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, diff --git a/src/testcurl/https/tls_test_keys.h b/src/testcurl/https/tls_test_keys.h @@ -24,105 +24,106 @@ /* Certificate Authority key */ const char ca_key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIIEpAIBAAKCAQEA3vzPUd2yRjeHy9Yi22uX1vGnUPmB5zS+77/B9LubTqnNJ9eB\n" - "jiMegQJsJWFQT/CW8FurYiSMXIuTBirZX7NO6/rlcqifdfKLotSUuXLu5DBvMLCv\n" - "nQ73wCIdCJoVyJbRN0ExHsyGwCDCxaHuY8FlkIsfYo17SNmJNaMSUqdoAZoelmbq\n" - "r9oVciRCQGgrmwEJdPj7EAofWSudV77y85j5rV/t51eNy5liS2qXnoFEmeqTuBo1\n" - "1cSmRbv5dkCHbx+youLyZG39KxB0MZ124Na3qbUY41BPNj1XBljyAoHyY0J1iDqS\n" - "0Zo+njEW6vRbmSMkrA1kH45+alN50X11mSgfoQIDAQABAoIBAAmLu+4Ushpdi5Sd\n" - "P1cidjDFXfDaao5I2LTroghpnNyfaiT+zbj1jctu7K1luuX+Lh7+ZKIGH6RhVP8g\n" - "R9eYBeyWHDsWJwPqCQJkrHR7LCkEfgkRAkaUZsSgzTqCWqUAeFa/xaQcdDcOu/nR\n" - "DKMUexYmz4ZU+VJxPhWHzGuxhxM85uJOPK3rCaYCJoo1vMpF7MeFFvVljhSdyht5\n" - "KD0w6qP0Y+vDe4cD/4W3wq82qXCFPA5oImjSJveEIJumPIjOyLFF+9p9V6hzg8Em\n" - "48cpXcV3SsbaqTr6mSQl6b15zVwWq4CCt4mkeu6vK9PGzdnBiUmWaSXfprDwHaB3\n" - "t1N0GRECgYEA5gP0gmZQDDJTlaGK9Z6pWiwpMBUoYcnqvCn8MQ5uPQn+KZir19AJ\n" - "PkVLfWT9Dcaf3+2d0kBBgGYFWL+wK8DgrqALiLJfM6gP3Ts7G6Bis4GFdWY9aUnT\n" - "6ZhRYdzetVArhTZBRKh8ERQNPy4TmzWDtjVUAfezUcvXqOjl9H5Q01ECgYEA+C2b\n" - "i05t/RYcU0eFVYK8Yfl3jZJiopMdYwXCSCO21Ag2i0fjKC89rCmLlliffSSuDtNk\n" - "xFsaSjns8Vyl7sjMcAOfsGokiUIcFnK/LyVoc3ie2NCiLVzw6zKK8lJ4bhn4afnv\n" - "N9RKXP76emb8MaZroKlKkhMR8f2BvzXbv2NyU1ECgYEAtJeAXu1zhc/xnjaiQqxa\n" - "rMilYfIKrZR571hLgDyjQttYqVIMAbp9t11yorYqlKlRFuCaG9yFUQlIw2BlMkUS\n" - "YyiXRbE+W/Fk2z7I7qzjMarMnNsz9jmX3vzPULW4ScTzFnj9j6l1F3eV2vgTPrYq\n" - "fmGqXo0bRmp0HVMWUPrn/LECgYEA3qHTQkHGS16VZGPpiY8xPVbUV8z07NC6cQVO\n" - "hvZ64XTIsWN4tKjEU3glf2bbFCFef3BFmhv71pBmLRMmy7GYK/gkPdbKFdOXbM/d\n" - "EAcnz0ZqgSeQBM+2U9dQbBdtb5+eiDsszNGFMC2QN1PBcyzOqh6UBbxTwdjfls9S\n" - "5Trp6TECgYAzCZmmJuBW6WDK5ttOF/do6r0aurHr2mOr8oYxmBkhI3wphyUMNuaH\n" - "rUk+R8LAmC1U4MbvvqoZH27xe+xd25mn6whitgZBH3DIetN7myDJep8wEG6aW4R5\n" - "S82zk+LQJ7LTa1nPVPMS10qUXSH9cjShhszfeRIQM+lWbPoaEuo3yQ==\n" - "-----END RSA PRIVATE KEY-----\n"; + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEowIBAAKCAQEAthkEJMVt/l06gPJQCfdMKJdYXdQZGSBkOroWGZfs0oYBcSU3\n" + "JeszCWwDgzw5Ac4o2no9/P7FLVm6+zaIO9gexVi2p1fDhT1+6Lir7O6waS94vLdu\n" + "jxdJPGfakZTktRAA3MBbC1XuMYPYXZ6nUrRkmHLeG6Oj+L0U3iVq0ZjLYjekCmqV\n" + "FXRaDmoLWkmxplKz6UyzUXmNlyU4EzLpek2NjTtEUxh0Te+wD4RivBhCPGr7PRlY\n" + "JhjkTk1u75HP41yQC6MnnfY3IALWwuabBQsreR0W0h17lB3YHdHKjP5xJfEeJPtb\n" + "625+lHQpH4nfzGcna/RFok6xRpjZu7mB3t7XGwIDAQABAoIBABhD2x5/RHn5uFsI\n" + "bwv07SwXhsnyAmoru89rjphYe1FOVBDcsa2W2tUtlIY/VyVbcGw0j+APnvy9EUJ6\n" + "cMrwsKEBgk1oT4CIwkmGmjpXUCCkF8Wl99CPfM3U1PZDTfqmqEbCRx+KktP8Sq+m\n" + "/YryyNjbracnNilmIMq9V6+YWbm7kJHRLVQWHqh/ljji+kCx5y9VII7HYz4217Er\n" + "I5HrnPJodmYrH5Tj8Hj9NY7Ok/IeqD186fPuYH/qf9zWcyg7aa0rTPt/E4XjeOjU\n" + "kxb68+Ybozm0EY1ypa1Yxf3B4hkyrlQ5lfzDSBKqvQkGA92yNDPYiZX71nDHDj9H\n" + "wf8tWlECgYEAxN8bnMXzmGLbNJUQFuEFBCDFE/tAMhBWcN6eyupIwyXXNA8/xGnJ\n" + "rYO4U08YrgvQ6d71xLXAJnsypeJ3FsyIXDar21o5DwVj1ON0nW6xuXsfQWYGEsXm\n" + "fDVf4LVO+P58uAnM3+lKXWMwsw7/ja9VECrOvfTlf7CwwIPfmRzxZEMCgYEA7Mn+\n" + "PBO352EXzXbGTuLY9iFXo3GL4EXB2nbkXBdTxEbPl+ICjg/1MPtRN9l03y8l06/G\n" + "MpbxkpPnSXdjXQ1fgXfG9FuKS89BNUfoEfG/3015w49ZAcBYRmvCSGTspu/hshdQ\n" + "iom2AFy2aRXfvsoUlePRccs1/7RKclK7ahfdwEkCgYBXQOLGCt25rialGWO2ICjO\n" + "+Y8fGf4Lsj39bE1IdammBAFrK08ByDkAVB6/nZC8orQG0zBt7HerFnMOHl7VlfTh\n" + "mcF1SHl9dNAYLG8kz0ipgi4KGCOc8mUCq81AlFrZ9EBmeMF6g7TXyvxsf7s3mnvC\n" + "3JYgjoegnjjYOhpBjBhYbQKBgQCpwJmBakVyG/obcyXx0dDmirqwUquLaZbyzj8i\n" + "AhssX/NdGErqm2gU6GauWjfd9IfyvVWiWPHwOhYaZfuW7wpj34GDFskLVhaSYu1t\n" + "R9lc9cbwOqj9h24Bdik/CxNZDinIKcy0tMsEcXLX3TWdKnQdjMhPAvbATPj+Am+X\n" + "PGrd+QKBgF5U2i0d2Mgw/JmlVCY79uD9eERivF5HLOYv3XUr9N1/bgIqKSQnrKJC\n" + "pXC+ZHP9yTmcznwFkbMbJ9cTwMVU1n+hguvyjIJHmmeGrpBuaiT4HwPgV6IZY3N2\n" + "a05cOyYYE3I7h9fQs1MfZRK44rRiXycwb+HA4lwuFWTI7h5qdc/U\n" + "-----END RSA PRIVATE KEY-----\n"; /* Certificate Authority cert */ const char ca_cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIIC6DCCAdKgAwIBAgIESHv2uDALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n" - "dF9jYV9jZXJ0MB4XDTA4MDcxNTAxMDA0MFoXDTA5MDcxNTAxMDA0MFowFzEVMBMG\n" - "A1UEAxMMdGVzdF9jYV9jZXJ0MIIBHzALBgkqhkiG9w0BAQEDggEOADCCAQkCggEA\n" - "3vzPUd2yRjeHy9Yi22uX1vGnUPmB5zS+77/B9LubTqnNJ9eBjiMegQJsJWFQT/CW\n" - "8FurYiSMXIuTBirZX7NO6/rlcqifdfKLotSUuXLu5DBvMLCvnQ73wCIdCJoVyJbR\n" - "N0ExHsyGwCDCxaHuY8FlkIsfYo17SNmJNaMSUqdoAZoelmbqr9oVciRCQGgrmwEJ\n" - "dPj7EAofWSudV77y85j5rV/t51eNy5liS2qXnoFEmeqTuBo11cSmRbv5dkCHbx+y\n" - "ouLyZG39KxB0MZ124Na3qbUY41BPNj1XBljyAoHyY0J1iDqS0Zo+njEW6vRbmSMk\n" - "rA1kH45+alN50X11mSgfoQIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud\n" - "DwEB/wQFAwMHBAAwHQYDVR0OBBYEFB3x03+3Qa2SDwRF6RkNcjg9zRHJMAsGCSqG\n" - "SIb3DQEBBQOCAQEAjPoKMve8aqtL8fFXfSkYwLJUwuTG4E4mX804O5dsdvOEWR2/\n" - "UQm5IDiAZ3fnHE8zh0C1Kg+dWnCv0i1Q5CYZJ5sSY3tKikG5UBPVJGV1tT0vDfmJ\n" - "X7b52y35eN8qe5DsdyDAcF2GNRBU8opkLkyXb8U095AQiCHzTPpiesZd5phJlMPm\n" - "AJaB4VtHAykDMeKd7HJAeelRi/1dP8xsYNc1z67cSrkt2f+B0WAyuAUBBr1NdYmS\n" - "duegptXCh8OeGEL/v6mbIWoszDbOjk/0zwsgW8BD/eXaZgPPEUtmHizYPIRPdeW1\n" - "MSCwccjl/XjDkIoN8kKss4Ftt+Wyajjjxeh6YA==\n" "-----END CERTIFICATE-----\n"; + "-----BEGIN CERTIFICATE-----\n" + "MIIC6DCCAdKgAwIBAgIESJ2sXDALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n" + "dF9jYV9jZXJ0MB4XDTA4MDgwOTE0NDAyOFoXDTA5MDgwOTE0NDAyOFowFzEVMBMG\n" + "A1UEAxMMdGVzdF9jYV9jZXJ0MIIBHzALBgkqhkiG9w0BAQEDggEOADCCAQkCggEA\n" + "thkEJMVt/l06gPJQCfdMKJdYXdQZGSBkOroWGZfs0oYBcSU3JeszCWwDgzw5Ac4o\n" + "2no9/P7FLVm6+zaIO9gexVi2p1fDhT1+6Lir7O6waS94vLdujxdJPGfakZTktRAA\n" + "3MBbC1XuMYPYXZ6nUrRkmHLeG6Oj+L0U3iVq0ZjLYjekCmqVFXRaDmoLWkmxplKz\n" + "6UyzUXmNlyU4EzLpek2NjTtEUxh0Te+wD4RivBhCPGr7PRlYJhjkTk1u75HP41yQ\n" + "C6MnnfY3IALWwuabBQsreR0W0h17lB3YHdHKjP5xJfEeJPtb625+lHQpH4nfzGcn\n" + "a/RFok6xRpjZu7mB3t7XGwIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud\n" + "DwEB/wQFAwMHBAAwHQYDVR0OBBYEFGTWojUUrKbS/Uid9S3hPxmgKeaxMAsGCSqG\n" + "SIb3DQEBBQOCAQEAWP1f/sfNsvA/oz7OJSBCsQxAnjrKMIXgbVnop+4bEWPxk4e9\n" + "TETSk5MMXt2BfaCtaLZw19Zbqlh4ZFuVw+QC1GTa0xlagHiRgXU2DOvPT5+y+XUR\n" + "TSy0Pqou7spgEkLcFxlXYlx3tpDu+Awmx9DBGHMCysVynnEzeBYW4woCfBG2UiVA\n" + "iHVz6jBc4bBkylKVkA42GiroExuPc+W9qtHGuVX045R7gz78KK0CMIObdySbogBe\n" + "gYZUbyVvPVHINEc929PoV12dHP7wrKnqPbiwb+h1SHui8bVinE+1JY3mRB1VGVTa\n" + "rgvlVGs2S+Zq48XMs4aeLgHkGWFAIXbpX34HSw==\n" + "-----END CERTIFICATE-----\n"; /* test server CA signed certificates */ const char srv_signed_cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIIDHzCCAgmgAwIBAgIESHv6kTALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n" - "dF9jYV9jZXJ0MB4XDTA4MDcxNTAxMTcwNVoXDTA5MDcxNTAxMTcwNVowGzEZMBcG\n" - "A1UEAxMQdGVzdF9zZXJ2ZXJfY2VydDCCAR8wCwYJKoZIhvcNAQEBA4IBDgAwggEJ\n" - "AoIBAJIY2+Wn+TRHIJ92tpNvCIE6FOsGclRxOFJwK0T6k3SK68LwQ9PkQTTB/DJu\n" - "+hU2u6w6lt1+Q8PHTDMLtnkEeXnxPn1uQZnnMEBcHAGY1U99iJh0At68AyoG7nkb\n" - "AzgzxxjMom+dEhGEFHOg9JKmJp138RzIWcMN2l4pKIryiBUh5AWt/7uqtA+9fQMq\n" - "nOeO8OU5FM3eKevl3VSZ6usptbePbUDNs5uEmG+PTR0bc2rYgGeC4+wExWcJ+CAq\n" - "voNVPno//MoMeJjWgXqF4wTBFdfsewngkflwRDPuZuLsxVrKnIx6jsBKIMuhVuxT\n" - "66vnEmuR34TUIzLlVPcJ5wmby2UCAwEAAaN2MHQwDAYDVR0TAQH/BAIwADATBgNV\n" - "HSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDByAAMB0GA1UdDgQWBBSHX75y\n" - "gpEjstognUu4If50qWXQaDAfBgNVHSMEGDAWgBQd8dN/t0Gtkg8ERekZDXI4Pc0R\n" - "yTALBgkqhkiG9w0BAQUDggEBAF56YMCdp0C88ZF9yaXJZ4PMuTpW83Mhg5Ar0a9H\n" - "DasF58p8eeRLhsTJPi+NpFSMTujEabGS3+8l6Iu5F5stFgvbvnjLHdYu2Pjakos8\n" - "NjZCCkuEmIO4PLd6h5ToOZf3ZXNHmFjRTtKHQKNrYizlHlgnEDcUbU4gB5KOg3jU\n" - "rv/Mtar+5LRK7KvByswp26nRH1ijGV23sy9StK7tV/cJPe/UkxyUfSQwUmQzzWe6\n" - "QGAQtppUjGabWXjuLuOUyiG5LReYC5ri7XZuVekCAfUHbOdPYTHPczvpKBnUyKIv\n" - "BRKOarmNfNc3w5G7Ast3jNOE2JfiJ8+x9+rMWI01PlWVYvQ=\n" - "-----END CERTIFICATE-----\n"; + "-----BEGIN CERTIFICATE-----\n" + "MIIDBDCCAe6gAwIBAgIESJ2sXzALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n" + "dF9jYV9jZXJ0MB4XDTA4MDgwOTE0NDAzMloXDTA5MDgwOTE0NDAzNVowADCCAR8w\n" + "CwYJKoZIhvcNAQEBA4IBDgAwggEJAoIBAOb6G6WJrrNC48NSh5i4eT7J1BCqlMB4\n" + "e0No+td/PQf+sPywbQToYGiPfOFfMyge1G6SyRpXavKbPwuw1BN183WoYzID5mtz\n" + "shAOl/JRhdusScFijS3pITiNK4G5NLToCP4KZhqguqHUzEdanifSb/D4x54Rq/Tc\n" + "A7oHGp0wjdWC/AMtGWv6v55xMe00ALZ1zDxCOi8nri9W7mLy+hyduETCq+1Y7uHl\n" + "mqbAk8D7ruu0JtNU2N8WuJJcAtxgZhCCfIHTgAUWqepeRBM8cy8uu0tywgxcJiyt\n" + "Uu1wXQHnnpWrr/9r6IfhjFpc9pr5giHBeM4KdlU49UsYgaS1tAZsDJcCAwEAAaN2\n" + "MHQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8E\n" + "BQMDB6AAMB0GA1UdDgQWBBSxP229okDqlKyMCyg0cnzbf+eb4DAfBgNVHSMEGDAW\n" + "gBRk1qI1FKym0v1InfUt4T8ZoCnmsTALBgkqhkiG9w0BAQUDggEBAEabY4FLsFQr\n" + "PACNe3p5tU3hWvvQ9S1pRlfnc/z1o+k9NDWTHlNjXfVTl6/6cIKHA+r8SvRks27+\n" + "lScfxFkiCi22YC7uPbn8fW1nWcsqEkK4e0TDekSUi1o6SDx6cU07kMpx3iKvpLs3\n" + "5QiCFjivMjrY8pEFJIke/ucI8QuLVZLLUSdTHb9Ck128PtPKA4y2uZA/MmYS/OtR\n" + "/UZN67pJ+BqcQBE5vNolWQTM+NxfMzb48IV9q32HRT4HErvUjLIWV0nwwedUSdDG\n" + "63tr9jp0GF6b5Eum0MTVV/zbBxfyRFg+Q8xRn70zJlB/W7byaFq/95Rpfqjdnta2\n" + "aO/omlvGHrI=\n" + "-----END CERTIFICATE-----\n"; /* test server key */ const char srv_signed_key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIIEpAIBAAKCAQEAkhjb5af5NEcgn3a2k28IgToU6wZyVHE4UnArRPqTdIrrwvBD\n" - "0+RBNMH8Mm76FTa7rDqW3X5Dw8dMMwu2eQR5efE+fW5BmecwQFwcAZjVT32ImHQC\n" - "3rwDKgbueRsDODPHGMyib50SEYQUc6D0kqYmnXfxHMhZww3aXikoivKIFSHkBa3/\n" - "u6q0D719Ayqc547w5TkUzd4p6+XdVJnq6ym1t49tQM2zm4SYb49NHRtzatiAZ4Lj\n" - "7ATFZwn4ICq+g1U+ej/8ygx4mNaBeoXjBMEV1+x7CeCR+XBEM+5m4uzFWsqcjHqO\n" - "wEogy6FW7FPrq+cSa5HfhNQjMuVU9wnnCZvLZQIDAQABAoIBABISPh0FrocfZzMi\n" - "YYoSGWi2sQCzTvAQAyn7UvbY0eWAC5KU2qb6nHA0sIfif0+hcgxnQOML68DrRYso\n" - "3zzP52DEjPjB6x5o4OiNHC+8YmJPQlatPu+jLPcFXXkgdMD+cpmoMk2BDcuZ3VfC\n" - "KI59O9iNjgcD50p/y6uLBsdNIbUPSMe8ONWT7f5DN/DqEL+3tVZaRAOL+C8iKYf4\n" - "EPI5z6gOyL0aEpulbMKc0YoZZ2kDmu5IyMLgkF3DJV440Y/6IGan88ZSjk6i/d7f\n" - "ciKVtzIIbr5ubbuGe3htphTpRP0aA5WuVTzHrKk83/u3hG1RFv1q/cRD28tVUIII\n" - "0pcwLmECgYEAwMdaR5Y2NqBk/fOvU/oCDAQ6w8jmIa4zMxskvq9Pr753jhT13j+T\n" - "eQ1A590PF4PPvGFTqJ2vl3kj6JT5dzu7mGKoJLFsnttpw+0NYUgp0waPPZx010pp\n" - "QGeyQ/cPsZEZkCehh9c5CsfO1YpjKLV/wdpBQ2xAnkV5dfFmzlzLOTECgYEAwgJf\n" - "gxlR9Jgv7Qg/6Prs+SarqT4xDsJKKbD7wH2jveGFXVnkYTPVstwLCAus4LaLFKZ9\n" - "1POQDUgO24E1GzuL7mqSuvymdl5gZICfpkHstOAfpqep96pUv4aI9BY/g5l4Lvep\n" - "9c52tgQGwz0qgBUJBi6AvzxqRkBsxrXjX2m7KHUCgYEAtjx94ohkTXWIouy2xFrl\n" - "jnh9GNGUgyhK7Dfvn3bYjJkwKZc06dkNzvQxdD5r4t3PBhS3YgFWmYmB4X7a6NUF\n" - "vMMekjlLJkziib1Q1bLDHuLni+WYKmEEaEbepRMrub8h/D0KnQBewwspQoJkxHn3\n" - "AMkSwurVlwi0DkOa3N+pmTECgYBXyCUZN1qqtjVxJXttWiPg88tWD2q5B9XwmUC/\n" - "rtlor+LdAzBffsmhXQiswkOdhVrWpCJpOS8jo0f9r6+su7ury5LKgkh7ZGZu8vfJ\n" - "jSiiCoqnqFMyWWJxKllLP8nLLKSBc9P2AU4bOyUoL8PMIjhsEJx2asqXMM1G98OC\n" - "R1/EhQKBgQCmSkabsj8u5iEScicyJU87/sVkRIRE0GhjU8uuvcTe+dRiHuj2CENx\n" - "hh967E0nUCiJzx3is0/nYByDles9W4BLEA8JSuM5r6E7UifHR4XwIi2tQcNhCWIu\n" - "vGbfvxwqcm7Uj3XHb1GbYK5nnaRNailoJ7iyqHWxB1Q3iFIiMipcfg==\n" - "-----END RSA PRIVATE KEY-----\n"; + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEowIBAAKCAQEA5vobpYmus0Ljw1KHmLh5PsnUEKqUwHh7Q2j61389B/6w/LBt\n" + "BOhgaI984V8zKB7UbpLJGldq8ps/C7DUE3XzdahjMgPma3OyEA6X8lGF26xJwWKN\n" + "LekhOI0rgbk0tOgI/gpmGqC6odTMR1qeJ9Jv8PjHnhGr9NwDugcanTCN1YL8Ay0Z\n" + "a/q/nnEx7TQAtnXMPEI6LyeuL1buYvL6HJ24RMKr7Vju4eWapsCTwPuu67Qm01TY\n" + "3xa4klwC3GBmEIJ8gdOABRap6l5EEzxzLy67S3LCDFwmLK1S7XBdAeeelauv/2vo\n" + "h+GMWlz2mvmCIcF4zgp2VTj1SxiBpLW0BmwMlwIDAQABAoIBACJGvGKQ74V3qDAc\n" + "p7WwroF0Vw2QGtoDJxumUQ84uRheIeqlzc/cIi5yGLCjPYa3KIQuMTzA+0R8aFs2\n" + "RwqKRvJPZkUOUhvhA+whFkhl86zZQOq7UsMc5Qqs3Gd4UguEoYz9gxBxiLCqURRH\n" + "rM+xCV6jtI/PBIsmOUFae4cXJP0pljUXyYmwwb/WrsvnJXf9Gz8/VLZGBMchMH7R\n" + "MwD7xdwc/ht2XfZ0TuDntpJDtj0JrW9i/Cxt8PnNhQjgLsAe+oUUZt7Bo+vXBxhu\n" + "JPKj6BHcj768l+gDn5zzaXKq0eF7mMXc7fgAp0u8lJkC0LxLq/WmIfqw4Z4mEjkX\n" + "DremIoUCgYEA53vX9Hd8V85hCfeaTDf3B5q6g9kIliR+Y2tX2aSqN06df9J/KOdL\n" + "G/lEQn4rsOOtOwyTU2luPmcr0XgbXA1T1kj56+UZrxtRducsdsVbVixzD2KswtJO\n" + "wUH6XAJNdpI++64TuZadnKAaKiqim7CPzQYrBXYKKRFGSDd50urkTRMCgYEA/3CG\n" + "NMaG3qtzQceQUw7BBAhey387MR+1FUQHQ7xoq2jc3yAx4H2NEyGa6wL5CtFKn5In\n" + "BP6f30sk2ilXRv5pbIIiS8Xzngxy3m17GH33YrSc3ff/u+LWgR/EOVpa9F+sMAjp\n" + "ohDgI8iH8GtahrRA0BxQKfNIo2zUTqNwFP88xu0CgYADOY1zoWqBCqX9bo6euzTc\n" + "zUIF7jMZbF66Yddyd8HLTXQSQMt2tWotdJaH2pwfNbzHEtDGm7RmeCd7HpI7ARCG\n" + "7rNUnvdxog7LekL7UJqKI8pij3xapnVkadfkCkAsA7OO7AjoT/nYIb7bkYZ8ZsRK\n" + "FejphZB0rAHvpZ4z2wPdMwKBgQCfkr70RzVH81lcNXwutt/TUhtOCxyCMqmgMFBN\n" + "e2zz791TMjyWXjh8RBkQSVok7NwuVVI055AeIUZTV1IjkplvZNhh97aZ/HLiCwjE\n" + "IyUhL21zqRLEYA/auGqP3adGVGIv29GAIgSztfleMuJplj+LArT9j/LHzRvQSH+j\n" + "TlO8fQKBgE5og4pTfPrD0A7W/Li1HDGf8Ylb+DZlxoyMriW82Z/zCBvYvn1UvQRi\n" + "b8f3IQFXuXdf3Bx4C91kQJPovxDp14FOHJxO7F32fGMnJaU2kyp4sf4WAJZZOLnd\n" + "l64hMUsgYPI8qfsanAudD4gTAsLEP+ueWqkcb3SJNLSoQAtcGzYs\n" + "-----END RSA PRIVATE KEY-----\n"; /* test server self signed certificates */ const char srv_self_signed_cert_pem[] =