aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/daemon/connection_https.c5
-rw-r--r--src/daemon/daemon.c398
-rw-r--r--src/daemon/https/tls/Makefile.am1
-rw-r--r--src/daemon/https/tls/auth_cert.h9
-rw-r--r--src/daemon/https/tls/ext_cert_type.c4
-rw-r--r--src/daemon/https/tls/gnutls_alert.c4
-rw-r--r--src/daemon/https/tls/gnutls_algorithms.c16
-rw-r--r--src/daemon/https/tls/gnutls_anon_cred.c3
-rw-r--r--src/daemon/https/tls/gnutls_db.c386
-rw-r--r--src/daemon/https/tls/gnutls_db.h37
-rw-r--r--src/daemon/https/tls/gnutls_handshake.c13
-rw-r--r--src/daemon/https/tls/gnutls_int.h4
-rw-r--r--src/daemon/https/tls/gnutls_priority.c4
-rw-r--r--src/daemon/https/tls/gnutls_record.c33
-rw-r--r--src/daemon/https/tls/gnutls_session.c6
-rw-r--r--src/daemon/https/tls/gnutls_session_pack.c330
-rw-r--r--src/daemon/https/tls/gnutls_state.c5
-rw-r--r--src/daemon/https/tls/gnutls_x509.c33
-rw-r--r--src/daemon/https/x509/pkcs12.h1
-rw-r--r--src/daemon/internal.h9
-rw-r--r--src/include/microhttpd.h23
-rw-r--r--src/testcurl/https/tls_alert_test.c2
-rw-r--r--src/testcurl/https/tls_authentication_test.c15
-rw-r--r--src/testcurl/https/tls_daemon_options_test.c137
-rw-r--r--src/testcurl/https/tls_session_time_out_test.c5
-rw-r--r--src/testcurl/https/tls_test_keys.h181
26 files changed, 775 insertions, 889 deletions
diff --git a/src/daemon/connection_https.c b/src/daemon/connection_https.c
index d275bb19..d91e6b90 100644
--- a/src/daemon/connection_https.c
+++ b/src/daemon/connection_https.c
@@ -37,7 +37,7 @@
37#include "gnutls_int.h" 37#include "gnutls_int.h"
38#include "gnutls_record.h" 38#include "gnutls_record.h"
39 39
40/* TODO rm #include "gnutls_errors.h" */ 40/* TODO #include rm "gnutls_errors.h" */
41#include "gnutls_errors.h" 41#include "gnutls_errors.h"
42 42
43/* forward declarations used when setting secure connection callbacks */ 43/* forward declarations used when setting secure connection callbacks */
@@ -168,6 +168,9 @@ MHD_tls_connection_handle_idle (struct MHD_Connection *connection)
168 168
169 switch (connection->state) 169 switch (connection->state)
170 { 170 {
171 /* on newly created connections we might reach here before any reply has been received */
172 case MHD_TLS_CONNECTION_INIT:
173 return MHD_YES;
171 /* close connection if necessary */ 174 /* close connection if necessary */
172 case MHD_CONNECTION_CLOSED: 175 case MHD_CONNECTION_CLOSED:
173 MHD_tls_connection_close (connection); 176 MHD_tls_connection_close (connection);
diff --git a/src/daemon/daemon.c b/src/daemon/daemon.c
index 34a9bac6..84662dbd 100644
--- a/src/daemon/daemon.c
+++ b/src/daemon/daemon.c
@@ -32,6 +32,7 @@
32#if HTTPS_SUPPORT 32#if HTTPS_SUPPORT
33#include "gnutls_int.h" 33#include "gnutls_int.h"
34#include "gnutls_global.h" 34#include "gnutls_global.h"
35#include "auth_anon.h"
35#endif 36#endif
36 37
37/** 38/**
@@ -56,26 +57,14 @@
56 */ 57 */
57#define DEBUG_CONNECT MHD_NO 58#define DEBUG_CONNECT MHD_NO
58 59
59#if HTTPS_SUPPORT 60/* TODO unite with code in gnutls_priority.c */
60/* initialize security aspects of the HTTPS daemon */
61static int 61static int
62MHD_TLS_init (struct MHD_Daemon *daemon) 62MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
63{ 63{
64 int i;
65 priority_st st;
66 gnutls_datum_t key; 64 gnutls_datum_t key;
67 gnutls_datum_t cert; 65 gnutls_datum_t cert;
68 66
69 gnutls_global_set_log_function (MHD_tls_log_func); 67 /* certificate & key loaded from file */
70
71 /* setup server certificate */
72 gnutls_certificate_allocate_credentials (&daemon->x509_cret);
73
74 /* TODO remove if unused
75 gnutls_certificate_set_x509_trust_file(x509_cret, CAFILE,GNUTLS_X509_FMT_PEM);
76 gnutls_certificate_set_x509_crl_file(x509_cret, CRLFILE, GNUTLS_X509_FMT_PEM); */
77
78 /* sets a certificate private key pair */
79 if (daemon->https_cert_path && daemon->https_key_path) 68 if (daemon->https_cert_path && daemon->https_key_path)
80 { 69 {
81 /* test for private key & certificate file exsitance */ 70 /* test for private key & certificate file exsitance */
@@ -98,20 +87,21 @@ MHD_TLS_init (struct MHD_Daemon *daemon)
98 CLOSE (daemon->socket_fd); 87 CLOSE (daemon->socket_fd);
99 return -1; 88 return -1;
100 } 89 }
101 gnutls_certificate_set_x509_key_file (daemon->x509_cret, 90 return gnutls_certificate_set_x509_key_file (daemon->x509_cred,
102 daemon->https_cert_path, 91 daemon->https_cert_path,
103 daemon->https_key_path, 92 daemon->https_key_path,
104 GNUTLS_X509_FMT_PEM); 93 GNUTLS_X509_FMT_PEM);
105 } 94 }
95 /* certificate & key loaded from memory */
106 else if (daemon->https_mem_cert && daemon->https_mem_key) 96 else if (daemon->https_mem_cert && daemon->https_mem_key)
107 { 97 {
108 key.data = (char *) daemon->https_mem_key; 98 key.data = (unsigned char *) daemon->https_mem_key;
109 key.size = strlen (daemon->https_mem_key); 99 key.size = strlen (daemon->https_mem_key);
110 cert.data = (char *) daemon->https_mem_cert; 100 cert.data = (unsigned char *) daemon->https_mem_cert;
111 cert.size = strlen (daemon->https_mem_cert); 101 cert.size = strlen (daemon->https_mem_cert);
112 102
113 gnutls_certificate_set_x509_key_mem (daemon->x509_cret, &cert, &key, 103 return gnutls_certificate_set_x509_key_mem (daemon->x509_cred, &cert,
114 GNUTLS_X509_FMT_PEM); 104 &key, GNUTLS_X509_FMT_PEM);
115 } 105 }
116 else 106 else
117 { 107 {
@@ -120,29 +110,44 @@ MHD_TLS_init (struct MHD_Daemon *daemon)
120#endif 110#endif
121 return MHD_NO; 111 return MHD_NO;
122 } 112 }
113}
123 114
124 /* generate DH parameters if necessary */ 115/* initialize security aspects of the HTTPS daemon */
125 st = daemon->priority_cache->kx; 116int
126 for (i = 0; i < st.algorithms; i++) 117MHD_TLS_init (struct MHD_Daemon *daemon)
118{
119 int ret;
120
121 switch (daemon->cred_type)
127 { 122 {
128 /* initialize Diffie Hellman parameters if necessary */ 123 case MHD_GNUTLS_CRD_ANON:
129 /* TODO add other cipher suits */ 124 ret = gnutls_anon_allocate_server_credentials (&daemon->anon_cred);
130 if (st.priority[i] == MHD_GNUTLS_KX_DHE_RSA) 125 ret += gnutls_dh_params_init (&daemon->dh_params);
131 { 126 if (ret != 0) {
132 gnutls_dh_params_init (&daemon->dh_params); 127 return GNUTLS_E_MEMORY_ERROR;
133 gnutls_dh_params_generate2 (daemon->dh_params, 1024); 128 }
134 break; 129 gnutls_dh_params_generate2 (daemon->dh_params, 1024);
135 } 130 gnutls_anon_set_server_dh_params (daemon->anon_cred, daemon->dh_params);
131 break;
132 case MHD_GNUTLS_CRD_CERTIFICATE:
133 ret = gnutls_certificate_allocate_credentials (&daemon->x509_cred) ;
134 if (ret != 0) {
135 return GNUTLS_E_MEMORY_ERROR;
136 }
137 if ((ret = MHD_init_daemon_certificate (daemon)) != 0)
138 return ret;
139 default:
140#if HAVE_MESSAGES
141 MHD_DLOG (daemon,
142 "Error: no daemon credentials type found. f: %s, l: %d\n",
143 __FUNCTION__, __LINE__);
144#endif
145 break;
136 } 146 }
137 147
138 gnutls_certificate_set_dh_params (daemon->x509_cret, daemon->dh_params); 148 return MHD_NO;
139
140 /* TODO address error case return value */
141 return MHD_YES;
142} 149}
143 150
144/* TODO unite with code in gnutls_priority.c */
145/* this is used to set HTTPS related daemon priorities */
146inline static int 151inline static int
147_set_priority (priority_st * st, const int *list) 152_set_priority (priority_st * st, const int *list)
148{ 153{
@@ -152,7 +157,7 @@ _set_priority (priority_st * st, const int *list)
152 num++; 157 num++;
153 if (num > MAX_ALGOS) 158 if (num > MAX_ALGOS)
154 num = MAX_ALGOS; 159 num = MAX_ALGOS;
155 st->algorithms = num; 160 st->num_algorithms = num;
156 161
157 for (i = 0; i < num; i++) 162 for (i = 0; i < num; i++)
158 { 163 {
@@ -161,7 +166,6 @@ _set_priority (priority_st * st, const int *list)
161 166
162 return 0; 167 return 0;
163} 168}
164#endif /* HTTPS_SUPPORT */
165 169
166/** 170/**
167 * Obtain the select sets for this daemon. 171 * Obtain the select sets for this daemon.
@@ -300,12 +304,13 @@ gnutls_push_param_adapter (void *connection,
300} 304}
301#endif 305#endif
302 306
307
303/** 308/**
304 * Handle an individual TLS connection. 309 * Handle an individual TLS connection.
305 */ 310 */
306#if HTTPS_SUPPORT 311#if HTTPS_SUPPORT
307static void * 312static void *
308MHD_TLS_handle_connection (void *data) 313MHD_TLS_init_connection (void *data)
309{ 314{
310 struct MHD_Connection *con = data; 315 struct MHD_Connection *con = data;
311 316
@@ -320,16 +325,37 @@ MHD_TLS_handle_connection (void *data)
320 /* sets cipher priorities */ 325 /* sets cipher priorities */
321 gnutls_priority_set (con->tls_session, con->daemon->priority_cache); 326 gnutls_priority_set (con->tls_session, con->daemon->priority_cache);
322 327
323 /* set needed credentials for certificate authentication. */ 328 switch (con->daemon->cred_type)
324 gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_CERTIFICATE, 329 {
325 con->daemon->x509_cret); 330 /* set needed credentials for certificate authentication. */
331 case MHD_GNUTLS_CRD_CERTIFICATE:
332 gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_CERTIFICATE,
333 con->daemon->x509_cred);
334 break;
335 case MHD_GNUTLS_CRD_ANON:
336 /* set needed credentials for anonymous authentication. */
337 gnutls_credentials_set (con->tls_session, MHD_GNUTLS_CRD_ANON,
338 con->daemon->anon_cred);
339 gnutls_dh_set_prime_bits (con->tls_session, 1024);
340 break;
341 default:
342
343#if HAVE_MESSAGES
344 MHD_DLOG (con->daemon,
345 "Error: couldn't init HTTPS session. no appropriate KX algorithm found. f: %s, l: %d\n",
346 __FUNCTION__, __LINE__);
347#endif
348 break;
349 }
326 350
327 /* TODO avoid gnutls blocking recv / write calls 351 /* TODO avoid gnutls blocking recv / write calls
328 gnutls_transport_set_pull_function(tls_session, &recv); 352 gnutls_transport_set_pull_function(tls_session, &recv);
329 gnutls_transport_set_push_function(tls_session, &send); 353 gnutls_transport_set_push_function(tls_session, &send);
330 */ 354 */
331 355
332 gnutls_transport_set_ptr (con->tls_session, con->socket_fd); 356 gnutls_transport_set_ptr (con->tls_session,
357 (gnutls_transport_ptr_t) ((void *) con->
358 socket_fd));
333 359
334 return MHD_handle_connection (data); 360 return MHD_handle_connection (data);
335} 361}
@@ -489,7 +515,7 @@ MHD_accept_connection (struct MHD_Daemon *daemon)
489#if HTTPS_SUPPORT 515#if HTTPS_SUPPORT
490 if (daemon->options & MHD_USE_SSL) 516 if (daemon->options & MHD_USE_SSL)
491 res_thread_create = pthread_create (&connection->pid, NULL, 517 res_thread_create = pthread_create (&connection->pid, NULL,
492 &MHD_TLS_handle_connection, 518 &MHD_TLS_init_connection,
493 connection); 519 connection);
494 else 520 else
495#endif 521#endif
@@ -768,7 +794,7 @@ MHD_select_thread (void *cls)
768 */ 794 */
769struct MHD_Daemon * 795struct MHD_Daemon *
770MHD_start_daemon_va (unsigned int options, 796MHD_start_daemon_va (unsigned int options,
771 unsigned short port, 797 unsigned short port, char *ip,
772 MHD_AcceptPolicyCallback apc, 798 MHD_AcceptPolicyCallback apc,
773 void *apc_cls, 799 void *apc_cls,
774 MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap) 800 MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap)
@@ -875,6 +901,7 @@ MHD_start_daemon_va (unsigned int options,
875 pthread_mutex_unlock (&gnutls_init_mutex); 901 pthread_mutex_unlock (&gnutls_init_mutex);
876 /* set default priorities */ 902 /* set default priorities */
877 gnutls_priority_init (&retVal->priority_cache, "", NULL); 903 gnutls_priority_init (&retVal->priority_cache, "", NULL);
904 retVal->cred_type = MHD_GNUTLS_CRD_CERTIFICATE;
878 } 905 }
879#endif 906#endif
880 /* initializes the argument pointer variable */ 907 /* initializes the argument pointer variable */
@@ -906,7 +933,7 @@ MHD_start_daemon_va (unsigned int options,
906#if HTTPS_SUPPORT 933#if HTTPS_SUPPORT
907 case MHD_OPTION_PROTOCOL_VERSION: 934 case MHD_OPTION_PROTOCOL_VERSION:
908 _set_priority (&retVal->priority_cache->protocol, 935 _set_priority (&retVal->priority_cache->protocol,
909 va_arg (ap, const int *)); 936 va_arg (ap, const int *));
910 break; 937 break;
911 case MHD_OPTION_HTTPS_KEY_PATH: 938 case MHD_OPTION_HTTPS_KEY_PATH:
912 retVal->https_key_path = va_arg (ap, const char *); 939 retVal->https_key_path = va_arg (ap, const char *);
@@ -920,8 +947,11 @@ MHD_start_daemon_va (unsigned int options,
920 case MHD_OPTION_HTTPS_MEM_CERT: 947 case MHD_OPTION_HTTPS_MEM_CERT:
921 retVal->https_mem_cert = va_arg (ap, const char *); 948 retVal->https_mem_cert = va_arg (ap, const char *);
922 break; 949 break;
950 case MHD_OPTION_CRED_TYPE:
951 retVal->cred_type = va_arg (ap, const int);
952 break;
923 case MHD_OPTION_KX_PRIORITY: 953 case MHD_OPTION_KX_PRIORITY:
924 _set_priority (&retVal->priority_cache->cipher, 954 _set_priority (&retVal->priority_cache->kx,
925 va_arg (ap, const int *)); 955 va_arg (ap, const int *));
926 break; 956 break;
927 case MHD_OPTION_CIPHER_ALGORITHM: 957 case MHD_OPTION_CIPHER_ALGORITHM:
@@ -929,16 +959,17 @@ MHD_start_daemon_va (unsigned int options,
929 va_arg (ap, const int *)); 959 va_arg (ap, const int *));
930 break; 960 break;
931 case MHD_OPTION_MAC_ALGO: 961 case MHD_OPTION_MAC_ALGO:
932 _set_priority (&retVal->priority_cache->mac, 962 _set_priority (&retVal->priority_cache->mac,
933 va_arg (ap, const int *)); 963 va_arg (ap, const int *));
934 break; 964 break;
935#endif 965#endif
936 default: 966 default:
937#if HAVE_MESSAGES 967#if HAVE_MESSAGES
938 if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END) 968 if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END)
939 { 969 {
940 fprintf (stderr, 970 fprintf (stderr,
941 "Error: HTTPS option %d passed to non HTTPS daemon\n", opt); 971 "Error: HTTPS option %d passed to non HTTPS daemon\n",
972 opt);
942 } 973 }
943 else 974 else
944 { 975 {
@@ -952,7 +983,7 @@ MHD_start_daemon_va (unsigned int options,
952 983
953#if HTTPS_SUPPORT 984#if HTTPS_SUPPORT
954 /* initialize HTTPS daemon certificate aspects & send / recv functions */ 985 /* initialize HTTPS daemon certificate aspects & send / recv functions */
955 if (options & MHD_USE_SSL && MHD_NO == MHD_TLS_init (retVal)) 986 if (options & MHD_USE_SSL && MHD_TLS_init (retVal) != 0)
956 { 987 {
957#if HAVE_MESSAGES 988#if HAVE_MESSAGES
958 MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n"); 989 MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n");
@@ -985,18 +1016,244 @@ MHD_start_daemon (unsigned int options,
985 unsigned short port, 1016 unsigned short port,
986 MHD_AcceptPolicyCallback apc, 1017 MHD_AcceptPolicyCallback apc,
987 void *apc_cls, 1018 void *apc_cls,
988 MHD_AccessHandlerCallback dh, void *dh_cls, ...){ 1019 MHD_AccessHandlerCallback dh, void *dh_cls, ...)
989 1020{
990 int ret; 1021 const int on = 1;
991 va_list ap; 1022 struct MHD_Daemon *retVal;
992 va_start (ap, dh_cls); 1023
993 ret = MHD_start_daemon_va (options, 1024 /* listeningss sockets used by the daemon */
994 port, 1025 int socket_fd;
995 apc, 1026 va_list ap;
996 apc_cls, 1027
997 dh, dh_cls, ap); 1028 struct sockaddr_in servaddr4;
998 va_end (ap); 1029 struct sockaddr_in6 servaddr6;
999 return ret; 1030 const struct sockaddr *servaddr;
1031 socklen_t addrlen;
1032 enum MHD_OPTION opt;
1033
1034 if ((port == 0) || (dh == NULL))
1035 return NULL;
1036 if ((options & MHD_USE_IPv6) != 0)
1037 socket_fd = SOCKET (PF_INET6, SOCK_STREAM, 0);
1038 else
1039 socket_fd = SOCKET (PF_INET, SOCK_STREAM, 0);
1040 if (socket_fd < 0)
1041 {
1042#if HAVE_MESSAGES
1043 if ((options & MHD_USE_DEBUG) != 0)
1044 fprintf (stderr, "Call to socket failed: %s\n", STRERROR (errno));
1045#endif
1046 return NULL;
1047 }
1048 if ((SETSOCKOPT (socket_fd,
1049 SOL_SOCKET,
1050 SO_REUSEADDR,
1051 &on, sizeof (on)) < 0) && (options & MHD_USE_DEBUG) != 0)
1052 {
1053#if HAVE_MESSAGES
1054 fprintf (stderr, "setsockopt failed: %s\n", STRERROR (errno));
1055#endif
1056 }
1057 if ((options & MHD_USE_IPv6) != 0)
1058 {
1059 memset (&servaddr6, 0, sizeof (struct sockaddr_in6));
1060 servaddr6.sin6_family = AF_INET6;
1061 servaddr6.sin6_port = htons (port);
1062 servaddr = (struct sockaddr *) &servaddr6;
1063 addrlen = sizeof (struct sockaddr_in6);
1064 }
1065 else
1066 {
1067 memset (&servaddr4, 0, sizeof (struct sockaddr_in));
1068 servaddr4.sin_family = AF_INET;
1069 servaddr4.sin_port = htons (port);
1070 servaddr = (struct sockaddr *) &servaddr4;
1071 addrlen = sizeof (struct sockaddr_in);
1072 }
1073 if (BIND (socket_fd, servaddr, addrlen) < 0)
1074 {
1075#if HAVE_MESSAGES
1076 if ((options & MHD_USE_DEBUG) != 0)
1077 fprintf (stderr,
1078 "Failed to bind to port %u: %s\n", port, STRERROR (errno));
1079#endif
1080 CLOSE (socket_fd);
1081 return NULL;
1082 }
1083 if (LISTEN (socket_fd, 20) < 0)
1084 {
1085#if HAVE_MESSAGES
1086 if ((options & MHD_USE_DEBUG) != 0)
1087 fprintf (stderr,
1088 "Failed to listen for connections: %s\n", STRERROR (errno));
1089#endif
1090 CLOSE (socket_fd);
1091 return NULL;
1092 }
1093
1094 /* allocate the mhd daemon */
1095
1096 retVal = malloc (sizeof (struct MHD_Daemon));
1097
1098 if (retVal == NULL)
1099 {
1100 CLOSE (socket_fd);
1101 return NULL;
1102 }
1103
1104 memset (retVal, 0, sizeof (struct MHD_Daemon));
1105 retVal->options = options;
1106 retVal->port = port;
1107 retVal->apc = apc;
1108 retVal->apc_cls = apc_cls;
1109 retVal->socket_fd = socket_fd;
1110 retVal->default_handler = dh;
1111 retVal->default_handler_cls = dh_cls;
1112 retVal->max_connections = MHD_MAX_CONNECTIONS_DEFAULT;
1113 retVal->pool_size = MHD_POOL_SIZE_DEFAULT;
1114 retVal->connection_timeout = 0; /* no timeout */
1115#if HTTPS_SUPPORT
1116 if (options & MHD_USE_SSL)
1117 {
1118 /* lock gnutls_global mutex since it uses reference counting */
1119 pthread_mutex_lock (&gnutls_init_mutex);
1120 gnutls_global_init ();
1121 pthread_mutex_unlock (&gnutls_init_mutex);
1122 /* set default priorities */
1123 gnutls_priority_init (&retVal->priority_cache, "", NULL);
1124 retVal->cred_type = MHD_GNUTLS_CRD_CERTIFICATE;
1125 }
1126#endif
1127 /* initializes the argument pointer variable */
1128
1129 va_start (ap, dh_cls);
1130
1131 /*
1132 * loop through daemon options
1133 */
1134 while (MHD_OPTION_END != (opt = va_arg (ap, enum MHD_OPTION)))
1135 {
1136 switch (opt)
1137 {
1138 case MHD_OPTION_CONNECTION_MEMORY_LIMIT:
1139 retVal->pool_size = va_arg (ap, unsigned int);
1140 break;
1141 case MHD_OPTION_CONNECTION_LIMIT:
1142 retVal->max_connections = va_arg (ap, unsigned int);
1143 break;
1144 case MHD_OPTION_CONNECTION_TIMEOUT:
1145 retVal->connection_timeout = va_arg (ap, unsigned int);
1146 break;
1147 case MHD_OPTION_NOTIFY_COMPLETED:
1148 retVal->notify_completed =
1149 va_arg (ap, MHD_RequestCompletedCallback);
1150 retVal->notify_completed_cls = va_arg (ap, void *);
1151 break;
1152 case MHD_OPTION_PER_IP_CONNECTION_LIMIT:
1153 retVal->per_ip_connection_limit = va_arg (ap, unsigned int);
1154 break;
1155#if HTTPS_SUPPORT
1156 case MHD_OPTION_PROTOCOL_VERSION:
1157 _set_priority (&retVal->priority_cache->protocol,
1158 va_arg (ap, const int *));
1159 break;
1160 case MHD_OPTION_HTTPS_KEY_PATH:
1161 retVal->https_key_path = va_arg (ap, const char *);
1162 break;
1163 case MHD_OPTION_HTTPS_CERT_PATH:
1164 retVal->https_cert_path = va_arg (ap, const char *);
1165 break;
1166 case MHD_OPTION_HTTPS_MEM_KEY:
1167 retVal->https_mem_key = va_arg (ap, const char *);
1168 break;
1169 case MHD_OPTION_HTTPS_MEM_CERT:
1170 retVal->https_mem_cert = va_arg (ap, const char *);
1171 break;
1172 case MHD_OPTION_CRED_TYPE:
1173 retVal->cred_type = va_arg (ap, const int);
1174 break;
1175 case MHD_OPTION_KX_PRIORITY:
1176 _set_priority (&retVal->priority_cache->kx,
1177 va_arg (ap, const int *));
1178 break;
1179 case MHD_OPTION_CIPHER_ALGORITHM:
1180 _set_priority (&retVal->priority_cache->cipher,
1181 va_arg (ap, const int *));
1182 break;
1183 case MHD_OPTION_MAC_ALGO:
1184 _set_priority (&retVal->priority_cache->mac,
1185 va_arg (ap, const int *));
1186 break;
1187#endif
1188 default:
1189#if HAVE_MESSAGES
1190 if (opt > MHD_HTTPS_OPTION_START && opt < MHD_HTTPS_OPTION_END)
1191 {
1192 fprintf (stderr,
1193 "Error: HTTPS option %d passed to non HTTPS daemon\n",
1194 opt);
1195 }
1196 else
1197 {
1198 fprintf (stderr,
1199 "Invalid MHD_OPTION argument! (Did you terminate the list with MHD_OPTION_END?)\n");
1200 }
1201#endif
1202 abort ();
1203 }
1204 }
1205 va_end (ap);
1206
1207 /* initialize HTTPS daemon certificate aspects & send / recv functions */
1208 if (options & MHD_USE_SSL && MHD_TLS_init (retVal) != 0)
1209 {
1210#if HAVE_MESSAGES
1211 MHD_DLOG (retVal, "Failed to initialize HTTPS daemon\n");
1212#endif
1213 free (retVal);
1214 return NULL;
1215 }
1216
1217 if (((0 != (options & MHD_USE_THREAD_PER_CONNECTION)) || (0 != (options
1218 &
1219 MHD_USE_SELECT_INTERNALLY)))
1220 && (0 !=
1221 pthread_create (&retVal->pid, NULL, &MHD_select_thread, retVal)))
1222 {
1223#if HAVE_MESSAGES
1224 MHD_DLOG (retVal, "Failed to create listen thread: %s\n",
1225 STRERROR (errno));
1226#endif
1227 free (retVal);
1228 CLOSE (socket_fd);
1229 return NULL;
1230 }
1231
1232 return retVal;
1233}
1234
1235
1236/*
1237 * start the MHD_Daemon while binding to a specific ip address.
1238 *
1239 * TODO : address adding ip parameter to MHD_start_daemon
1240 */
1241struct MHD_Daemon *
1242MHD_start_daemon_ip (unsigned int options,
1243 unsigned short port, char *ip,
1244 MHD_AcceptPolicyCallback apc,
1245 void *apc_cls,
1246 MHD_AccessHandlerCallback dh, void *dh_cls, ...)
1247{
1248
1249 gnutls_global_set_log_level (5);
1250
1251 struct MHD_Daemon *ret;
1252 va_list ap;
1253 va_start (ap, dh_cls);
1254 ret = MHD_start_daemon_va (options, port, ip, apc, apc_cls, dh, dh_cls, ap);
1255 va_end (ap);
1256 return ret;
1000} 1257}
1001 1258
1002/** 1259/**
@@ -1066,7 +1323,10 @@ MHD_stop_daemon (struct MHD_Daemon *daemon)
1066 { 1323 {
1067 gnutls_priority_deinit (daemon->priority_cache); 1324 gnutls_priority_deinit (daemon->priority_cache);
1068 1325
1069 gnutls_certificate_free_credentials (daemon->x509_cret); 1326 if (daemon->x509_cred)
1327 gnutls_certificate_free_credentials (daemon->x509_cred);
1328 if (daemon->anon_cred)
1329 gnutls_anon_free_server_credentials (daemon->anon_cred);
1070 1330
1071 /* lock gnutls_global mutex since it uses reference counting */ 1331 /* lock gnutls_global mutex since it uses reference counting */
1072 pthread_mutex_lock (&gnutls_init_mutex); 1332 pthread_mutex_lock (&gnutls_init_mutex);
diff --git a/src/daemon/https/tls/Makefile.am b/src/daemon/https/tls/Makefile.am
index 40d49e08..3155e0bd 100644
--- a/src/daemon/https/tls/Makefile.am
+++ b/src/daemon/https/tls/Makefile.am
@@ -43,7 +43,6 @@ gnutls_compress.c \
43gnutls_compress_int.c \ 43gnutls_compress_int.c \
44gnutls_constate.c \ 44gnutls_constate.c \
45gnutls_datum.c \ 45gnutls_datum.c \
46gnutls_db.c \
47gnutls_dh.c \ 46gnutls_dh.c \
48gnutls_dh_primes.c \ 47gnutls_dh_primes.c \
49gnutls_errors.c \ 48gnutls_errors.c \
diff --git a/src/daemon/https/tls/auth_cert.h b/src/daemon/https/tls/auth_cert.h
index 86e0230f..e49a6089 100644
--- a/src/daemon/https/tls/auth_cert.h
+++ b/src/daemon/https/tls/auth_cert.h
@@ -34,6 +34,7 @@
34/* This structure may be complex, but it's the only way to 34/* This structure may be complex, but it's the only way to
35 * support a server that has multiple certificates 35 * support a server that has multiple certificates
36 */ 36 */
37
37typedef struct gnutls_certificate_credentials_st 38typedef struct gnutls_certificate_credentials_st
38{ 39{
39 gnutls_dh_params_t dh_params; 40 gnutls_dh_params_t dh_params;
@@ -45,7 +46,7 @@ typedef struct gnutls_certificate_credentials_st
45 46
46 gnutls_cert **cert_list; 47 gnutls_cert **cert_list;
47 /* contains a list of a list of certificates. 48 /* contains a list of a list of certificates.
48 * eg (X509): [0] certificate1, certificate11, certificate111 49 * eg (X509): [0] certificate1, certificate11, certificate111
49 * (if more than one, one certificate certifies the one before) 50 * (if more than one, one certificate certifies the one before)
50 * [1] certificate2, certificate22, ... 51 * [1] certificate2, certificate22, ...
51 */ 52 */
@@ -75,14 +76,14 @@ typedef struct gnutls_certificate_credentials_st
75 /* X509 specific stuff */ 76 /* X509 specific stuff */
76 77
77 gnutls_x509_crt_t *x509_ca_list; 78 gnutls_x509_crt_t *x509_ca_list;
78 unsigned x509_ncas; /* number of CAs in the ca_list 79 unsigned x509_ncas; /* number of CAs in the ca_list
79 */ 80 */
80 81
81 gnutls_x509_crl_t *x509_crl_list; 82 gnutls_x509_crl_t *x509_crl_list;
82 unsigned x509_ncrls; /* number of CRLs in the crl_list 83 unsigned x509_ncrls; /* number of CRLs in the crl_list
83 */ 84 */
84 85
85 unsigned int verify_flags; /* flags to be used at 86 unsigned int verify_flags; /* flags to be used at
86 * certificate verification. 87 * certificate verification.
87 */ 88 */
88 unsigned int verify_depth; 89 unsigned int verify_depth;
diff --git a/src/daemon/https/tls/ext_cert_type.c b/src/daemon/https/tls/ext_cert_type.c
index 6f1c17bc..a1bec6a1 100644
--- a/src/daemon/https/tls/ext_cert_type.c
+++ b/src/daemon/https/tls/ext_cert_type.c
@@ -150,10 +150,10 @@ _gnutls_cert_type_send_params (gnutls_session_t session, opaque * data,
150 if (session->security_parameters.entity == GNUTLS_CLIENT) 150 if (session->security_parameters.entity == GNUTLS_CLIENT)
151 { 151 {
152 152
153 if (session->internals.priorities.cert_type.algorithms > 0) 153 if (session->internals.priorities.cert_type.num_algorithms > 0)
154 { 154 {
155 155
156 len = session->internals.priorities.cert_type.algorithms; 156 len = session->internals.priorities.cert_type.num_algorithms;
157 157
158 if (len == 1 && 158 if (len == 1 &&
159 session->internals.priorities.cert_type.priority[0] == 159 session->internals.priorities.cert_type.priority[0] ==
diff --git a/src/daemon/https/tls/gnutls_alert.c b/src/daemon/https/tls/gnutls_alert.c
index dfa35f85..29422dab 100644
--- a/src/daemon/https/tls/gnutls_alert.c
+++ b/src/daemon/https/tls/gnutls_alert.c
@@ -148,7 +148,7 @@ gnutls_alert_send (gnutls_session_t session, gnutls_alert_level_t level,
148 * alert should be sent to the peer indicating that no renegotiation will 148 * alert should be sent to the peer indicating that no renegotiation will
149 * be performed. 149 * be performed.
150 * 150 *
151 * If there is no mapping to a valid alert the alert to indicate internal error 151 * If there is no mapping to a valid alert the alert to indicate internal error
152 * is returned. 152 * is returned.
153 * 153 *
154 **/ 154 **/
@@ -163,7 +163,7 @@ gnutls_error_to_alert (int err, int *level)
163 /* GNUTLS_A_DECRYPTION_FAILED is not sent, because 163 /* GNUTLS_A_DECRYPTION_FAILED is not sent, because
164 * it is not defined in SSL3. Note that we must 164 * it is not defined in SSL3. Note that we must
165 * not distinguish Decryption failures from mac 165 * not distinguish Decryption failures from mac
166 * check failures, due to the possibility of some 166 * check failures, due to the possibility of some
167 * attacks. 167 * attacks.
168 */ 168 */
169 ret = GNUTLS_A_BAD_RECORD_MAC; 169 ret = GNUTLS_A_BAD_RECORD_MAC;
diff --git a/src/daemon/https/tls/gnutls_algorithms.c b/src/daemon/https/tls/gnutls_algorithms.c
index 56435345..1809afda 100644
--- a/src/daemon/https/tls/gnutls_algorithms.c
+++ b/src/daemon/https/tls/gnutls_algorithms.c
@@ -767,7 +767,7 @@ _gnutls_mac_priority (gnutls_session_t session,
767 gnutls_mac_algorithm_t algorithm) 767 gnutls_mac_algorithm_t algorithm)
768{ /* actually returns the priority */ 768{ /* actually returns the priority */
769 unsigned int i; 769 unsigned int i;
770 for (i = 0; i < session->internals.priorities.mac.algorithms; i++) 770 for (i = 0; i < session->internals.priorities.mac.num_algorithms; i++)
771 { 771 {
772 if (session->internals.priorities.mac.priority[i] == algorithm) 772 if (session->internals.priorities.mac.priority[i] == algorithm)
773 return i; 773 return i;
@@ -893,7 +893,7 @@ _gnutls_compression_priority (gnutls_session_t session,
893 gnutls_compression_method_t algorithm) 893 gnutls_compression_method_t algorithm)
894{ /* actually returns the priority */ 894{ /* actually returns the priority */
895 unsigned int i; 895 unsigned int i;
896 for (i = 0; i < session->internals.priorities.compression.algorithms; i++) 896 for (i = 0; i < session->internals.priorities.compression.num_algorithms; i++)
897 { 897 {
898 if (session->internals.priorities.compression.priority[i] == algorithm) 898 if (session->internals.priorities.compression.priority[i] == algorithm)
899 return i; 899 return i;
@@ -1040,7 +1040,7 @@ _gnutls_cipher_priority (gnutls_session_t session,
1040 gnutls_cipher_algorithm_t algorithm) 1040 gnutls_cipher_algorithm_t algorithm)
1041{ 1041{
1042 unsigned int i; 1042 unsigned int i;
1043 for (i = 0; i < session->internals.priorities.cipher.algorithms; i++) 1043 for (i = 0; i < session->internals.priorities.cipher.num_algorithms; i++)
1044 { 1044 {
1045 if (session->internals.priorities.cipher.priority[i] == algorithm) 1045 if (session->internals.priorities.cipher.priority[i] == algorithm)
1046 return i; 1046 return i;
@@ -1176,7 +1176,7 @@ _gnutls_kx_priority (gnutls_session_t session,
1176 gnutls_kx_algorithm_t algorithm) 1176 gnutls_kx_algorithm_t algorithm)
1177{ 1177{
1178 unsigned int i; 1178 unsigned int i;
1179 for (i = 0; i < session->internals.priorities.kx.algorithms; i++) 1179 for (i = 0; i < session->internals.priorities.kx.num_algorithms; i++)
1180 { 1180 {
1181 if (session->internals.priorities.kx.priority[i] == algorithm) 1181 if (session->internals.priorities.kx.priority[i] == algorithm)
1182 return i; 1182 return i;
@@ -1276,7 +1276,7 @@ _gnutls_version_priority (gnutls_session_t session, gnutls_protocol_t version)
1276 return -1; 1276 return -1;
1277 } 1277 }
1278 1278
1279 for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) 1279 for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++)
1280 { 1280 {
1281 if (session->internals.priorities.protocol.priority[i] == version) 1281 if (session->internals.priorities.protocol.priority[i] == version)
1282 return i; 1282 return i;
@@ -1294,7 +1294,7 @@ _gnutls_version_lowest (gnutls_session_t session)
1294 return MHD_GNUTLS_VERSION_UNKNOWN; 1294 return MHD_GNUTLS_VERSION_UNKNOWN;
1295 } 1295 }
1296 else 1296 else
1297 for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) 1297 for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++)
1298 { 1298 {
1299 if (session->internals.priorities.protocol.priority[i] < min) 1299 if (session->internals.priorities.protocol.priority[i] < min)
1300 min = session->internals.priorities.protocol.priority[i]; 1300 min = session->internals.priorities.protocol.priority[i];
@@ -1316,7 +1316,7 @@ _gnutls_version_max (gnutls_session_t session)
1316 return MHD_GNUTLS_VERSION_UNKNOWN; 1316 return MHD_GNUTLS_VERSION_UNKNOWN;
1317 } 1317 }
1318 else 1318 else
1319 for (i = 0; i < session->internals.priorities.protocol.algorithms; i++) 1319 for (i = 0; i < session->internals.priorities.protocol.num_algorithms; i++)
1320 { 1320 {
1321 if (session->internals.priorities.protocol.priority[i] > max) 1321 if (session->internals.priorities.protocol.priority[i] > max)
1322 max = session->internals.priorities.protocol.priority[i]; 1322 max = session->internals.priorities.protocol.priority[i];
@@ -1886,7 +1886,7 @@ _gnutls_supported_ciphersuites (gnutls_session_t session,
1886 1886
1887/* returns the TLS numbers of the compression methods we support 1887/* returns the TLS numbers of the compression methods we support
1888 */ 1888 */
1889#define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.algorithms 1889#define SUPPORTED_COMPRESSION_METHODS session->internals.priorities.compression.num_algorithms
1890int 1890int
1891_gnutls_supported_compression_methods (gnutls_session_t session, 1891_gnutls_supported_compression_methods (gnutls_session_t session,
1892 uint8_t ** comp) 1892 uint8_t ** comp)
diff --git a/src/daemon/https/tls/gnutls_anon_cred.c b/src/daemon/https/tls/gnutls_anon_cred.c
index 919315ef..fd0917f8 100644
--- a/src/daemon/https/tls/gnutls_anon_cred.c
+++ b/src/daemon/https/tls/gnutls_anon_cred.c
@@ -62,8 +62,9 @@ int
62gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t * 62gnutls_anon_allocate_server_credentials (gnutls_anon_server_credentials_t *
63 sc) 63 sc)
64{ 64{
65
66 *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st)); 65 *sc = gnutls_calloc (1, sizeof (anon_server_credentials_st));
66 if (*sc == NULL)
67 return GNUTLS_E_MEMORY_ERROR;
67 68
68 return 0; 69 return 0;
69} 70}
diff --git a/src/daemon/https/tls/gnutls_db.c b/src/daemon/https/tls/gnutls_db.c
deleted file mode 100644
index 806961c1..00000000
--- a/src/daemon/https/tls/gnutls_db.c
+++ /dev/null
@@ -1,386 +0,0 @@
1/*
2 * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25/* This file contains functions that manipulate a database backend
26 * for resumed sessions.
27 */
28
29#include "gnutls_int.h"
30#include "gnutls_errors.h"
31// #include "gnutls_session.h"
32#include <gnutls_db.h>
33#include "debug.h"
34#include <gnutls_session_pack.h>
35#include <gnutls_datum.h>
36
37/**
38 * gnutls_db_set_retrieve_function - Sets the function that will be used to get data
39 * @session: is a #gnutls_session_t structure.
40 * @retr_func: is the function.
41 *
42 * Sets the function that will be used to retrieve data from the resumed
43 * sessions database. This function must return a gnutls_datum_t containing the
44 * data on success, or a gnutls_datum_t containing null and 0 on failure.
45 *
46 * The datum's data must be allocated using the function
47 * gnutls_malloc().
48 *
49 * The first argument to retr_func() will be null unless gnutls_db_set_ptr()
50 * has been called.
51 *
52 **/
53void
54gnutls_db_set_retrieve_function (gnutls_session_t session,
55 gnutls_db_retr_func retr_func)
56{
57 session->internals.db_retrieve_func = retr_func;
58}
59
60/**
61 * gnutls_db_set_remove_function - Sets the function that will be used to remove data
62 * @session: is a #gnutls_session_t structure.
63 * @rem_func: is the function.
64 *
65 * Sets the function that will be used to remove data from the resumed
66 * sessions database. This function must return 0 on success.
67 *
68 * The first argument to rem_func() will be null unless gnutls_db_set_ptr()
69 * has been called.
70 *
71 **/
72void
73gnutls_db_set_remove_function (gnutls_session_t session,
74 gnutls_db_remove_func rem_func)
75{
76 session->internals.db_remove_func = rem_func;
77}
78
79/**
80 * gnutls_db_set_store_function - Sets the function that will be used to put data
81 * @session: is a #gnutls_session_t structure.
82 * @store_func: is the function
83 *
84 * Sets the function that will be used to store data from the resumed
85 * sessions database. This function must remove 0 on success.
86 *
87 * The first argument to store_func() will be null unless gnutls_db_set_ptr()
88 * has been called.
89 *
90 **/
91void
92gnutls_db_set_store_function (gnutls_session_t session,
93 gnutls_db_store_func store_func)
94{
95 session->internals.db_store_func = store_func;
96}
97
98/**
99 * gnutls_db_set_ptr - Sets a pointer to be sent to db functions
100 * @session: is a #gnutls_session_t structure.
101 * @ptr: is the pointer
102 *
103 * Sets the pointer that will be provided to db store, retrieve and delete functions, as
104 * the first argument.
105 *
106 **/
107void
108gnutls_db_set_ptr (gnutls_session_t session, void *ptr)
109{
110 session->internals.db_ptr = ptr;
111}
112
113/**
114 * gnutls_db_get_ptr - Returns the pointer which is sent to db functions
115 * @session: is a #gnutls_session_t structure.
116 *
117 * Returns the pointer that will be sent to db store, retrieve and delete functions, as
118 * the first argument.
119 *
120 **/
121void *
122gnutls_db_get_ptr (gnutls_session_t session)
123{
124 return session->internals.db_ptr;
125}
126
127/**
128 * gnutls_db_set_cache_expiration - Sets the expiration time for resumed sessions.
129 * @session: is a #gnutls_session_t structure.
130 * @seconds: is the number of seconds.
131 *
132 * Sets the expiration time for resumed sessions. The default is 3600 (one hour)
133 * at the time writing this.
134 **/
135void
136gnutls_db_set_cache_expiration (gnutls_session_t session, int seconds)
137{
138 session->internals.expire_time = seconds;
139}
140
141/**
142 * gnutls_db_check_entry - checks if the given db entry has expired
143 * @session: is a #gnutls_session_t structure.
144 * @session_entry: is the session data (not key)
145 *
146 * This function returns GNUTLS_E_EXPIRED, if the database entry
147 * has expired or 0 otherwise. This function is to be used when
148 * you want to clear unnesessary session which occupy space in your
149 * backend.
150 *
151 **/
152int
153gnutls_db_check_entry (gnutls_session_t session, gnutls_datum_t session_entry)
154{
155 time_t timestamp;
156
157 timestamp = time (0);
158
159 if (session_entry.data != NULL)
160 if (timestamp -
161 ((security_parameters_st *) (session_entry.data))->timestamp <=
162 session->internals.expire_time
163 || ((security_parameters_st *) (session_entry.data))->
164 timestamp > timestamp
165 || ((security_parameters_st *) (session_entry.data))->timestamp == 0)
166 return GNUTLS_E_EXPIRED;
167
168 return 0;
169}
170
171/* The format of storing data is:
172 * (forget it). Check gnutls_session_pack.c
173 */
174int
175_gnutls_server_register_current_session (gnutls_session_t session)
176{
177 gnutls_datum_t key;
178 gnutls_datum_t content;
179 int ret = 0;
180
181 key.data = session->security_parameters.session_id;
182 key.size = session->security_parameters.session_id_size;
183
184 if (session->internals.resumable == RESUME_FALSE)
185 {
186 gnutls_assert ();
187 return GNUTLS_E_INVALID_SESSION;
188 }
189
190 if (session->security_parameters.session_id == NULL
191 || session->security_parameters.session_id_size == 0)
192 {
193 gnutls_assert ();
194 return GNUTLS_E_INVALID_SESSION;
195 }
196
197/* copy data */
198 ret = _gnutls_session_pack (session, &content);
199 if (ret < 0)
200 {
201 gnutls_assert ();
202 return ret;
203 }
204
205 ret = _gnutls_store_session (session, key, content);
206 _gnutls_free_datum (&content);
207
208 return ret;
209}
210
211/* Checks if both db_store and db_retrieve functions have
212 * been set up.
213 */
214static int
215_gnutls_db_func_is_ok (gnutls_session_t session)
216{
217 if (session->internals.db_store_func != NULL &&
218 session->internals.db_retrieve_func != NULL &&
219 session->internals.db_remove_func != NULL)
220 return 0;
221 else
222 return GNUTLS_E_DB_ERROR;
223}
224
225
226int
227_gnutls_server_restore_session (gnutls_session_t session,
228 uint8_t * session_id, int session_id_size)
229{
230 gnutls_datum_t data;
231 gnutls_datum_t key;
232 int ret;
233
234 key.data = session_id;
235 key.size = session_id_size;
236
237 if (_gnutls_db_func_is_ok (session) != 0)
238 {
239 gnutls_assert ();
240 return GNUTLS_E_INVALID_SESSION;
241 }
242
243 data = _gnutls_retrieve_session (session, key);
244
245 if (data.data == NULL)
246 {
247 gnutls_assert ();
248 return GNUTLS_E_INVALID_SESSION;
249 }
250
251 /* expiration check is performed inside */
252 ret = gnutls_session_set_data (session, data.data, data.size);
253 if (ret < 0)
254 {
255 gnutls_assert ();
256 return ret;
257 }
258
259 gnutls_free (data.data);
260
261 return 0;
262}
263
264int
265_gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id,
266 int session_id_size)
267{
268 gnutls_datum_t key;
269
270 key.data = session_id;
271 key.size = session_id_size;
272
273 return _gnutls_remove_session (session, key);
274}
275
276
277/* Stores session data to the db backend.
278 */
279int
280_gnutls_store_session (gnutls_session_t session,
281 gnutls_datum_t session_id, gnutls_datum_t session_data)
282{
283 int ret = 0;
284
285 if (session->internals.resumable == RESUME_FALSE)
286 {
287 gnutls_assert ();
288 return GNUTLS_E_INVALID_SESSION;
289 }
290
291 if (_gnutls_db_func_is_ok (session) != 0)
292 {
293 return GNUTLS_E_DB_ERROR;
294 }
295
296 if (session_id.data == NULL || session_id.size == 0)
297 {
298 gnutls_assert ();
299 return GNUTLS_E_INVALID_SESSION;
300 }
301
302 if (session_data.data == NULL || session_data.size == 0)
303 {
304 gnutls_assert ();
305 return GNUTLS_E_INVALID_SESSION;
306 }
307 /* if we can't read why bother writing? */
308
309 if (session->internals.db_store_func != NULL)
310 ret =
311 session->internals.db_store_func (session->internals.db_ptr,
312 session_id, session_data);
313
314 return (ret == 0 ? ret : GNUTLS_E_DB_ERROR);
315
316}
317
318/* Retrieves session data from the db backend.
319 */
320gnutls_datum_t
321_gnutls_retrieve_session (gnutls_session_t session, gnutls_datum_t session_id)
322{
323 gnutls_datum_t ret = { NULL, 0 };
324
325 if (session_id.data == NULL || session_id.size == 0)
326 {
327 gnutls_assert ();
328 return ret;
329 }
330
331 if (session->internals.db_retrieve_func != NULL)
332 ret =
333 session->internals.db_retrieve_func (session->internals.db_ptr,
334 session_id);
335
336 return ret;
337
338}
339
340/* Removes session data from the db backend.
341 */
342int
343_gnutls_remove_session (gnutls_session_t session, gnutls_datum_t session_id)
344{
345 int ret = 0;
346
347 if (_gnutls_db_func_is_ok (session) != 0)
348 {
349 return GNUTLS_E_DB_ERROR;
350 }
351
352 if (session_id.data == NULL || session_id.size == 0)
353 return GNUTLS_E_INVALID_SESSION;
354
355 /* if we can't read why bother writing? */
356 if (session->internals.db_remove_func != NULL)
357 ret =
358 session->internals.db_remove_func (session->internals.db_ptr,
359 session_id);
360
361 return (ret == 0 ? ret : GNUTLS_E_DB_ERROR);
362
363}
364
365/**
366 * gnutls_db_remove_session - This function will remove the current session data from the database
367 * @session: is a #gnutls_session_t structure.
368 *
369 * This function will remove the current session data from the session
370 * database. This will prevent future handshakes reusing these session
371 * data. This function should be called if a session was terminated
372 * abnormally, and before gnutls_deinit() is called.
373 *
374 * Normally gnutls_deinit() will remove abnormally terminated sessions.
375 *
376 **/
377void
378gnutls_db_remove_session (gnutls_session_t session)
379{
380 /* if the session has failed abnormally it has
381 * to be removed from the db
382 */
383 _gnutls_db_remove_session (session,
384 session->security_parameters.session_id,
385 session->security_parameters.session_id_size);
386}
diff --git a/src/daemon/https/tls/gnutls_db.h b/src/daemon/https/tls/gnutls_db.h
deleted file mode 100644
index 9adece4e..00000000
--- a/src/daemon/https/tls/gnutls_db.h
+++ /dev/null
@@ -1,37 +0,0 @@
1/*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25int _gnutls_server_register_current_session (gnutls_session_t session);
26int _gnutls_server_restore_session (gnutls_session_t session,
27 uint8_t * session_id,
28 int session_id_size);
29int _gnutls_db_remove_session (gnutls_session_t session, uint8_t * session_id,
30 int session_id_size);
31int _gnutls_store_session (gnutls_session_t session,
32 gnutls_datum_t session_id,
33 gnutls_datum_t session_data);
34gnutls_datum_t _gnutls_retrieve_session (gnutls_session_t session,
35 gnutls_datum_t session_id);
36int _gnutls_remove_session (gnutls_session_t session,
37 gnutls_datum_t session_id);
diff --git a/src/daemon/https/tls/gnutls_handshake.c b/src/daemon/https/tls/gnutls_handshake.c
index b304bdcb..5f56822e 100644
--- a/src/daemon/https/tls/gnutls_handshake.c
+++ b/src/daemon/https/tls/gnutls_handshake.c
@@ -37,7 +37,6 @@
37#include "gnutls_handshake.h" 37#include "gnutls_handshake.h"
38#include "gnutls_num.h" 38#include "gnutls_num.h"
39#include "gnutls_hash_int.h" 39#include "gnutls_hash_int.h"
40#include "gnutls_db.h"
41#include "gnutls_extensions.h" 40#include "gnutls_extensions.h"
42#include "gnutls_supplemental.h" 41#include "gnutls_supplemental.h"
43#include "gnutls_auth_int.h" 42#include "gnutls_auth_int.h"
@@ -338,7 +337,7 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
338 int datalen) 337 int datalen)
339{ 338{
340 uint8_t session_id_len; 339 uint8_t session_id_len;
341 int pos = 0, ret; 340 int pos = 0, ret = 0;
342 uint16_t suite_size, comp_size; 341 uint16_t suite_size, comp_size;
343 gnutls_protocol_t adv_version; 342 gnutls_protocol_t adv_version;
344 int neg_version; 343 int neg_version;
@@ -383,10 +382,10 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
383 } 382 }
384 DECR_LEN (len, session_id_len); 383 DECR_LEN (len, session_id_len);
385 384
386 ret = _gnutls_server_restore_session (session, &data[pos], session_id_len);
387 pos += session_id_len; 385 pos += session_id_len;
388 386
389 if (ret == 0) 387 /* TODO rm if support for resumed sessions won't be supported */
388 if (0)
390 { /* resumed! */ 389 { /* resumed! */
391 resume_copy_required_values (session); 390 resume_copy_required_values (session);
392 session->internals.resumed = RESUME_TRUE; 391 session->internals.resumed = RESUME_TRUE;
@@ -2647,12 +2646,6 @@ _gnutls_handshake_common (gnutls_session_t session)
2647 IMED_RET ("recv handshake final 2", ret); 2646 IMED_RET ("recv handshake final 2", ret);
2648 } 2647 }
2649 2648
2650 if (session->security_parameters.entity == GNUTLS_SERVER)
2651 {
2652 /* in order to support session resuming */
2653 _gnutls_server_register_current_session (session);
2654 }
2655
2656 /* clear handshake buffer */ 2649 /* clear handshake buffer */
2657 _gnutls_handshake_hash_buffers_clear (session); 2650 _gnutls_handshake_hash_buffers_clear (session);
2658 return ret; 2651 return ret;
diff --git a/src/daemon/https/tls/gnutls_int.h b/src/daemon/https/tls/gnutls_int.h
index 5d30ac58..7791b554 100644
--- a/src/daemon/https/tls/gnutls_int.h
+++ b/src/daemon/https/tls/gnutls_int.h
@@ -380,7 +380,7 @@ typedef struct
380typedef struct 380typedef struct
381 { 381 {
382 unsigned int priority[MAX_ALGOS]; 382 unsigned int priority[MAX_ALGOS];
383 unsigned int algorithms; 383 unsigned int num_algorithms;
384 } priority_st; 384 } priority_st;
385 385
386/* For the external api */ 386/* For the external api */
@@ -391,6 +391,8 @@ struct gnutls_priority_st
391 priority_st kx; 391 priority_st kx;
392 priority_st compression; 392 priority_st compression;
393 priority_st protocol; 393 priority_st protocol;
394
395 /* certificate type : x509, OpenPGP, etc. */
394 priority_st cert_type; 396 priority_st cert_type;
395 397
396 /* to disable record padding */ 398 /* to disable record padding */
diff --git a/src/daemon/https/tls/gnutls_priority.c b/src/daemon/https/tls/gnutls_priority.c
index 0dfb27e3..cea6446b 100644
--- a/src/daemon/https/tls/gnutls_priority.c
+++ b/src/daemon/https/tls/gnutls_priority.c
@@ -56,7 +56,7 @@ gnutls_cipher_set_priority (gnutls_session_t session, const int *list)
56 num++; 56 num++;
57 if (num > MAX_ALGOS) 57 if (num > MAX_ALGOS)
58 num = MAX_ALGOS; 58 num = MAX_ALGOS;
59 session->internals.priorities.cipher.algorithms = num; 59 session->internals.priorities.cipher.num_algorithms = num;
60 60
61 for (i = 0; i < num; i++) 61 for (i = 0; i < num; i++)
62 { 62 {
@@ -75,7 +75,7 @@ _set_priority (priority_st * st, const int *list)
75 num++; 75 num++;
76 if (num > MAX_ALGOS) 76 if (num > MAX_ALGOS)
77 num = MAX_ALGOS; 77 num = MAX_ALGOS;
78 st->algorithms = num; 78 st->num_algorithms = num;
79 79
80 for (i = 0; i < num; i++) 80 for (i = 0; i < num; i++)
81 { 81 {
diff --git a/src/daemon/https/tls/gnutls_record.c b/src/daemon/https/tls/gnutls_record.c
index e52cf922..68c83330 100644
--- a/src/daemon/https/tls/gnutls_record.c
+++ b/src/daemon/https/tls/gnutls_record.c
@@ -35,7 +35,6 @@
35#include "gnutls_hash_int.h" 35#include "gnutls_hash_int.h"
36#include "gnutls_cipher_int.h" 36#include "gnutls_cipher_int.h"
37#include "gnutls_algorithms.h" 37#include "gnutls_algorithms.h"
38#include "gnutls_db.h"
39#include "gnutls_auth_int.h" 38#include "gnutls_auth_int.h"
40#include "gnutls_num.h" 39#include "gnutls_num.h"
41#include "gnutls_record.h" 40#include "gnutls_record.h"
@@ -289,7 +288,7 @@ session_is_valid (gnutls_session_t session)
289 return 0; 288 return 0;
290} 289}
291 290
292/* Copies the record version into the headers. The 291/* Copies the record version into the headers. The
293 * version must have 2 bytes at least. 292 * version must have 2 bytes at least.
294 */ 293 */
295inline static void 294inline static void
@@ -316,7 +315,7 @@ copy_record_version (gnutls_session_t session,
316/* This function behaves exactly like write(). The only difference is 315/* This function behaves exactly like write(). The only difference is
317 * that it accepts, the gnutls_session_t and the content_type_t of data to 316 * that it accepts, the gnutls_session_t and the content_type_t of data to
318 * send (if called by the user the Content is specific) 317 * send (if called by the user the Content is specific)
319 * It is intended to transfer data, under the current session. 318 * It is intended to transfer data, under the current session.
320 * 319 *
321 * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE. 320 * Oct 30 2001: Removed capability to send data more than MAX_RECORD_SIZE.
322 * This makes the function much easier to read, and more error resistant 321 * This makes the function much easier to read, and more error resistant
@@ -376,7 +375,7 @@ _gnutls_send_int (gnutls_session_t session,
376 else 375 else
377 data2send_size = sizeofdata; 376 data2send_size = sizeofdata;
378 377
379 /* Only encrypt if we don't have data to send 378 /* Only encrypt if we don't have data to send
380 * from the previous run. - probably interrupted. 379 * from the previous run. - probably interrupted.
381 */ 380 */
382 if (session->internals.record_send_buffer.length > 0) 381 if (session->internals.record_send_buffer.length > 0)
@@ -469,7 +468,7 @@ _gnutls_send_int (gnutls_session_t session,
469 return retval; 468 return retval;
470} 469}
471 470
472/* This function is to be called if the handshake was successfully 471/* This function is to be called if the handshake was successfully
473 * completed. This sends a Change Cipher Spec packet to the peer. 472 * completed. This sends a Change Cipher Spec packet to the peer.
474 */ 473 */
475ssize_t 474ssize_t
@@ -556,8 +555,8 @@ record_check_headers (gnutls_session_t session,
556 uint16_t * length, uint16_t * header_size) 555 uint16_t * length, uint16_t * header_size)
557{ 556{
558 557
559 /* Read the first two bytes to determine if this is a 558 /* Read the first two bytes to determine if this is a
560 * version 2 message 559 * version 2 message
561 */ 560 */
562 561
563 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE 562 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE
@@ -565,7 +564,7 @@ record_check_headers (gnutls_session_t session,
565 { 564 {
566 565
567 /* if msb set and expecting handshake message 566 /* if msb set and expecting handshake message
568 * it should be SSL 2 hello 567 * it should be SSL 2 hello
569 */ 568 */
570 version[0] = 3; /* assume SSL 3.0 */ 569 version[0] = 3; /* assume SSL 3.0 */
571 version[1] = 0; 570 version[1] = 0;
@@ -593,7 +592,7 @@ record_check_headers (gnutls_session_t session,
593 version[0] = headers[1]; 592 version[0] = headers[1];
594 version[1] = headers[2]; 593 version[1] = headers[2];
595 594
596 /* No DECR_LEN, since headers has enough size. 595 /* No DECR_LEN, since headers has enough size.
597 */ 596 */
598 *length = _gnutls_read_uint16 (&headers[3]); 597 *length = _gnutls_read_uint16 (&headers[3]);
599 } 598 }
@@ -676,7 +675,7 @@ record_check_type (gnutls_session_t session,
676 */ 675 */
677 if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL) 676 if (data[1] == GNUTLS_A_CLOSE_NOTIFY && data[0] != GNUTLS_AL_FATAL)
678 { 677 {
679 /* If we have been expecting for an alert do 678 /* If we have been expecting for an alert do
680 */ 679 */
681 session->internals.read_eof = 1; 680 session->internals.read_eof = 1;
682 return GNUTLS_E_INT_RET_0; /* EOF */ 681 return GNUTLS_E_INT_RET_0; /* EOF */
@@ -911,7 +910,7 @@ begin:
911 } 910 }
912 911
913 /* Here we check if the Type of the received packet is 912 /* Here we check if the Type of the received packet is
914 * ok. 913 * ok.
915 */ 914 */
916 if ((ret = check_recv_type (recv_type)) < 0) 915 if ((ret = check_recv_type (recv_type)) < 0)
917 { 916 {
@@ -952,7 +951,7 @@ begin:
952 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; 951 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
953 } 952 }
954 953
955 /* check if we have that data into buffer. 954 /* check if we have that data into buffer.
956 */ 955 */
957 if ((ret = _gnutls_io_read_buffered (session, &recv_data, 956 if ((ret = _gnutls_io_read_buffered (session, &recv_data,
958 header_size + length, recv_type)) 957 header_size + length, recv_type))
@@ -1017,7 +1016,7 @@ begin:
1017 read_sequence_number), 1016 read_sequence_number),
1018 _gnutls_packet2str (recv_type), recv_type, decrypted_length); 1017 _gnutls_packet2str (recv_type), recv_type, decrypted_length);
1019 1018
1020 /* increase sequence number 1019 /* increase sequence number
1021 */ 1020 */
1022 if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0) 1021 if (_gnutls_uint64pp (&session->connection_state.read_sequence_number) != 0)
1023 { 1022 {
@@ -1037,7 +1036,7 @@ begin:
1037 return ret; 1036 return ret;
1038 } 1037 }
1039 1038
1040 /* Get Application data from buffer 1039 /* Get Application data from buffer
1041 */ 1040 */
1042 if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type 1041 if ((recv_type == type) && (type == GNUTLS_APPLICATION_DATA || type
1043 == GNUTLS_HANDSHAKE 1042 == GNUTLS_HANDSHAKE
@@ -1051,7 +1050,7 @@ begin:
1051 return ret; 1050 return ret;
1052 } 1051 }
1053 1052
1054 /* if the buffer just got empty 1053 /* if the buffer just got empty
1055 */ 1054 */
1056 if (_gnutls_record_buffer_get_size (type, session) == 0) 1055 if (_gnutls_record_buffer_get_size (type, session) == 0)
1057 { 1056 {
@@ -1066,11 +1065,11 @@ begin:
1066 { 1065 {
1067 gnutls_assert (); 1066 gnutls_assert ();
1068 return GNUTLS_E_UNEXPECTED_PACKET; 1067 return GNUTLS_E_UNEXPECTED_PACKET;
1069 /* we didn't get what we wanted to 1068 /* we didn't get what we wanted to
1070 */ 1069 */
1071 } 1070 }
1072 1071
1073 /* (originally for) TLS 1.0 CBC protection. 1072 /* (originally for) TLS 1.0 CBC protection.
1074 * Actually this code is called if we just received 1073 * Actually this code is called if we just received
1075 * an empty packet. An empty TLS packet is usually 1074 * an empty packet. An empty TLS packet is usually
1076 * sent to protect some vulnerabilities in the CBC mode. 1075 * sent to protect some vulnerabilities in the CBC mode.
diff --git a/src/daemon/https/tls/gnutls_session.c b/src/daemon/https/tls/gnutls_session.c
index 541cc699..fb9b5e80 100644
--- a/src/daemon/https/tls/gnutls_session.c
+++ b/src/daemon/https/tls/gnutls_session.c
@@ -24,7 +24,7 @@
24#include "gnutls_int.h" 24#include "gnutls_int.h"
25#include "gnutls_errors.h" 25#include "gnutls_errors.h"
26#include "debug.h" 26#include "debug.h"
27#include <gnutls_session_pack.h> 27#include "gnutls_session_pack.h"
28#include <gnutls_datum.h> 28#include <gnutls_datum.h>
29 29
30/** 30/**
@@ -123,10 +123,10 @@ gnutls_session_get_data2 (gnutls_session_t session, gnutls_datum_t * data)
123 * 123 *
124 * Returns the current session id. This can be used if you want to check if 124 * Returns the current session id. This can be used if you want to check if
125 * the next session you tried to resume was actually resumed. 125 * the next session you tried to resume was actually resumed.
126 * This is because resumed sessions have the same sessionID with the 126 * This is because resumed sessions have the same sessionID with the
127 * original session. 127 * original session.
128 * 128 *
129 * Session id is some data set by the server, that identify the current session. 129 * Session id is some data set by the server, that identify the current session.
130 * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes. 130 * In TLS 1.0 and SSL 3.0 session id is always less than 32 bytes.
131 * 131 *
132 * Returns zero on success. 132 * Returns zero on success.
diff --git a/src/daemon/https/tls/gnutls_session_pack.c b/src/daemon/https/tls/gnutls_session_pack.c
index ed4945b6..3e549c4c 100644
--- a/src/daemon/https/tls/gnutls_session_pack.c
+++ b/src/daemon/https/tls/gnutls_session_pack.c
@@ -54,6 +54,169 @@ static int unpack_security_parameters (gnutls_session_t session,
54static int pack_security_parameters (gnutls_session_t session, 54static int pack_security_parameters (gnutls_session_t session,
55 gnutls_datum_t * packed_session); 55 gnutls_datum_t * packed_session);
56 56
57/* Packs the ANON session authentication data. */
58#ifdef ENABLE_ANON
59
60/* Format:
61 * 1 byte the credentials type
62 * 4 bytes the size of the whole structure
63 * 2 bytes the size of secret key in bits
64 * 4 bytes the size of the prime
65 * x bytes the prime
66 * 4 bytes the size of the generator
67 * x bytes the generator
68 * 4 bytes the size of the public key
69 * x bytes the public key
70 */
71static int
72pack_anon_auth_info (gnutls_session_t session, gnutls_datum_t * packed_session)
73{
74 anon_auth_info_t info = _gnutls_get_auth_info (session);
75 int pos = 0;
76 size_t pack_size;
77
78 if (info)
79 pack_size = 2 + 4 * 3 + info->dh.prime.size +
80 info->dh.generator.size + info->dh.public_key.size;
81 else
82 pack_size = 0;
83
84 packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t);
85
86 /* calculate the size and allocate the data.
87 */
88 packed_session->data =
89 gnutls_malloc (packed_session->size + MAX_SEC_PARAMS);
90
91 if (packed_session->data == NULL)
92 {
93 gnutls_assert ();
94 return GNUTLS_E_MEMORY_ERROR;
95 }
96
97 packed_session->data[0] = MHD_GNUTLS_CRD_ANON;
98 _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]);
99 pos += 4 + PACK_HEADER_SIZE;
100
101 if (pack_size > 0)
102 {
103 _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]);
104 pos += 2;
105
106 _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime);
107 pos += 4 + info->dh.prime.size;
108 _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator);
109 pos += 4 + info->dh.generator.size;
110 _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key);
111 pos += 4 + info->dh.public_key.size;
112
113 }
114
115 return 0;
116}
117
118/* Format:
119 * 1 byte the credentials type
120 * 4 bytes the size of the whole structure
121 * 2 bytes the size of secret key in bits
122 * 4 bytes the size of the prime
123 * x bytes the prime
124 * 4 bytes the size of the generator
125 * x bytes the generator
126 * 4 bytes the size of the public key
127 * x bytes the public key
128 */
129static int
130unpack_anon_auth_info (gnutls_session_t session,
131 const gnutls_datum_t * packed_session)
132{
133 size_t pack_size;
134 int pos = 0, size, ret;
135 anon_auth_info_t info;
136
137 if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON)
138 {
139 gnutls_assert ();
140 return GNUTLS_E_INVALID_REQUEST;
141 }
142
143 pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]);
144 pos += PACK_HEADER_SIZE + 4;
145
146
147 if (pack_size == 0)
148 return 0; /* nothing to be done */
149
150 /* a simple check for integrity */
151 if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size)
152 {
153 gnutls_assert ();
154 return GNUTLS_E_INVALID_REQUEST;
155 }
156
157 /* client and serer have the same auth_info here
158 */
159 ret =
160 _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON,
161 sizeof (anon_auth_info_st), 1);
162 if (ret < 0)
163 {
164 gnutls_assert ();
165 return ret;
166 }
167
168 info = _gnutls_get_auth_info (session);
169 if (info == NULL)
170 {
171 gnutls_assert ();
172 return GNUTLS_E_INTERNAL_ERROR;
173 }
174
175 info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]);
176 pos += 2;
177
178 size = _gnutls_read_uint32 (&packed_session->data[pos]);
179 pos += 4;
180 ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size);
181 if (ret < 0)
182 {
183 gnutls_assert ();
184 goto error;
185 }
186 pos += size;
187
188 size = _gnutls_read_uint32 (&packed_session->data[pos]);
189 pos += 4;
190 ret =
191 _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size);
192 if (ret < 0)
193 {
194 gnutls_assert ();
195 goto error;
196 }
197 pos += size;
198
199 size = _gnutls_read_uint32 (&packed_session->data[pos]);
200 pos += 4;
201 ret =
202 _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos],
203 size);
204 if (ret < 0)
205 {
206 gnutls_assert ();
207 goto error;
208 }
209 pos += size;
210
211 return 0;
212
213error:
214 _gnutls_free_datum (&info->dh.prime);
215 _gnutls_free_datum (&info->dh.generator);
216 _gnutls_free_datum (&info->dh.public_key);
217 return ret;
218}
219#endif /* ANON */
57 220
58/* Since auth_info structures contain malloced data, this function 221/* Since auth_info structures contain malloced data, this function
59 * is required in order to pack these structures in a vector in 222 * is required in order to pack these structures in a vector in
@@ -121,7 +284,7 @@ _gnutls_session_pack (gnutls_session_t session,
121 284
122 } 285 }
123 286
124 /* Auth_info structures copied. Now copy security_parameters_st. 287 /* Auth_info structures copied. Now copy security_parameters_st.
125 * packed_session must have allocated space for the security parameters. 288 * packed_session must have allocated space for the security parameters.
126 */ 289 */
127 ret = pack_security_parameters (session, packed_session); 290 ret = pack_security_parameters (session, packed_session);
@@ -201,7 +364,7 @@ _gnutls_session_unpack (gnutls_session_t session,
201 364
202 } 365 }
203 366
204 /* Auth_info structures copied. Now copy security_parameters_st. 367 /* Auth_info structures copied. Now copy security_parameters_st.
205 * packed_session must have allocated space for the security parameters. 368 * packed_session must have allocated space for the security parameters.
206 */ 369 */
207 ret = unpack_security_parameters (session, packed_session); 370 ret = unpack_security_parameters (session, packed_session);
@@ -477,7 +640,7 @@ error:
477/* Packs the SRP session authentication data. 640/* Packs the SRP session authentication data.
478 */ 641 */
479 642
480/* Format: 643/* Format:
481 * 1 byte the credentials type 644 * 1 byte the credentials type
482 * 4 bytes the size of the SRP username (x) 645 * 4 bytes the size of the SRP username (x)
483 * x bytes the SRP username 646 * x bytes the SRP username
@@ -569,167 +732,12 @@ unpack_srp_auth_info (gnutls_session_t session,
569#endif 732#endif
570 733
571 734
572#ifdef ENABLE_ANON
573/* Packs the ANON session authentication data.
574 */
575
576/* Format:
577 * 1 byte the credentials type
578 * 4 bytes the size of the whole structure
579 * 2 bytes the size of secret key in bits
580 * 4 bytes the size of the prime
581 * x bytes the prime
582 * 4 bytes the size of the generator
583 * x bytes the generator
584 * 4 bytes the size of the public key
585 * x bytes the public key
586 */
587static int
588pack_anon_auth_info (gnutls_session_t session,
589 gnutls_datum_t * packed_session)
590{
591 anon_auth_info_t info = _gnutls_get_auth_info (session);
592 int pos = 0;
593 size_t pack_size;
594
595 if (info)
596 pack_size = 2 + 4 * 3 + info->dh.prime.size +
597 info->dh.generator.size + info->dh.public_key.size;
598 else
599 pack_size = 0;
600
601 packed_session->size = PACK_HEADER_SIZE + pack_size + sizeof (uint32_t);
602
603 /* calculate the size and allocate the data.
604 */
605 packed_session->data =
606 gnutls_malloc (packed_session->size + MAX_SEC_PARAMS);
607
608 if (packed_session->data == NULL)
609 {
610 gnutls_assert ();
611 return GNUTLS_E_MEMORY_ERROR;
612 }
613
614 packed_session->data[0] = MHD_GNUTLS_CRD_ANON;
615 _gnutls_write_uint32 (pack_size, &packed_session->data[PACK_HEADER_SIZE]);
616 pos += 4 + PACK_HEADER_SIZE;
617
618 if (pack_size > 0)
619 {
620 _gnutls_write_uint16 (info->dh.secret_bits, &packed_session->data[pos]);
621 pos += 2;
622
623 _gnutls_write_datum32 (&packed_session->data[pos], info->dh.prime);
624 pos += 4 + info->dh.prime.size;
625 _gnutls_write_datum32 (&packed_session->data[pos], info->dh.generator);
626 pos += 4 + info->dh.generator.size;
627 _gnutls_write_datum32 (&packed_session->data[pos], info->dh.public_key);
628 pos += 4 + info->dh.public_key.size;
629
630 }
631
632 return 0;
633}
634
635
636static int
637unpack_anon_auth_info (gnutls_session_t session,
638 const gnutls_datum_t * packed_session)
639{
640 size_t pack_size;
641 int pos = 0, size, ret;
642 anon_auth_info_t info;
643
644 if (packed_session->data[0] != MHD_GNUTLS_CRD_ANON)
645 {
646 gnutls_assert ();
647 return GNUTLS_E_INVALID_REQUEST;
648 }
649
650 pack_size = _gnutls_read_uint32 (&packed_session->data[PACK_HEADER_SIZE]);
651 pos += PACK_HEADER_SIZE + 4;
652
653
654 if (pack_size == 0)
655 return 0; /* nothing to be done */
656
657 /* a simple check for integrity */
658 if (pack_size + PACK_HEADER_SIZE + 4 > packed_session->size)
659 {
660 gnutls_assert ();
661 return GNUTLS_E_INVALID_REQUEST;
662 }
663
664 /* client and serer have the same auth_info here
665 */
666 ret =
667 _gnutls_auth_info_set (session, MHD_GNUTLS_CRD_ANON,
668 sizeof (anon_auth_info_st), 1);
669 if (ret < 0)
670 {
671 gnutls_assert ();
672 return ret;
673 }
674
675 info = _gnutls_get_auth_info (session);
676 if (info == NULL)
677 {
678 gnutls_assert ();
679 return GNUTLS_E_INTERNAL_ERROR;
680 }
681
682 info->dh.secret_bits = _gnutls_read_uint16 (&packed_session->data[pos]);
683 pos += 2;
684
685 size = _gnutls_read_uint32 (&packed_session->data[pos]);
686 pos += 4;
687 ret = _gnutls_set_datum (&info->dh.prime, &packed_session->data[pos], size);
688 if (ret < 0)
689 {
690 gnutls_assert ();
691 goto error;
692 }
693 pos += size;
694
695 size = _gnutls_read_uint32 (&packed_session->data[pos]);
696 pos += 4;
697 ret =
698 _gnutls_set_datum (&info->dh.generator, &packed_session->data[pos], size);
699 if (ret < 0)
700 {
701 gnutls_assert ();
702 goto error;
703 }
704 pos += size;
705
706 size = _gnutls_read_uint32 (&packed_session->data[pos]);
707 pos += 4;
708 ret =
709 _gnutls_set_datum (&info->dh.public_key, &packed_session->data[pos],
710 size);
711 if (ret < 0)
712 {
713 gnutls_assert ();
714 goto error;
715 }
716 pos += size;
717
718 return 0;
719
720error:
721 _gnutls_free_datum (&info->dh.prime);
722 _gnutls_free_datum (&info->dh.generator);
723 _gnutls_free_datum (&info->dh.public_key);
724 return ret;
725}
726#endif /* ANON */
727 735
728#ifdef ENABLE_PSK 736#ifdef ENABLE_PSK
729/* Packs the PSK session authentication data. 737/* Packs the PSK session authentication data.
730 */ 738 */
731 739
732/* Format: 740/* Format:
733 * 1 byte the credentials type 741 * 1 byte the credentials type
734 * 4 bytes the size of the whole structure 742 * 4 bytes the size of the whole structure
735 * 4 bytes the size of the PSK username (x) 743 * 4 bytes the size of the PSK username (x)
@@ -909,7 +917,7 @@ error:
909/* Packs the security parameters. 917/* Packs the security parameters.
910 */ 918 */
911 919
912/* Format: 920/* Format:
913 * 4 bytes the total security data size 921 * 4 bytes the total security data size
914 * 1 byte the entity type (client/server) 922 * 1 byte the entity type (client/server)
915 * 1 byte the key exchange algorithm used 923 * 1 byte the key exchange algorithm used
@@ -947,7 +955,7 @@ error:
947 * 955 *
948 * 2 bytes the number of server name extensions (up to MAX_SERVER_NAME_EXTENSIONS) 956 * 2 bytes the number of server name extensions (up to MAX_SERVER_NAME_EXTENSIONS)
949 * 1 byte the first name type 957 * 1 byte the first name type
950 * 2 bytes the size of the first name 958 * 2 bytes the size of the first name
951 * x bytes the first name (MAX_SERVER_NAME_SIZE) 959 * x bytes the first name (MAX_SERVER_NAME_SIZE)
952 * and so on... 960 * and so on...
953 * 961 *
diff --git a/src/daemon/https/tls/gnutls_state.c b/src/daemon/https/tls/gnutls_state.c
index 3fde3db4..3931b393 100644
--- a/src/daemon/https/tls/gnutls_state.c
+++ b/src/daemon/https/tls/gnutls_state.c
@@ -32,7 +32,6 @@
32#include <gnutls_auth_int.h> 32#include <gnutls_auth_int.h>
33#include <gnutls_num.h> 33#include <gnutls_num.h>
34#include <gnutls_datum.h> 34#include <gnutls_datum.h>
35#include <gnutls_db.h>
36#include <gnutls_record.h> 35#include <gnutls_record.h>
37#include <gnutls_handshake.h> 36#include <gnutls_handshake.h>
38#include <gnutls_dh.h> 37#include <gnutls_dh.h>
@@ -154,11 +153,11 @@ _gnutls_session_cert_type_supported (gnutls_session_t session,
154 } 153 }
155 } 154 }
156 155
157 if (session->internals.priorities.cert_type.algorithms == 0 && cert_type 156 if (session->internals.priorities.cert_type.num_algorithms == 0 && cert_type
158 == DEFAULT_CERT_TYPE) 157 == DEFAULT_CERT_TYPE)
159 return 0; 158 return 0;
160 159
161 for (i = 0; i < session->internals.priorities.cert_type.algorithms; i++) 160 for (i = 0; i < session->internals.priorities.cert_type.num_algorithms; i++)
162 { 161 {
163 if (session->internals.priorities.cert_type.priority[i] == cert_type) 162 if (session->internals.priorities.cert_type.priority[i] == cert_type)
164 { 163 {
diff --git a/src/daemon/https/tls/gnutls_x509.c b/src/daemon/https/tls/gnutls_x509.c
index 7c84fa0a..a9b6829d 100644
--- a/src/daemon/https/tls/gnutls_x509.c
+++ b/src/daemon/https/tls/gnutls_x509.c
@@ -93,9 +93,9 @@ check_bits (gnutls_x509_crt_t crt, unsigned int max_bits)
93 * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status 93 * _gnutls_x509_cert_verify_peers - This function returns the peer's certificate status
94 * @session: is a gnutls session 94 * @session: is a gnutls session
95 * 95 *
96 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.). 96 * This function will try to verify the peer's certificate and return its status (TRUSTED, REVOKED etc.).
97 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements. 97 * The return value (status) should be one of the gnutls_certificate_status_t enumerated elements.
98 * However you must also check the peer's name in order to check if the verified certificate belongs to the 98 * However you must also check the peer's name in order to check if the verified certificate belongs to the
99 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. 99 * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
100 * 100 *
101 -*/ 101 -*/
@@ -178,7 +178,7 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
178 178
179 } 179 }
180 180
181 /* Verify certificate 181 /* Verify certificate
182 */ 182 */
183 ret = 183 ret =
184 gnutls_x509_crt_list_verify (peer_certificate_list, 184 gnutls_x509_crt_list_verify (peer_certificate_list,
@@ -522,7 +522,7 @@ parse_pem_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
522 } 522 }
523 _gnutls_free_datum (&tmp); /* free ptr2 */ 523 _gnutls_free_datum (&tmp); /* free ptr2 */
524 524
525 /* now we move ptr after the pem header 525 /* now we move ptr after the pem header
526 */ 526 */
527 ptr++; 527 ptr++;
528 /* find the next certificate (if any) 528 /* find the next certificate (if any)
@@ -794,18 +794,18 @@ read_key_file (gnutls_certificate_credentials_t res,
794 * @key: is the private key, or %NULL 794 * @key: is the private key, or %NULL
795 * @type: is PEM or DER 795 * @type: is PEM or DER
796 * 796 *
797 * This function sets a certificate/private key pair in the 797 * This function sets a certificate/private key pair in the
798 * gnutls_certificate_credentials_t structure. This function may be called 798 * gnutls_certificate_credentials_t structure. This function may be called
799 * more than once (in case multiple keys/certificates exist for the 799 * more than once (in case multiple keys/certificates exist for the
800 * server). 800 * server).
801 * 801 *
802 * Currently are supported: RSA PKCS-1 encoded private keys, 802 * Currently are supported: RSA PKCS-1 encoded private keys,
803 * DSA private keys. 803 * DSA private keys.
804 * 804 *
805 * DSA private keys are encoded the OpenSSL way, which is an ASN.1 805 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
806 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv. 806 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
807 * 807 *
808 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates 808 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
809 * is supported. This means that certificates intended for signing cannot 809 * is supported. This means that certificates intended for signing cannot
810 * be used for ciphersuites that require encryption. 810 * be used for ciphersuites that require encryption.
811 * 811 *
@@ -825,7 +825,7 @@ gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t
825{ 825{
826 int ret; 826 int ret;
827 827
828 /* this should be first 828 /* this should be first
829 */ 829 */
830 if ((ret = read_key_mem (res, key ? key->data : NULL, 830 if ((ret = read_key_mem (res, key ? key->data : NULL,
831 key ? key->size : 0, type)) < 0) 831 key ? key->size : 0, type)) < 0)
@@ -867,7 +867,7 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
867{ 867{
868 int ret, i; 868 int ret, i;
869 869
870 /* this should be first 870 /* this should be first
871 */ 871 */
872 872
873 res->pkey = 873 res->pkey =
@@ -956,7 +956,7 @@ gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t
956{ 956{
957 int ret; 957 int ret;
958 958
959 /* this should be first 959 /* this should be first
960 */ 960 */
961 if ((ret = read_key_file (res, KEYFILE, type)) < 0) 961 if ((ret = read_key_file (res, KEYFILE, type)) < 0)
962 return ret; 962 return ret;
@@ -983,7 +983,7 @@ generate_rdn_seq (gnutls_certificate_credentials_t res)
983 unsigned size, i; 983 unsigned size, i;
984 opaque *pdata; 984 opaque *pdata;
985 985
986 /* Generate the RDN sequence 986 /* Generate the RDN sequence
987 * This will be sent to clients when a certificate 987 * This will be sent to clients when a certificate
988 * request message is sent. 988 * request message is sent.
989 */ 989 */
@@ -1036,11 +1036,8 @@ generate_rdn_seq (gnutls_certificate_credentials_t res)
1036 return 0; 1036 return 0;
1037} 1037}
1038 1038
1039 1039/* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1040 1040 * certificate (uses the KeyUsage field).
1041
1042/* Returns 0 if it's ok to use the gnutls_kx_algorithm_t with this
1043 * certificate (uses the KeyUsage field).
1044 */ 1041 */
1045int 1042int
1046_gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg) 1043_gnutls_check_key_usage (const gnutls_cert * cert, gnutls_kx_algorithm_t alg)
@@ -1158,7 +1155,7 @@ parse_pem_ca_mem (gnutls_x509_crt_t ** cert_list, unsigned *ncerts,
1158 return ret; 1155 return ret;
1159 } 1156 }
1160 1157
1161 /* now we move ptr after the pem header 1158 /* now we move ptr after the pem header
1162 */ 1159 */
1163 ptr++; 1160 ptr++;
1164 size--; 1161 size--;
@@ -1452,7 +1449,7 @@ parse_pem_crl_mem (gnutls_x509_crl_t ** crl_list, unsigned *ncrls,
1452 return ret; 1449 return ret;
1453 } 1450 }
1454 1451
1455 /* now we move ptr after the pem header 1452 /* now we move ptr after the pem header
1456 */ 1453 */
1457 ptr++; 1454 ptr++;
1458 /* find the next certificate (if any) 1455 /* find the next certificate (if any)
diff --git a/src/daemon/https/x509/pkcs12.h b/src/daemon/https/x509/pkcs12.h
index 41878ff2..3c75dff5 100644
--- a/src/daemon/https/x509/pkcs12.h
+++ b/src/daemon/https/x509/pkcs12.h
@@ -23,7 +23,6 @@
23 */ 23 */
24 24
25/* TODO clean */ 25/* TODO clean */
26
27#ifndef GNUTLS_PKCS12_H 26#ifndef GNUTLS_PKCS12_H
28#define GNUTLS_PKCS12_H 27#define GNUTLS_PKCS12_H
29 28
diff --git a/src/daemon/internal.h b/src/daemon/internal.h
index 612b18da..796e5ad1 100644
--- a/src/daemon/internal.h
+++ b/src/daemon/internal.h
@@ -627,8 +627,13 @@ struct MHD_Daemon
627 unsigned short port; 627 unsigned short port;
628 628
629#if HTTPS_SUPPORT 629#if HTTPS_SUPPORT
630 /* server credintials */ 630 gnutls_credentials_type_t cred_type;
631 gnutls_certificate_credentials_t x509_cret; 631
632 /* server x509 credintials */
633 gnutls_certificate_credentials_t x509_cred;
634
635 /* credentials used for anonymous authentication */
636 gnutls_anon_server_credentials_t anon_cred;
632 637
633 /* cipher priority cache */ 638 /* cipher priority cache */
634 gnutls_priority_t priority_cache; 639 gnutls_priority_t priority_cache;
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index a934c16e..8a1fe022 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -64,8 +64,6 @@
64 * depend on your platform; for possible suggestions consult 64 * depend on your platform; for possible suggestions consult
65 * "platform.h" in the MHD distribution). 65 * "platform.h" in the MHD distribution).
66 * 66 *
67 * TODO:
68 * - Add option codes for SSL support
69 */ 67 */
70 68
71#ifndef MHD_MICROHTTPD_H 69#ifndef MHD_MICROHTTPD_H
@@ -380,6 +378,13 @@ enum MHD_OPTION
380 MHD_OPTION_HTTPS_MEM_CERT, 378 MHD_OPTION_HTTPS_MEM_CERT,
381 379
382 /* 380 /*
381 * daemon credentials type. either certificate or anonymous,
382 * this option should be followed by one of the values listed in
383 * gnutls_credentials_type_t.
384 */
385 MHD_OPTION_CRED_TYPE,
386
387 /*
383 * SSL/TLS protocol version 388 * SSL/TLS protocol version
384 * 389 *
385 * Memory pointer to a zero terminated int array representing the 390 * Memory pointer to a zero terminated int array representing the
@@ -714,11 +719,17 @@ typedef int
714 */ 719 */
715struct MHD_Daemon * 720struct MHD_Daemon *
716MHD_start_daemon_va (unsigned int options, 721MHD_start_daemon_va (unsigned int options,
717 unsigned short port, 722 unsigned short port, char * ip,
718 MHD_AcceptPolicyCallback apc, 723 MHD_AcceptPolicyCallback apc,
719 void *apc_cls, 724 void *apc_cls,
720 MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap); 725 MHD_AccessHandlerCallback dh, void *dh_cls, va_list ap);
721 726
727struct MHD_Daemon *
728MHD_start_daemon_ip (unsigned int options,
729 unsigned short port, char *ip,
730 MHD_AcceptPolicyCallback apc,
731 void *apc_cls,
732 MHD_AccessHandlerCallback dh, void *dh_cls, ...);
722 733
723/* 734/*
724 * Variadic version of MHD_start_daemon_va. This function will delegate calls 735 * Variadic version of MHD_start_daemon_va. This function will delegate calls
@@ -1025,6 +1036,7 @@ typedef enum
1025 MHD_GNUTLS_KX_SRP_DSS 1036 MHD_GNUTLS_KX_SRP_DSS
1026} gnutls_kx_algorithm_t; 1037} gnutls_kx_algorithm_t;
1027 1038
1039/* server credentials type */
1028typedef enum 1040typedef enum
1029{ 1041{
1030 MHD_GNUTLS_CRD_CERTIFICATE = 1, 1042 MHD_GNUTLS_CRD_CERTIFICATE = 1,
@@ -1034,6 +1046,7 @@ typedef enum
1034 MHD_GNUTLS_CRD_IA 1046 MHD_GNUTLS_CRD_IA
1035} gnutls_credentials_type_t; 1047} gnutls_credentials_type_t;
1036 1048
1049/* mac algorithm */
1037typedef enum 1050typedef enum
1038{ 1051{
1039 MHD_GNUTLS_MAC_UNKNOWN = 0, 1052 MHD_GNUTLS_MAC_UNKNOWN = 0,
@@ -1056,7 +1069,7 @@ typedef enum
1056 MHD_GNUTLS_DIG_SHA256 = MHD_GNUTLS_MAC_SHA256 1069 MHD_GNUTLS_DIG_SHA256 = MHD_GNUTLS_MAC_SHA256
1057} gnutls_digest_algorithm_t; 1070} gnutls_digest_algorithm_t;
1058 1071
1059 1072/* compression method */
1060typedef enum 1073typedef enum
1061{ 1074{
1062 MHD_GNUTLS_COMP_UNKNOWN = 0, 1075 MHD_GNUTLS_COMP_UNKNOWN = 0,
@@ -1067,6 +1080,7 @@ typedef enum
1067 */ 1080 */
1068} gnutls_compression_method_t; 1081} gnutls_compression_method_t;
1069 1082
1083/* protocol type */
1070typedef enum 1084typedef enum
1071{ 1085{
1072 MHD_GNUTLS_SSL3 = 1, 1086 MHD_GNUTLS_SSL3 = 1,
@@ -1076,6 +1090,7 @@ typedef enum
1076 MHD_GNUTLS_VERSION_UNKNOWN = 0xff 1090 MHD_GNUTLS_VERSION_UNKNOWN = 0xff
1077} gnutls_protocol_t; 1091} gnutls_protocol_t;
1078 1092
1093/* certificate_type */
1079typedef enum 1094typedef enum
1080{ 1095{
1081 MHD_GNUTLS_CRT_UNKNOWN = 0, 1096 MHD_GNUTLS_CRT_UNKNOWN = 0,
diff --git a/src/testcurl/https/tls_alert_test.c b/src/testcurl/https/tls_alert_test.c
index 67b489b7..4c8b482d 100644
--- a/src/testcurl/https/tls_alert_test.c
+++ b/src/testcurl/https/tls_alert_test.c
@@ -62,7 +62,7 @@ setup (gnutls_session_t * session,
62 gnutls_datum_t * cert, gnutls_certificate_credentials_t * xcred) 62 gnutls_datum_t * cert, gnutls_certificate_credentials_t * xcred)
63{ 63{
64 int ret; 64 int ret;
65 const char **err_pos; 65 const char ** err_pos;
66 66
67 gnutls_certificate_allocate_credentials (xcred); 67 gnutls_certificate_allocate_credentials (xcred);
68 68
diff --git a/src/testcurl/https/tls_authentication_test.c b/src/testcurl/https/tls_authentication_test.c
index a12ce93f..58d95cf1 100644
--- a/src/testcurl/https/tls_authentication_test.c
+++ b/src/testcurl/https/tls_authentication_test.c
@@ -39,10 +39,12 @@
39 39
40extern int curl_check_version (const char *req_version, ...); 40extern int curl_check_version (const char *req_version, ...);
41 41
42const int DEBUG_GNUTLS_LOG_LEVEL = 6;
42const char *ca_cert_file_name = "ca_cert_pem"; 43const char *ca_cert_file_name = "ca_cert_pem";
43const char *test_file_name = "https_test_file"; 44const char *test_file_name = "https_test_file";
44const char test_file_data[] = "Hello World\n"; 45const char test_file_data[] = "Hello World\n";
45 46
47
46struct CBC 48struct CBC
47{ 49{
48 char *buf; 50 char *buf;
@@ -173,8 +175,8 @@ test_daemon_get (FILE * test_fd, char *cipher_suite, int proto_version)
173#endif 175#endif
174 curl_easy_setopt (c, CURLOPT_URL, url); 176 curl_easy_setopt (c, CURLOPT_URL, url);
175 curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); 177 curl_easy_setopt (c, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
176 curl_easy_setopt (c, CURLOPT_TIMEOUT, 3L); 178 curl_easy_setopt (c, CURLOPT_TIMEOUT, 10L);
177 curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 3L); 179 curl_easy_setopt (c, CURLOPT_CONNECTTIMEOUT, 10L);
178 curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, &copyBuffer); 180 curl_easy_setopt (c, CURLOPT_WRITEFUNCTION, &copyBuffer);
179 curl_easy_setopt (c, CURLOPT_FILE, &cbc); 181 curl_easy_setopt (c, CURLOPT_FILE, &cbc);
180 182
@@ -224,14 +226,13 @@ test_secure_get (FILE * test_fd, char *cipher_suite, int proto_version)
224{ 226{
225 int ret; 227 int ret;
226 struct MHD_Daemon *d; 228 struct MHD_Daemon *d;
227 int kx[] = { MHD_GNUTLS_KX_DHE_RSA, 0 };
228 229
229 d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | 230 d = MHD_start_daemon(MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL |
230 MHD_USE_DEBUG, 42433, 231 MHD_USE_DEBUG, 42433,
231 NULL, NULL, &http_ahc, NULL, 232 NULL, NULL, &http_ahc, NULL,
232 MHD_OPTION_HTTPS_MEM_KEY, srv_signed_key_pem, 233 MHD_OPTION_HTTPS_MEM_KEY, srv_signed_key_pem,
233 MHD_OPTION_HTTPS_MEM_CERT, srv_signed_cert_pem, 234 MHD_OPTION_HTTPS_MEM_CERT, srv_signed_cert_pem,
234 MHD_OPTION_KX_PRIORITY, kx, MHD_OPTION_END); 235 MHD_OPTION_END);
235 236
236 if (d == NULL) 237 if (d == NULL)
237 { 238 {
@@ -308,7 +309,7 @@ main (int argc, char *const *argv)
308 FILE *test_fd; 309 FILE *test_fd;
309 unsigned int errorCount = 0; 310 unsigned int errorCount = 0;
310 311
311 /* gnutls_global_set_log_level (11); */ 312 gnutls_global_set_log_level (DEBUG_GNUTLS_LOG_LEVEL);
312 313
313 if (curl_check_version (MHD_REQ_CURL_VERSION)) 314 if (curl_check_version (MHD_REQ_CURL_VERSION))
314 { 315 {
@@ -330,7 +331,7 @@ main (int argc, char *const *argv)
330 } 331 }
331 332
332 errorCount += 333 errorCount +=
333 test_secure_get (test_fd, "AES256-SHA", CURL_SSLVERSION_SSLv3); 334 test_secure_get (test_fd, "AES256-SHA", CURL_SSLVERSION_TLSv1);
334 335
335 if (errorCount != 0) 336 if (errorCount != 0)
336 fprintf (stderr, "Failed test: %s.\n", argv[0]); 337 fprintf (stderr, "Failed test: %s.\n", argv[0]);
diff --git a/src/testcurl/https/tls_daemon_options_test.c b/src/testcurl/https/tls_daemon_options_test.c
index 95accebb..59205199 100644
--- a/src/testcurl/https/tls_daemon_options_test.c
+++ b/src/testcurl/https/tls_daemon_options_test.c
@@ -32,6 +32,7 @@
32#include "gnutls.h" 32#include "gnutls.h"
33#include <curl/curl.h> 33#include <curl/curl.h>
34 34
35#define DEBUG_CURL_VERBOSE 0
35#define PAGE_NOT_FOUND "<html><head><title>File not found</title></head><body>File not found</body></html>" 36#define PAGE_NOT_FOUND "<html><head><title>File not found</title></head><body>File not found</body></html>"
36 37
37#define MHD_E_MEM "Error: memory error\n" 38#define MHD_E_MEM "Error: memory error\n"
@@ -42,6 +43,7 @@
42 43
43#include "tls_test_keys.h" 44#include "tls_test_keys.h"
44 45
46const int DEBUG_GNUTLS_LOG_LEVEL = 0;
45const char *test_file_name = "https_test_file"; 47const char *test_file_name = "https_test_file";
46const char test_file_data[] = "Hello World\n"; 48const char test_file_data[] = "Hello World\n";
47 49
@@ -123,7 +125,7 @@ http_ahc (void *cls, struct MHD_Connection *connection,
123 * @param test_fd: file to attempt transfering 125 * @param test_fd: file to attempt transfering
124 */ 126 */
125static int 127static int
126test_https_transfer (FILE * test_fd, char * cipher_suite, int proto_version) 128test_https_transfer (FILE * test_fd, char *cipher_suite, int proto_version)
127{ 129{
128 CURL *c; 130 CURL *c;
129 CURLcode errornum; 131 CURLcode errornum;
@@ -172,7 +174,7 @@ test_https_transfer (FILE * test_fd, char * cipher_suite, int proto_version)
172 doc_path, test_file_name); 174 doc_path, test_file_name);
173 175
174 c = curl_easy_init (); 176 c = curl_easy_init ();
175#ifdef DEBUG 177#if DEBUG_CURL_VERBOSE
176 curl_easy_setopt (c, CURLOPT_VERBOSE, 1); 178 curl_easy_setopt (c, CURLOPT_VERBOSE, 1);
177#endif 179#endif
178 curl_easy_setopt (c, CURLOPT_URL, url); 180 curl_easy_setopt (c, CURLOPT_URL, url);
@@ -249,14 +251,11 @@ setupTestFile ()
249} 251}
250 252
251static int 253static int
252setup (struct MHD_Daemon **d, enum MHD_OPTION option, void * value ) 254setup (struct MHD_Daemon **d, va_list arg_list)
253{ 255{
254 *d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | 256 *d = MHD_start_daemon_va (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL |
255 MHD_USE_DEBUG, 42433, 257 MHD_USE_DEBUG, 42433, "127.0.0.1",
256 NULL, NULL, &http_ahc, NULL, 258 NULL, NULL, &http_ahc, NULL, arg_list);
257 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
258 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
259 option, value, MHD_OPTION_END);
260 259
261 if (*d == NULL) 260 if (*d == NULL)
262 { 261 {
@@ -273,19 +272,37 @@ teardown (struct MHD_Daemon *d)
273 MHD_stop_daemon (d); 272 MHD_stop_daemon (d);
274} 273}
275 274
275/* TODO test_wrap: change sig to (setup_func, test, va_list test_arg) & move to test_util.c */
276int 276int
277test_wrap (int 277test_wrap (char *test_name, int
278 (*test) (FILE * test_fd, char *cipher_suite, int proto_version), 278 (*test) (FILE * test_fd, char *cipher_suite, int proto_version),
279 FILE * test_fd, char *cipher_suite, int proto_version, 279 FILE * test_fd, char *cipher_suite, int proto_version, ...)
280 enum MHD_OPTION option, void * value)
281{ 280{
282 int ret; 281 int ret;
282 va_list arg_list;
283 struct MHD_Daemon *d; 283 struct MHD_Daemon *d;
284 284
285 if (setup (&d, option, value) != 0) 285 va_start (arg_list, proto_version);
286 return -1; 286 if (setup (&d, arg_list) != 0)
287 {
288 va_end (arg_list);
289 return -1;
290 }
291
292 fprintf (stdout, "running test: %s ", test_name);
287 ret = test (test_fd, cipher_suite, proto_version); 293 ret = test (test_fd, cipher_suite, proto_version);
294
295 if (ret == 0)
296 {
297 fprintf (stdout, "[pass]\n");
298 }
299 else
300 {
301 fprintf (stdout, "[fail]\n");
302 }
303
288 teardown (d); 304 teardown (d);
305 va_end (arg_list);
289 return ret; 306 return ret;
290} 307}
291 308
@@ -336,6 +353,9 @@ test_file_certificates (FILE * test_fd, char *cipher_suite, int proto_version)
336 return ret; 353 return ret;
337} 354}
338 355
356/*
357 * test server refuses to negotiate connections with unsupported protocol versions
358 */
339int 359int
340test_protocol_version (FILE * test_fd, char *cipher_suite, 360test_protocol_version (FILE * test_fd, char *cipher_suite,
341 int curl_proto_version) 361 int curl_proto_version)
@@ -344,7 +364,7 @@ test_protocol_version (FILE * test_fd, char *cipher_suite,
344 CURLcode errornum; 364 CURLcode errornum;
345 365
346 c = curl_easy_init (); 366 c = curl_easy_init ();
347#ifdef DEBUG 367#if DEBUG_CURL_VERBOSE
348 curl_easy_setopt (c, CURLOPT_VERBOSE, 1); 368 curl_easy_setopt (c, CURLOPT_VERBOSE, 1);
349#endif 369#endif
350 curl_easy_setopt (c, CURLOPT_URL, "https://localhost:42433/"); 370 curl_easy_setopt (c, CURLOPT_URL, "https://localhost:42433/");
@@ -384,7 +404,7 @@ main (int argc, char *const *argv)
384 FILE *test_fd; 404 FILE *test_fd;
385 unsigned int errorCount = 0; 405 unsigned int errorCount = 0;
386 406
387 gnutls_global_set_log_level(11); 407 gnutls_global_set_log_level (DEBUG_GNUTLS_LOG_LEVEL);
388 408
389 if (curl_check_version (MHD_REQ_CURL_VERSION)) 409 if (curl_check_version (MHD_REQ_CURL_VERSION))
390 { 410 {
@@ -403,54 +423,61 @@ main (int argc, char *const *argv)
403 return -1; 423 return -1;
404 } 424 }
405 425
406 int mac[] = {MHD_GNUTLS_MAC_SHA1, 0}; 426 int mac[] = { MHD_GNUTLS_MAC_SHA1, 0 };
407 int p [] = {MHD_GNUTLS_SSL3, 0}; 427 int p[] = { MHD_GNUTLS_SSL3, 0 };
408 int cipher[] = { MHD_GNUTLS_CIPHER_3DES_CBC, 0 }; 428 int cipher[] = { MHD_GNUTLS_CIPHER_3DES_CBC, 0 };
409 int kx[] = { MHD_GNUTLS_KX_DHE_RSA, 0 }; 429 int kx[] = { MHD_GNUTLS_KX_ANON_DH, 0 };
410
411
412// errorCount +=
413// test_wrap (&test_https_transfer, test_fd, "AES256-SHA",
414// CURL_SSLVERSION_TLSv1, MHD_OPTION_END, 0);
415// errorCount +=
416// test_wrap (&test_file_certificates, test_fd, "AES256-SHA",
417// CURL_SSLVERSION_TLSv1, MHD_OPTION_END, 0);
418//
419// errorCount +=
420// test_wrap (&test_protocol_version, test_fd, "AES256-SHA",
421// CURL_SSLVERSION_TLSv1, MHD_OPTION_PROTOCOL_VERSION, p);
422//
423// errorCount +=
424// test_wrap (&test_https_transfer, test_fd, "DES-CBC3-SHA",
425// CURL_SSLVERSION_TLSv1, MHD_OPTION_CIPHER_ALGORITHM, cipher);
426 430
427 errorCount += 431 errorCount +=
428 test_wrap (&test_https_transfer, test_fd, "AES256-SHA", 432 test_wrap ("https_transfer", &test_https_transfer, test_fd, "AES256-SHA",
429 CURL_SSLVERSION_TLSv1, MHD_OPTION_MAC_ALGO, mac); 433 CURL_SSLVERSION_TLSv1,
430 434 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
431 // errorCount += 435 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
432 // test_wrap (&test_https_transfer, test_fd, "EDH-RSA-DES-CBC3-SHA", 436 MHD_OPTION_END);
433 // CURL_SSLVERSION_TLSv1, MHD_OPTION_KX_PRIORITY, kx); 437 errorCount +=
438 test_wrap ("file certificates", &test_file_certificates, test_fd,
439 "AES256-SHA", CURL_SSLVERSION_TLSv1, MHD_OPTION_HTTPS_MEM_KEY,
440 srv_key_pem, MHD_OPTION_HTTPS_MEM_CERT,
441 srv_self_signed_cert_pem, MHD_OPTION_END);
442 errorCount +=
443 test_wrap ("protocol_version", &test_protocol_version, test_fd,
444 "AES256-SHA", CURL_SSLVERSION_TLSv1, MHD_OPTION_HTTPS_MEM_KEY,
445 srv_key_pem, MHD_OPTION_HTTPS_MEM_CERT,
446 srv_self_signed_cert_pem, MHD_OPTION_PROTOCOL_VERSION, p,
447 MHD_OPTION_END);
448 errorCount +=
449 test_wrap ("cipher DES-CBC3-SHA", &test_https_transfer, test_fd,
450 "DES-CBC3-SHA", CURL_SSLVERSION_TLSv1,
451 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
452 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
453 MHD_OPTION_CIPHER_ALGORITHM, cipher, MHD_OPTION_END);
454 errorCount +=
455 test_wrap ("mac SH1", &test_https_transfer, test_fd, "AES256-SHA",
456 CURL_SSLVERSION_TLSv1, MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
457 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
458 MHD_OPTION_MAC_ALGO, mac, MHD_OPTION_END);
459 errorCount +=
460 test_wrap ("kx ANON_DH", &test_https_transfer, test_fd,
461 "ADH-DES-CBC3-SHA", CURL_SSLVERSION_TLSv1,
462 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
463 MHD_OPTION_HTTPS_MEM_CERT, srv_self_signed_cert_pem,
464 MHD_OPTION_CRED_TYPE, MHD_GNUTLS_CRD_ANON,
465 MHD_OPTION_CIPHER_ALGORITHM, cipher, MHD_OPTION_KX_PRIORITY,
466 kx, MHD_OPTION_END);
434 467
435 /*gnutls_mac_algorithm_t mac[] = { 468 /*gnutls_mac_algorithm_t mac[] = {
436 {MHD_GNUTLS_MAC_MD5, 0}, 0}; 469 {MHD_GNUTLS_MAC_MD5, 0}, 0};
437 gnutls_mac_algorithm_t * cur_mac; 470 gnutls_mac_algorithm_t * cur_mac;
438
439 for ( cur_mac = &mac[0]; (*cur_mac) != 0; cur_mac++ ){
440 option[0] = MHD_GNUTLS_MAC_SHA1;
441 errorCount +=
442 test_wrap (&test_https_transfer, test_fd, "AES256-SHA",
443 CURL_SSLVERSION_TLSv1, MHD_OPTION_MAC_ALGO, option);
444 }*/
445
446 471
472 for ( cur_mac = &mac[0]; (*cur_mac) != 0; cur_mac++ ){
473 option[0] = MHD_GNUTLS_MAC_SHA1;
474 errorCount +=
475 test_wrap (&test_https_transfer, test_fd, "AES256-SHA",
476 CURL_SSLVERSION_TLSv1, MHD_OPTION_MAC_ALGO, option);
477 } */
447 478
448 if (errorCount != 0) 479 if (errorCount != 0)
449 fprintf (stderr, "Failed test: %s.\n", argv[0]); 480 fprintf (stderr, "Failed test: %s.\n", argv[0]);
450 else
451 {
452 fprintf (stderr, "ok\n");
453 }
454 481
455 curl_global_cleanup (); 482 curl_global_cleanup ();
456 fclose (test_fd); 483 fclose (test_fd);
diff --git a/src/testcurl/https/tls_session_time_out_test.c b/src/testcurl/https/tls_session_time_out_test.c
index 846bdd10..745c8d53 100644
--- a/src/testcurl/https/tls_session_time_out_test.c
+++ b/src/testcurl/https/tls_session_time_out_test.c
@@ -101,7 +101,6 @@ static int
101test_tls_session_time_out (gnutls_session_t session) 101test_tls_session_time_out (gnutls_session_t session)
102{ 102{
103 int sd, ret; 103 int sd, ret;
104 char *url = "https://localhost:42433/";
105 struct sockaddr_in sa; 104 struct sockaddr_in sa;
106 105
107 sd = socket (AF_INET, SOCK_STREAM, 0); 106 sd = socket (AF_INET, SOCK_STREAM, 0);
@@ -153,8 +152,8 @@ main (int argc, char *const *argv)
153 gnutls_global_init (); 152 gnutls_global_init ();
154 gnutls_global_set_log_level (11); 153 gnutls_global_set_log_level (11);
155 154
156 d = MHD_start_daemon (MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL | 155 d = MHD_start_daemon_ip(MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL |
157 MHD_USE_DEBUG, 42433, 156 MHD_USE_DEBUG, 42433, "127.0.0.1",
158 NULL, NULL, &http_ahc, NULL, 157 NULL, NULL, &http_ahc, NULL,
159 MHD_OPTION_CONNECTION_TIMEOUT, TIME_OUT, 158 MHD_OPTION_CONNECTION_TIMEOUT, TIME_OUT,
160 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem, 159 MHD_OPTION_HTTPS_MEM_KEY, srv_key_pem,
diff --git a/src/testcurl/https/tls_test_keys.h b/src/testcurl/https/tls_test_keys.h
index aca0639c..871f99b1 100644
--- a/src/testcurl/https/tls_test_keys.h
+++ b/src/testcurl/https/tls_test_keys.h
@@ -24,105 +24,106 @@
24 24
25/* Certificate Authority key */ 25/* Certificate Authority key */
26const char ca_key_pem[] = 26const char ca_key_pem[] =
27 "-----BEGIN RSA PRIVATE KEY-----\n" 27 "-----BEGIN RSA PRIVATE KEY-----\n"
28 "MIIEpAIBAAKCAQEA3vzPUd2yRjeHy9Yi22uX1vGnUPmB5zS+77/B9LubTqnNJ9eB\n" 28 "MIIEowIBAAKCAQEAthkEJMVt/l06gPJQCfdMKJdYXdQZGSBkOroWGZfs0oYBcSU3\n"
29 "jiMegQJsJWFQT/CW8FurYiSMXIuTBirZX7NO6/rlcqifdfKLotSUuXLu5DBvMLCv\n" 29 "JeszCWwDgzw5Ac4o2no9/P7FLVm6+zaIO9gexVi2p1fDhT1+6Lir7O6waS94vLdu\n"
30 "nQ73wCIdCJoVyJbRN0ExHsyGwCDCxaHuY8FlkIsfYo17SNmJNaMSUqdoAZoelmbq\n" 30 "jxdJPGfakZTktRAA3MBbC1XuMYPYXZ6nUrRkmHLeG6Oj+L0U3iVq0ZjLYjekCmqV\n"
31 "r9oVciRCQGgrmwEJdPj7EAofWSudV77y85j5rV/t51eNy5liS2qXnoFEmeqTuBo1\n" 31 "FXRaDmoLWkmxplKz6UyzUXmNlyU4EzLpek2NjTtEUxh0Te+wD4RivBhCPGr7PRlY\n"
32 "1cSmRbv5dkCHbx+youLyZG39KxB0MZ124Na3qbUY41BPNj1XBljyAoHyY0J1iDqS\n" 32 "JhjkTk1u75HP41yQC6MnnfY3IALWwuabBQsreR0W0h17lB3YHdHKjP5xJfEeJPtb\n"
33 "0Zo+njEW6vRbmSMkrA1kH45+alN50X11mSgfoQIDAQABAoIBAAmLu+4Ushpdi5Sd\n" 33 "625+lHQpH4nfzGcna/RFok6xRpjZu7mB3t7XGwIDAQABAoIBABhD2x5/RHn5uFsI\n"
34 "P1cidjDFXfDaao5I2LTroghpnNyfaiT+zbj1jctu7K1luuX+Lh7+ZKIGH6RhVP8g\n" 34 "bwv07SwXhsnyAmoru89rjphYe1FOVBDcsa2W2tUtlIY/VyVbcGw0j+APnvy9EUJ6\n"
35 "R9eYBeyWHDsWJwPqCQJkrHR7LCkEfgkRAkaUZsSgzTqCWqUAeFa/xaQcdDcOu/nR\n" 35 "cMrwsKEBgk1oT4CIwkmGmjpXUCCkF8Wl99CPfM3U1PZDTfqmqEbCRx+KktP8Sq+m\n"
36 "DKMUexYmz4ZU+VJxPhWHzGuxhxM85uJOPK3rCaYCJoo1vMpF7MeFFvVljhSdyht5\n" 36 "/YryyNjbracnNilmIMq9V6+YWbm7kJHRLVQWHqh/ljji+kCx5y9VII7HYz4217Er\n"
37 "KD0w6qP0Y+vDe4cD/4W3wq82qXCFPA5oImjSJveEIJumPIjOyLFF+9p9V6hzg8Em\n" 37 "I5HrnPJodmYrH5Tj8Hj9NY7Ok/IeqD186fPuYH/qf9zWcyg7aa0rTPt/E4XjeOjU\n"
38 "48cpXcV3SsbaqTr6mSQl6b15zVwWq4CCt4mkeu6vK9PGzdnBiUmWaSXfprDwHaB3\n" 38 "kxb68+Ybozm0EY1ypa1Yxf3B4hkyrlQ5lfzDSBKqvQkGA92yNDPYiZX71nDHDj9H\n"
39 "t1N0GRECgYEA5gP0gmZQDDJTlaGK9Z6pWiwpMBUoYcnqvCn8MQ5uPQn+KZir19AJ\n" 39 "wf8tWlECgYEAxN8bnMXzmGLbNJUQFuEFBCDFE/tAMhBWcN6eyupIwyXXNA8/xGnJ\n"
40 "PkVLfWT9Dcaf3+2d0kBBgGYFWL+wK8DgrqALiLJfM6gP3Ts7G6Bis4GFdWY9aUnT\n" 40 "rYO4U08YrgvQ6d71xLXAJnsypeJ3FsyIXDar21o5DwVj1ON0nW6xuXsfQWYGEsXm\n"
41 "6ZhRYdzetVArhTZBRKh8ERQNPy4TmzWDtjVUAfezUcvXqOjl9H5Q01ECgYEA+C2b\n" 41 "fDVf4LVO+P58uAnM3+lKXWMwsw7/ja9VECrOvfTlf7CwwIPfmRzxZEMCgYEA7Mn+\n"
42 "i05t/RYcU0eFVYK8Yfl3jZJiopMdYwXCSCO21Ag2i0fjKC89rCmLlliffSSuDtNk\n" 42 "PBO352EXzXbGTuLY9iFXo3GL4EXB2nbkXBdTxEbPl+ICjg/1MPtRN9l03y8l06/G\n"
43 "xFsaSjns8Vyl7sjMcAOfsGokiUIcFnK/LyVoc3ie2NCiLVzw6zKK8lJ4bhn4afnv\n" 43 "MpbxkpPnSXdjXQ1fgXfG9FuKS89BNUfoEfG/3015w49ZAcBYRmvCSGTspu/hshdQ\n"
44 "N9RKXP76emb8MaZroKlKkhMR8f2BvzXbv2NyU1ECgYEAtJeAXu1zhc/xnjaiQqxa\n" 44 "iom2AFy2aRXfvsoUlePRccs1/7RKclK7ahfdwEkCgYBXQOLGCt25rialGWO2ICjO\n"
45 "rMilYfIKrZR571hLgDyjQttYqVIMAbp9t11yorYqlKlRFuCaG9yFUQlIw2BlMkUS\n" 45 "+Y8fGf4Lsj39bE1IdammBAFrK08ByDkAVB6/nZC8orQG0zBt7HerFnMOHl7VlfTh\n"
46 "YyiXRbE+W/Fk2z7I7qzjMarMnNsz9jmX3vzPULW4ScTzFnj9j6l1F3eV2vgTPrYq\n" 46 "mcF1SHl9dNAYLG8kz0ipgi4KGCOc8mUCq81AlFrZ9EBmeMF6g7TXyvxsf7s3mnvC\n"
47 "fmGqXo0bRmp0HVMWUPrn/LECgYEA3qHTQkHGS16VZGPpiY8xPVbUV8z07NC6cQVO\n" 47 "3JYgjoegnjjYOhpBjBhYbQKBgQCpwJmBakVyG/obcyXx0dDmirqwUquLaZbyzj8i\n"
48 "hvZ64XTIsWN4tKjEU3glf2bbFCFef3BFmhv71pBmLRMmy7GYK/gkPdbKFdOXbM/d\n" 48 "AhssX/NdGErqm2gU6GauWjfd9IfyvVWiWPHwOhYaZfuW7wpj34GDFskLVhaSYu1t\n"
49 "EAcnz0ZqgSeQBM+2U9dQbBdtb5+eiDsszNGFMC2QN1PBcyzOqh6UBbxTwdjfls9S\n" 49 "R9lc9cbwOqj9h24Bdik/CxNZDinIKcy0tMsEcXLX3TWdKnQdjMhPAvbATPj+Am+X\n"
50 "5Trp6TECgYAzCZmmJuBW6WDK5ttOF/do6r0aurHr2mOr8oYxmBkhI3wphyUMNuaH\n" 50 "PGrd+QKBgF5U2i0d2Mgw/JmlVCY79uD9eERivF5HLOYv3XUr9N1/bgIqKSQnrKJC\n"
51 "rUk+R8LAmC1U4MbvvqoZH27xe+xd25mn6whitgZBH3DIetN7myDJep8wEG6aW4R5\n" 51 "pXC+ZHP9yTmcznwFkbMbJ9cTwMVU1n+hguvyjIJHmmeGrpBuaiT4HwPgV6IZY3N2\n"
52 "S82zk+LQJ7LTa1nPVPMS10qUXSH9cjShhszfeRIQM+lWbPoaEuo3yQ==\n" 52 "a05cOyYYE3I7h9fQs1MfZRK44rRiXycwb+HA4lwuFWTI7h5qdc/U\n"
53 "-----END RSA PRIVATE KEY-----\n"; 53 "-----END RSA PRIVATE KEY-----\n";
54 54
55/* Certificate Authority cert */ 55/* Certificate Authority cert */
56const char ca_cert_pem[] = 56const char ca_cert_pem[] =
57 "-----BEGIN CERTIFICATE-----\n" 57 "-----BEGIN CERTIFICATE-----\n"
58 "MIIC6DCCAdKgAwIBAgIESHv2uDALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n" 58 "MIIC6DCCAdKgAwIBAgIESJ2sXDALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n"
59 "dF9jYV9jZXJ0MB4XDTA4MDcxNTAxMDA0MFoXDTA5MDcxNTAxMDA0MFowFzEVMBMG\n" 59 "dF9jYV9jZXJ0MB4XDTA4MDgwOTE0NDAyOFoXDTA5MDgwOTE0NDAyOFowFzEVMBMG\n"
60 "A1UEAxMMdGVzdF9jYV9jZXJ0MIIBHzALBgkqhkiG9w0BAQEDggEOADCCAQkCggEA\n" 60 "A1UEAxMMdGVzdF9jYV9jZXJ0MIIBHzALBgkqhkiG9w0BAQEDggEOADCCAQkCggEA\n"
61 "3vzPUd2yRjeHy9Yi22uX1vGnUPmB5zS+77/B9LubTqnNJ9eBjiMegQJsJWFQT/CW\n" 61 "thkEJMVt/l06gPJQCfdMKJdYXdQZGSBkOroWGZfs0oYBcSU3JeszCWwDgzw5Ac4o\n"
62 "8FurYiSMXIuTBirZX7NO6/rlcqifdfKLotSUuXLu5DBvMLCvnQ73wCIdCJoVyJbR\n" 62 "2no9/P7FLVm6+zaIO9gexVi2p1fDhT1+6Lir7O6waS94vLdujxdJPGfakZTktRAA\n"
63 "N0ExHsyGwCDCxaHuY8FlkIsfYo17SNmJNaMSUqdoAZoelmbqr9oVciRCQGgrmwEJ\n" 63 "3MBbC1XuMYPYXZ6nUrRkmHLeG6Oj+L0U3iVq0ZjLYjekCmqVFXRaDmoLWkmxplKz\n"
64 "dPj7EAofWSudV77y85j5rV/t51eNy5liS2qXnoFEmeqTuBo11cSmRbv5dkCHbx+y\n" 64 "6UyzUXmNlyU4EzLpek2NjTtEUxh0Te+wD4RivBhCPGr7PRlYJhjkTk1u75HP41yQ\n"
65 "ouLyZG39KxB0MZ124Na3qbUY41BPNj1XBljyAoHyY0J1iDqS0Zo+njEW6vRbmSMk\n" 65 "C6MnnfY3IALWwuabBQsreR0W0h17lB3YHdHKjP5xJfEeJPtb625+lHQpH4nfzGcn\n"
66 "rA1kH45+alN50X11mSgfoQIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud\n" 66 "a/RFok6xRpjZu7mB3t7XGwIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud\n"
67 "DwEB/wQFAwMHBAAwHQYDVR0OBBYEFB3x03+3Qa2SDwRF6RkNcjg9zRHJMAsGCSqG\n" 67 "DwEB/wQFAwMHBAAwHQYDVR0OBBYEFGTWojUUrKbS/Uid9S3hPxmgKeaxMAsGCSqG\n"
68 "SIb3DQEBBQOCAQEAjPoKMve8aqtL8fFXfSkYwLJUwuTG4E4mX804O5dsdvOEWR2/\n" 68 "SIb3DQEBBQOCAQEAWP1f/sfNsvA/oz7OJSBCsQxAnjrKMIXgbVnop+4bEWPxk4e9\n"
69 "UQm5IDiAZ3fnHE8zh0C1Kg+dWnCv0i1Q5CYZJ5sSY3tKikG5UBPVJGV1tT0vDfmJ\n" 69 "TETSk5MMXt2BfaCtaLZw19Zbqlh4ZFuVw+QC1GTa0xlagHiRgXU2DOvPT5+y+XUR\n"
70 "X7b52y35eN8qe5DsdyDAcF2GNRBU8opkLkyXb8U095AQiCHzTPpiesZd5phJlMPm\n" 70 "TSy0Pqou7spgEkLcFxlXYlx3tpDu+Awmx9DBGHMCysVynnEzeBYW4woCfBG2UiVA\n"
71 "AJaB4VtHAykDMeKd7HJAeelRi/1dP8xsYNc1z67cSrkt2f+B0WAyuAUBBr1NdYmS\n" 71 "iHVz6jBc4bBkylKVkA42GiroExuPc+W9qtHGuVX045R7gz78KK0CMIObdySbogBe\n"
72 "duegptXCh8OeGEL/v6mbIWoszDbOjk/0zwsgW8BD/eXaZgPPEUtmHizYPIRPdeW1\n" 72 "gYZUbyVvPVHINEc929PoV12dHP7wrKnqPbiwb+h1SHui8bVinE+1JY3mRB1VGVTa\n"
73 "MSCwccjl/XjDkIoN8kKss4Ftt+Wyajjjxeh6YA==\n" "-----END CERTIFICATE-----\n"; 73 "rgvlVGs2S+Zq48XMs4aeLgHkGWFAIXbpX34HSw==\n"
74 "-----END CERTIFICATE-----\n";
74 75
75/* test server CA signed certificates */ 76/* test server CA signed certificates */
76const char srv_signed_cert_pem[] = 77const char srv_signed_cert_pem[] =
77 "-----BEGIN CERTIFICATE-----\n" 78 "-----BEGIN CERTIFICATE-----\n"
78 "MIIDHzCCAgmgAwIBAgIESHv6kTALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n" 79 "MIIDBDCCAe6gAwIBAgIESJ2sXzALBgkqhkiG9w0BAQUwFzEVMBMGA1UEAxMMdGVz\n"
79 "dF9jYV9jZXJ0MB4XDTA4MDcxNTAxMTcwNVoXDTA5MDcxNTAxMTcwNVowGzEZMBcG\n" 80 "dF9jYV9jZXJ0MB4XDTA4MDgwOTE0NDAzMloXDTA5MDgwOTE0NDAzNVowADCCAR8w\n"
80 "A1UEAxMQdGVzdF9zZXJ2ZXJfY2VydDCCAR8wCwYJKoZIhvcNAQEBA4IBDgAwggEJ\n" 81 "CwYJKoZIhvcNAQEBA4IBDgAwggEJAoIBAOb6G6WJrrNC48NSh5i4eT7J1BCqlMB4\n"
81 "AoIBAJIY2+Wn+TRHIJ92tpNvCIE6FOsGclRxOFJwK0T6k3SK68LwQ9PkQTTB/DJu\n" 82 "e0No+td/PQf+sPywbQToYGiPfOFfMyge1G6SyRpXavKbPwuw1BN183WoYzID5mtz\n"
82 "+hU2u6w6lt1+Q8PHTDMLtnkEeXnxPn1uQZnnMEBcHAGY1U99iJh0At68AyoG7nkb\n" 83 "shAOl/JRhdusScFijS3pITiNK4G5NLToCP4KZhqguqHUzEdanifSb/D4x54Rq/Tc\n"
83 "AzgzxxjMom+dEhGEFHOg9JKmJp138RzIWcMN2l4pKIryiBUh5AWt/7uqtA+9fQMq\n" 84 "A7oHGp0wjdWC/AMtGWv6v55xMe00ALZ1zDxCOi8nri9W7mLy+hyduETCq+1Y7uHl\n"
84 "nOeO8OU5FM3eKevl3VSZ6usptbePbUDNs5uEmG+PTR0bc2rYgGeC4+wExWcJ+CAq\n" 85 "mqbAk8D7ruu0JtNU2N8WuJJcAtxgZhCCfIHTgAUWqepeRBM8cy8uu0tywgxcJiyt\n"
85 "voNVPno//MoMeJjWgXqF4wTBFdfsewngkflwRDPuZuLsxVrKnIx6jsBKIMuhVuxT\n" 86 "Uu1wXQHnnpWrr/9r6IfhjFpc9pr5giHBeM4KdlU49UsYgaS1tAZsDJcCAwEAAaN2\n"
86 "66vnEmuR34TUIzLlVPcJ5wmby2UCAwEAAaN2MHQwDAYDVR0TAQH/BAIwADATBgNV\n" 87 "MHQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8E\n"
87 "HSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDByAAMB0GA1UdDgQWBBSHX75y\n" 88 "BQMDB6AAMB0GA1UdDgQWBBSxP229okDqlKyMCyg0cnzbf+eb4DAfBgNVHSMEGDAW\n"
88 "gpEjstognUu4If50qWXQaDAfBgNVHSMEGDAWgBQd8dN/t0Gtkg8ERekZDXI4Pc0R\n" 89 "gBRk1qI1FKym0v1InfUt4T8ZoCnmsTALBgkqhkiG9w0BAQUDggEBAEabY4FLsFQr\n"
89 "yTALBgkqhkiG9w0BAQUDggEBAF56YMCdp0C88ZF9yaXJZ4PMuTpW83Mhg5Ar0a9H\n" 90 "PACNe3p5tU3hWvvQ9S1pRlfnc/z1o+k9NDWTHlNjXfVTl6/6cIKHA+r8SvRks27+\n"
90 "DasF58p8eeRLhsTJPi+NpFSMTujEabGS3+8l6Iu5F5stFgvbvnjLHdYu2Pjakos8\n" 91 "lScfxFkiCi22YC7uPbn8fW1nWcsqEkK4e0TDekSUi1o6SDx6cU07kMpx3iKvpLs3\n"
91 "NjZCCkuEmIO4PLd6h5ToOZf3ZXNHmFjRTtKHQKNrYizlHlgnEDcUbU4gB5KOg3jU\n" 92 "5QiCFjivMjrY8pEFJIke/ucI8QuLVZLLUSdTHb9Ck128PtPKA4y2uZA/MmYS/OtR\n"
92 "rv/Mtar+5LRK7KvByswp26nRH1ijGV23sy9StK7tV/cJPe/UkxyUfSQwUmQzzWe6\n" 93 "/UZN67pJ+BqcQBE5vNolWQTM+NxfMzb48IV9q32HRT4HErvUjLIWV0nwwedUSdDG\n"
93 "QGAQtppUjGabWXjuLuOUyiG5LReYC5ri7XZuVekCAfUHbOdPYTHPczvpKBnUyKIv\n" 94 "63tr9jp0GF6b5Eum0MTVV/zbBxfyRFg+Q8xRn70zJlB/W7byaFq/95Rpfqjdnta2\n"
94 "BRKOarmNfNc3w5G7Ast3jNOE2JfiJ8+x9+rMWI01PlWVYvQ=\n" 95 "aO/omlvGHrI=\n"
95 "-----END CERTIFICATE-----\n"; 96 "-----END CERTIFICATE-----\n";
96 97
97/* test server key */ 98/* test server key */
98const char srv_signed_key_pem[] = 99const char srv_signed_key_pem[] =
99 "-----BEGIN RSA PRIVATE KEY-----\n" 100 "-----BEGIN RSA PRIVATE KEY-----\n"
100 "MIIEpAIBAAKCAQEAkhjb5af5NEcgn3a2k28IgToU6wZyVHE4UnArRPqTdIrrwvBD\n" 101 "MIIEowIBAAKCAQEA5vobpYmus0Ljw1KHmLh5PsnUEKqUwHh7Q2j61389B/6w/LBt\n"
101 "0+RBNMH8Mm76FTa7rDqW3X5Dw8dMMwu2eQR5efE+fW5BmecwQFwcAZjVT32ImHQC\n" 102 "BOhgaI984V8zKB7UbpLJGldq8ps/C7DUE3XzdahjMgPma3OyEA6X8lGF26xJwWKN\n"
102 "3rwDKgbueRsDODPHGMyib50SEYQUc6D0kqYmnXfxHMhZww3aXikoivKIFSHkBa3/\n" 103 "LekhOI0rgbk0tOgI/gpmGqC6odTMR1qeJ9Jv8PjHnhGr9NwDugcanTCN1YL8Ay0Z\n"
103 "u6q0D719Ayqc547w5TkUzd4p6+XdVJnq6ym1t49tQM2zm4SYb49NHRtzatiAZ4Lj\n" 104 "a/q/nnEx7TQAtnXMPEI6LyeuL1buYvL6HJ24RMKr7Vju4eWapsCTwPuu67Qm01TY\n"
104 "7ATFZwn4ICq+g1U+ej/8ygx4mNaBeoXjBMEV1+x7CeCR+XBEM+5m4uzFWsqcjHqO\n" 105 "3xa4klwC3GBmEIJ8gdOABRap6l5EEzxzLy67S3LCDFwmLK1S7XBdAeeelauv/2vo\n"
105 "wEogy6FW7FPrq+cSa5HfhNQjMuVU9wnnCZvLZQIDAQABAoIBABISPh0FrocfZzMi\n" 106 "h+GMWlz2mvmCIcF4zgp2VTj1SxiBpLW0BmwMlwIDAQABAoIBACJGvGKQ74V3qDAc\n"
106 "YYoSGWi2sQCzTvAQAyn7UvbY0eWAC5KU2qb6nHA0sIfif0+hcgxnQOML68DrRYso\n" 107 "p7WwroF0Vw2QGtoDJxumUQ84uRheIeqlzc/cIi5yGLCjPYa3KIQuMTzA+0R8aFs2\n"
107 "3zzP52DEjPjB6x5o4OiNHC+8YmJPQlatPu+jLPcFXXkgdMD+cpmoMk2BDcuZ3VfC\n" 108 "RwqKRvJPZkUOUhvhA+whFkhl86zZQOq7UsMc5Qqs3Gd4UguEoYz9gxBxiLCqURRH\n"
108 "KI59O9iNjgcD50p/y6uLBsdNIbUPSMe8ONWT7f5DN/DqEL+3tVZaRAOL+C8iKYf4\n" 109 "rM+xCV6jtI/PBIsmOUFae4cXJP0pljUXyYmwwb/WrsvnJXf9Gz8/VLZGBMchMH7R\n"
109 "EPI5z6gOyL0aEpulbMKc0YoZZ2kDmu5IyMLgkF3DJV440Y/6IGan88ZSjk6i/d7f\n" 110 "MwD7xdwc/ht2XfZ0TuDntpJDtj0JrW9i/Cxt8PnNhQjgLsAe+oUUZt7Bo+vXBxhu\n"
110 "ciKVtzIIbr5ubbuGe3htphTpRP0aA5WuVTzHrKk83/u3hG1RFv1q/cRD28tVUIII\n" 111 "JPKj6BHcj768l+gDn5zzaXKq0eF7mMXc7fgAp0u8lJkC0LxLq/WmIfqw4Z4mEjkX\n"
111 "0pcwLmECgYEAwMdaR5Y2NqBk/fOvU/oCDAQ6w8jmIa4zMxskvq9Pr753jhT13j+T\n" 112 "DremIoUCgYEA53vX9Hd8V85hCfeaTDf3B5q6g9kIliR+Y2tX2aSqN06df9J/KOdL\n"
112 "eQ1A590PF4PPvGFTqJ2vl3kj6JT5dzu7mGKoJLFsnttpw+0NYUgp0waPPZx010pp\n" 113 "G/lEQn4rsOOtOwyTU2luPmcr0XgbXA1T1kj56+UZrxtRducsdsVbVixzD2KswtJO\n"
113 "QGeyQ/cPsZEZkCehh9c5CsfO1YpjKLV/wdpBQ2xAnkV5dfFmzlzLOTECgYEAwgJf\n" 114 "wUH6XAJNdpI++64TuZadnKAaKiqim7CPzQYrBXYKKRFGSDd50urkTRMCgYEA/3CG\n"
114 "gxlR9Jgv7Qg/6Prs+SarqT4xDsJKKbD7wH2jveGFXVnkYTPVstwLCAus4LaLFKZ9\n" 115 "NMaG3qtzQceQUw7BBAhey387MR+1FUQHQ7xoq2jc3yAx4H2NEyGa6wL5CtFKn5In\n"
115 "1POQDUgO24E1GzuL7mqSuvymdl5gZICfpkHstOAfpqep96pUv4aI9BY/g5l4Lvep\n" 116 "BP6f30sk2ilXRv5pbIIiS8Xzngxy3m17GH33YrSc3ff/u+LWgR/EOVpa9F+sMAjp\n"
116 "9c52tgQGwz0qgBUJBi6AvzxqRkBsxrXjX2m7KHUCgYEAtjx94ohkTXWIouy2xFrl\n" 117 "ohDgI8iH8GtahrRA0BxQKfNIo2zUTqNwFP88xu0CgYADOY1zoWqBCqX9bo6euzTc\n"
117 "jnh9GNGUgyhK7Dfvn3bYjJkwKZc06dkNzvQxdD5r4t3PBhS3YgFWmYmB4X7a6NUF\n" 118 "zUIF7jMZbF66Yddyd8HLTXQSQMt2tWotdJaH2pwfNbzHEtDGm7RmeCd7HpI7ARCG\n"
118 "vMMekjlLJkziib1Q1bLDHuLni+WYKmEEaEbepRMrub8h/D0KnQBewwspQoJkxHn3\n" 119 "7rNUnvdxog7LekL7UJqKI8pij3xapnVkadfkCkAsA7OO7AjoT/nYIb7bkYZ8ZsRK\n"
119 "AMkSwurVlwi0DkOa3N+pmTECgYBXyCUZN1qqtjVxJXttWiPg88tWD2q5B9XwmUC/\n" 120 "FejphZB0rAHvpZ4z2wPdMwKBgQCfkr70RzVH81lcNXwutt/TUhtOCxyCMqmgMFBN\n"
120 "rtlor+LdAzBffsmhXQiswkOdhVrWpCJpOS8jo0f9r6+su7ury5LKgkh7ZGZu8vfJ\n" 121 "e2zz791TMjyWXjh8RBkQSVok7NwuVVI055AeIUZTV1IjkplvZNhh97aZ/HLiCwjE\n"
121 "jSiiCoqnqFMyWWJxKllLP8nLLKSBc9P2AU4bOyUoL8PMIjhsEJx2asqXMM1G98OC\n" 122 "IyUhL21zqRLEYA/auGqP3adGVGIv29GAIgSztfleMuJplj+LArT9j/LHzRvQSH+j\n"
122 "R1/EhQKBgQCmSkabsj8u5iEScicyJU87/sVkRIRE0GhjU8uuvcTe+dRiHuj2CENx\n" 123 "TlO8fQKBgE5og4pTfPrD0A7W/Li1HDGf8Ylb+DZlxoyMriW82Z/zCBvYvn1UvQRi\n"
123 "hh967E0nUCiJzx3is0/nYByDles9W4BLEA8JSuM5r6E7UifHR4XwIi2tQcNhCWIu\n" 124 "b8f3IQFXuXdf3Bx4C91kQJPovxDp14FOHJxO7F32fGMnJaU2kyp4sf4WAJZZOLnd\n"
124 "vGbfvxwqcm7Uj3XHb1GbYK5nnaRNailoJ7iyqHWxB1Q3iFIiMipcfg==\n" 125 "l64hMUsgYPI8qfsanAudD4gTAsLEP+ueWqkcb3SJNLSoQAtcGzYs\n"
125 "-----END RSA PRIVATE KEY-----\n"; 126 "-----END RSA PRIVATE KEY-----\n";
126 127
127/* test server self signed certificates */ 128/* test server self signed certificates */
128const char srv_self_signed_cert_pem[] = 129const char srv_self_signed_cert_pem[] =
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-17 05:42:56 +0000