[Pkg-wmaker-commits] [wmbiff] 34/84: basic gnutls 0.4.3 support (that is, it compiles.)
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Thu Aug 20 03:01:52 UTC 2015
This is an automated email from the git hooks/post-receive script.
dtorrance-guest pushed a commit to tag wmbiff_0_4_10
in repository wmbiff.
commit 7f1bb4562b120e6361b22db8fe6ac6b063d7ed3c
Author: bluehal <bluehal>
Date: Mon Jun 24 01:18:36 2002 +0000
basic gnutls 0.4.3 support (that is, it compiles.)
---
wmbiff/gnutls-common.c | 256 +++++++++++++++++++++++++++++++++++++++++++++++++
wmbiff/gnutls-common.h | 6 ++
wmbiff/tlsComm.c | 115 ++++------------------
3 files changed, 279 insertions(+), 98 deletions(-)
diff --git a/wmbiff/gnutls-common.c b/wmbiff/gnutls-common.c
new file mode 100644
index 0000000..d37287c
--- /dev/null
+++ b/wmbiff/gnutls-common.c
@@ -0,0 +1,256 @@
+/* taken from gnutls 0.4.3's distribution, tiny edit
+ for including the system gnutls. */
+#define EXTRA_BROKEN
+#include <stdio.h>
+#include <gnutls.h>
+#ifndef EXTRA_BROKEN
+#include <gnutls-extra.h>
+#endif
+#include <time.h>
+
+#define PRINTX(x,y) if (y[0]!=0) printf(" # %s %s\n", x, y)
+#define PRINT_DN(X) PRINTX( "CN:", X.common_name); \
+ PRINTX( "OU:", X.organizational_unit_name); \
+ PRINTX( "O:", X.organization); \
+ PRINTX( "L:", X.locality_name); \
+ PRINTX( "S:", X.state_or_province_name); \
+ PRINTX( "C:", X.country); \
+ PRINTX( "E:", X.email)
+#define PRINT_PGP_NAME(X) PRINTX( "NAME:", X.name); \
+ PRINTX( "EMAIL:", X.email)
+
+static const char* my_ctime( time_t* tv) {
+static char buf[256];
+struct tm* tp;
+
+tp = localtime(tv);
+strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y\n", tp);
+
+return buf;
+
+}
+
+void print_x509_info(GNUTLS_STATE state)
+{
+
+ gnutls_x509_dn dn;
+ const gnutls_datum *cert_list;
+ int cert_list_size = 0;
+ char digest[20];
+ char serial[40];
+ size_t digest_size = sizeof(digest);
+ int i;
+ int serial_size = sizeof(serial);
+ char printable[120];
+ char *print;
+ int bits, algo;
+ time_t expiret = gnutls_certificate_expiration_time_peers(state);
+ time_t activet = gnutls_certificate_activation_time_peers(state);
+
+ cert_list = gnutls_certificate_get_peers(state, &cert_list_size);
+
+ if (cert_list_size <= 0)
+ return;
+
+
+ printf(" - Certificate info:\n");
+
+ printf(" # Certificate is valid since: %s", my_ctime( &activet));
+ printf(" # Certificate expires: %s", my_ctime( &expiret));
+
+ /* Print the fingerprint of the certificate
+ */
+ if (gnutls_x509_fingerprint
+ (GNUTLS_DIG_MD5, &cert_list[0], digest, &digest_size) >= 0) {
+ print = printable;
+ for (i = 0; i < digest_size; i++) {
+ sprintf(print, "%.2x ", (unsigned char) digest[i]);
+ print += 3;
+ }
+ printf(" # Certificate fingerprint: %s\n", printable);
+ }
+
+ /* Print the serial number of the certificate.
+ */
+
+ if (gnutls_x509_extract_certificate_serial
+ (&cert_list[0], serial, &serial_size) >= 0) {
+ print = printable;
+ for (i = 0; i < serial_size; i++) {
+ sprintf(print, "%.2x ", (unsigned char) serial[i]);
+ print += 3;
+ }
+ printf(" # Certificate serial number: %s\n", printable);
+ }
+
+ /* Print the version of the X.509
+ * certificate.
+ */
+ printf(" # Certificate version: #%d\n",
+ gnutls_x509_extract_certificate_version(&cert_list[0]));
+
+ algo = gnutls_x509_extract_certificate_pk_algorithm( &cert_list[0], &bits);
+ printf(" # Certificate public key algorithm: ");
+
+ if (algo==GNUTLS_PK_RSA) {
+ printf("RSA\n");
+ printf(" # Modulus: %d bits\n", bits);
+ } else if (algo==GNUTLS_PK_DSA) {
+ printf("DSA\n");
+ printf(" # Exponent: %d bits\n", bits);
+ } else {
+ printf("UNKNOWN\n");
+ }
+
+ gnutls_x509_extract_certificate_dn(&cert_list[0], &dn);
+ PRINT_DN(dn);
+
+ gnutls_x509_extract_certificate_issuer_dn(&cert_list[0], &dn);
+ printf(" # Certificate Issuer's info:\n");
+ PRINT_DN(dn);
+
+}
+
+
+void print_cert_vrfy(GNUTLS_STATE state)
+{
+
+ int status;
+ status = gnutls_certificate_verify_peers(state);
+ printf("\n");
+
+ if (status == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+ printf("- Peer did not send any certificate.\n");
+ return;
+ }
+ if (status < 0) {
+ printf("- Could not verify certificate (err %d)\n", status);
+ return;
+ }
+
+ if (status & GNUTLS_CERT_INVALID)
+ printf("- Peer's certificate is invalid\n");
+ if (status & GNUTLS_CERT_NOT_TRUSTED)
+ printf("- Peer's certificate is NOT trusted\n");
+ else
+ printf("- Peer's certificate is trusted\n");
+ if (status & GNUTLS_CERT_CORRUPTED)
+ printf("- Peer's certificate is corrupted\n");
+
+}
+
+int print_info(GNUTLS_STATE state)
+{
+ const char *tmp;
+ GNUTLS_CredType cred;
+ GNUTLS_KXAlgorithm kx;
+
+
+ /* print the key exchange's algorithm name
+ */
+ kx = gnutls_kx_get(state);
+
+ cred = gnutls_auth_get_type(state);
+ switch (cred) {
+ case GNUTLS_CRD_ANON:
+ printf("- Anonymous DH using prime of %d bits, secret key "
+ "of %d bits, and peer's public key is %d bits.\n",
+ gnutls_dh_get_prime_bits(state), gnutls_dh_get_secret_bits(state),
+ gnutls_dh_get_peers_public_bits(state));
+ break;
+ case GNUTLS_CRD_SRP:
+#ifndef EXTRA_BROKEN
+ /* This should be only called in server
+ * side.
+ */
+ if (gnutls_srp_server_get_username(state) != NULL)
+ printf("- SRP authentication. Connected as '%s'\n",
+ gnutls_srp_server_get_username(state));
+#endif
+ break;
+ case GNUTLS_CRD_CERTIFICATE:
+ switch (gnutls_cert_type_get(state)) {
+ case GNUTLS_CRT_X509:
+ printf
+ ("- Peer requested X.509 certificate authentication.\n");
+
+ print_x509_info(state);
+
+ break;
+ case GNUTLS_CRT_OPENPGP:{
+ printf
+ ("- Peer requested OpenPGP certificate authentication.\n");
+
+ /* print_openpgp_info(state); */
+
+ break;
+ }
+ }
+
+ print_cert_vrfy(state);
+
+ /* Check if we have been using ephemeral Diffie Hellman.
+ */
+ if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {
+ printf("- Ephemeral DH using prime of %d bits, secret key "
+ "of %d bits, and peer's public key is %d bits.\n",
+ gnutls_dh_get_prime_bits(state), gnutls_dh_get_secret_bits(state),
+ gnutls_dh_get_peers_public_bits(state));
+ }
+ }
+
+ tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state));
+ printf("- Version: %s\n", tmp);
+
+ tmp = gnutls_kx_get_name(kx);
+ printf("- Key Exchange: %s\n", tmp);
+
+ tmp = gnutls_cipher_get_name(gnutls_cipher_get(state));
+ printf("- Cipher: %s\n", tmp);
+
+ tmp = gnutls_mac_get_name(gnutls_mac_get(state));
+ printf("- MAC: %s\n", tmp);
+
+ tmp = gnutls_compression_get_name(gnutls_compression_get(state));
+ printf("- Compression: %s\n", tmp);
+
+ return 0;
+}
+
+void print_list(void)
+{
+ /* FIXME: This is hard coded. Make it print all the supported
+ * algorithms.
+ */
+ printf("\n");
+ printf("Certificate types:");
+ printf(" X.509");
+ printf(", OPENPGP\n");
+
+ printf("Protocols:");
+ printf(" TLS1.0");
+ printf(", SSL3.0\n");
+
+ printf("Ciphers:");
+ printf(" RIJNDAEL_128_CBC");
+ printf(", TWOFISH_128_CBC");
+ printf(", 3DES_CBC");
+ printf(", ARCFOUR\n");
+
+ printf("MACs:");
+ printf(" MD5");
+ printf(", SHA-1\n");
+
+ printf("Key exchange algorithms:");
+ printf(" RSA");
+ printf(", DHE_DSS");
+ printf(", DHE_RSA");
+ printf(", SRP");
+ printf(", ANON_DH\n");
+
+ printf("Compression methods:");
+ printf(" ZLIB");
+ printf(", NULL\n");
+
+ return;
+}
diff --git a/wmbiff/gnutls-common.h b/wmbiff/gnutls-common.h
new file mode 100644
index 0000000..8541ecb
--- /dev/null
+++ b/wmbiff/gnutls-common.h
@@ -0,0 +1,6 @@
+/* taken from gnutls 0.4.3's distribution, tiny edit
+ for including the system gnutls. */
+#include <gnutls.h>
+
+int print_info( GNUTLS_STATE state);
+int print_list(void);
diff --git a/wmbiff/tlsComm.c b/wmbiff/tlsComm.c
index d902a53..f55ab53 100644
--- a/wmbiff/tlsComm.c
+++ b/wmbiff/tlsComm.c
@@ -50,7 +50,7 @@ struct connection_state {
char *name;
#ifdef HAVE_GNUTLS_H
GNUTLS_STATE state;
- X509PKI_CLIENT_CREDENTIALS xcred;
+ GNUTLS_CERTIFICATE_CLIENT_CREDENTIALS xcred;
#else
/*@null@ */ void *state;
/*@null@ */ void *xcred;
@@ -73,7 +73,7 @@ void tlscomm_close(struct connection_state *scs)
if (scs->state) {
#ifdef HAVE_GNUTLS_H
gnutls_bye(scs->state, GNUTLS_SHUT_RDWR);
- gnutls_x509pki_free_sc(scs->xcred);
+ gnutls_certificate_free_sc(scs->xcred);
gnutls_deinit(scs->state);
scs->xcred = NULL;
#endif
@@ -260,103 +260,17 @@ void tlscomm_printf(struct connection_state *scs, const char *format, ...)
/* most of this file only makes sense if using TLS. */
#ifdef HAVE_GNUTLS_H
-
-/* taken from the GNUTLS documentation, version 0.3.0 and
- 0.2.10; this may need to be updated from gnutls's cli.c
- (now common.h) if the gnutls interface changes, but that
- is only necessary if you want debug_comm. */
-#define PRINTX(x,y) if (y[0]!=0) printf(" - %s %s\n", x, y)
-#define PRINT_DN(X) PRINTX( "CN:", X.common_name); \
- PRINTX( "OU:", X.organizational_unit_name); \
- PRINTX( "O:", X.organization); \
- PRINTX( "L:", X.locality_name); \
- PRINTX( "S:", X.state_or_province_name); \
- PRINTX( "C:", X.country); \
- PRINTX( "E:", X.email)
-static int print_info(GNUTLS_STATE state)
-{
- const char *tmp;
- CredType cred;
- gnutls_DN dn;
- const gnutls_datum *cert_list;
- CertificateStatus status;
- int cert_list_size = 0;
-
- tmp = gnutls_kx_get_name(gnutls_kx_get_algo(state));
- printf("- Key Exchange: %s\n", tmp);
-
- cred = gnutls_auth_get_type(state);
- switch (cred) {
- case GNUTLS_ANON:
- printf("- Anonymous DH using prime of %d bits\n",
- gnutls_anon_client_get_dh_bits(state));
- break;
- case GNUTLS_X509PKI:
- cert_list =
- gnutls_x509pki_client_get_peer_certificate_list(state,
- &cert_list_size);
- status = gnutls_x509pki_client_get_peer_certificate_status(state);
-
- switch (status) {
- case GNUTLS_CERT_NOT_TRUSTED:
- printf("- Peer's X509 Certificate was NOT verified\n");
- break;
- case GNUTLS_CERT_EXPIRED:
- printf
- ("- Peer's X509 Certificate was verified but is expired\n");
- break;
- case GNUTLS_CERT_TRUSTED:
- printf("- Peer's X509 Certificate was verified\n");
- break;
- case GNUTLS_CERT_NONE:
- printf("- Peer did not send any X509 Certificate.\n");
- break;
- case GNUTLS_CERT_INVALID:
- printf("- Peer's X509 Certificate was invalid\n");
- break;
- }
-
- if (cert_list_size > 0) {
- printf(" - Certificate info:\n");
- printf(" - Certificate version: #%d\n",
- gnutls_x509pki_extract_certificate_version(&cert_list
- [0]));
-
- gnutls_x509pki_extract_certificate_dn(&cert_list[0], &dn);
- PRINT_DN(dn);
-
- gnutls_x509pki_extract_certificate_issuer_dn(&cert_list[0],
- &dn);
- printf(" - Certificate Issuer's info:\n");
- PRINT_DN(dn);
- }
- default:
- printf(" - Other.\n");
- }
-
- tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state));
- printf("- Version: %s\n", tmp);
-
- tmp = gnutls_compression_get_name(gnutls_compression_get_algo(state));
- printf("- Compression: %s\n", tmp);
-
- tmp = gnutls_cipher_get_name(gnutls_cipher_get_algo(state));
- printf("- Cipher: %s\n", tmp);
-
- tmp = gnutls_mac_get_name(gnutls_mac_get_algo(state));
- printf("- MAC: %s\n", tmp);
-
- return 0;
-}
+#include "gnutls-common.h"
/* a start of a hack at verifying certificates. does not
provide any security at all. I'm waiting for either
gnutls to make this as easy as it should be, or someone
to port Andrew McDonald's gnutls-for-mutt patch.
*/
+#ifdef FAILS_TO_COMPILE
int tls_check_certificate(struct connection_state *scs)
{
- CertificateStatus certstat;
+ CertificateStatus certstat; */
const gnutls_datum *cert_list;
int cert_list_size = 0;
@@ -393,6 +307,7 @@ int tls_check_certificate(struct connection_state *scs)
TDM(DEBUG_INFO, "certificate check ok.\n");
return (0);
}
+#endif
struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
{
@@ -415,7 +330,9 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
const int ciphers[] =
{ GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR, 0 };
const int compress[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
- const int key_exch[] = { GNUTLS_KX_X509PKI_RSA, 0 };
+ const int key_exch[] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS,
+ GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP,
+ GNUTLS_KX_ANON_DH, 0 };
const int mac[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
assert(gnutls_protocol_set_priority(scs->state, protocols) == 0);
assert(gnutls_cipher_set_priority(scs->state, ciphers) == 0);
@@ -423,7 +340,7 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
assert(gnutls_kx_set_priority(scs->state, key_exch) == 0);
assert(gnutls_mac_set_priority(scs->state, mac) == 0);
/* no client private key */
- if (gnutls_x509pki_allocate_sc(&scs->xcred, 1) < 0) {
+ if (gnutls_certificate_allocate_sc(&scs->xcred) < 0) {
DMA(DEBUG_ERROR, "gnutls memory error\n");
exit(1);
}
@@ -436,9 +353,9 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
certificate_filename);
exit(1);
}
- zok = gnutls_x509pki_set_client_trust_file(scs->xcred,
+ zok = gnutls_certificate_set_x509_trust_file(scs->xcred,
certificate_filename,
- "");
+ GNUTLS_X509_FMT_PEM);
if (zok != 0) {
DMA(DEBUG_ERROR,
"GNUTLS did not like your certificate file %s.\n",
@@ -448,13 +365,15 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
}
}
- gnutls_cred_set(scs->state, GNUTLS_X509PKI, scs->xcred);
+ gnutls_cred_set(scs->state, GNUTLS_CRD_CERTIFICATE, scs->xcred);
gnutls_transport_set_ptr(scs->state, sd);
do {
zok = gnutls_handshake(scs->state);
} while (zok == GNUTLS_E_INTERRUPTED || zok == GNUTLS_E_AGAIN);
+#ifdef FAILS_TO_COMPILE
tls_check_certificate(scs);
+#endif
}
if (zok < 0) {
@@ -484,7 +403,7 @@ struct connection_state *initialize_gnutls(int sd, char *name, Pop3 pc)
verbose error crap */
void handle_gnutls_read_error(int readbytes, struct connection_state *scs)
{
- if (gnutls_is_fatal_error(readbytes) == 1) {
+ if (gnutls_error_is_fatal(readbytes) == 1) {
TDM(DEBUG_ERROR,
"%s: Received corrupted data(%d) - server has terminated the connection abnormally\n",
scs->name, readbytes);
@@ -492,7 +411,7 @@ void handle_gnutls_read_error(int readbytes, struct connection_state *scs)
if (readbytes == GNUTLS_E_WARNING_ALERT_RECEIVED
|| readbytes == GNUTLS_E_FATAL_ALERT_RECEIVED)
TDM(DEBUG_ERROR, "* Received alert [%d]\n",
- gnutls_alert_get_last(scs->state));
+ gnutls_alert_get(scs->state));
if (readbytes == GNUTLS_E_REHANDSHAKE)
TDM(DEBUG_ERROR, "* Received HelloRequest message\n");
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-wmaker/wmbiff.git
More information about the Pkg-wmaker-commits
mailing list