25#include <gnutls/x509.h>
30#include <sys/socket.h>
38#define G_LOG_DOMAIN "libgvm util"
44 const gchar *, gnutls_session_t *,
45 gnutls_certificate_credentials_t *);
60 if (fcntl (client_connection->
socket, F_SETFL, O_NONBLOCK) == -1)
62 g_warning (
"%s: failed to set server socket flag: %s\n", __func__,
67 if (shutdown (client_connection->
socket, SHUT_RDWR) == -1)
69 if (errno == ENOTCONN)
71 g_warning (
"%s: failed to shutdown server socket: %s\n", __func__,
76 if (close (client_connection->
socket) == -1)
78 g_warning (
"%s: failed to close server socket: %s\n", __func__,
94 if (client_connection->
tls)
116 ret = gnutls_certificate_verify_peers2 (session, &status);
119 g_warning (
"%s: failed to verify peers: %s", __func__,
120 gnutls_strerror (ret));
124 if (status & GNUTLS_CERT_INVALID)
125 g_warning (
"%s: the certificate is not trusted", __func__);
127 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
128 g_warning (
"%s: the certificate's issuer is not a CA", __func__);
130 if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
131 g_warning (
"%s: the certificate was signed using an insecure algorithm",
134 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
135 g_warning (
"%s: the certificate hasn't got a known issuer", __func__);
137 if (status & GNUTLS_CERT_REVOKED)
138 g_warning (
"%s: the certificate has been revoked", __func__);
140 if (status & GNUTLS_CERT_EXPIRED)
141 g_warning (
"%s: the certificate has expired", __func__);
143 if (status & GNUTLS_CERT_NOT_ACTIVATED)
144 g_warning (
"%s: the certificate is not yet activated", __func__);
167 if (!(f = fopen (file,
"r")) || fseek (f, 0, SEEK_END) != 0
168 || (filelen = ftell (f)) < 0 || fseek (f, 0, SEEK_SET) != 0
169 || !(ptr = g_malloc0 ((
size_t) filelen))
170 || fread (ptr, 1, (
size_t) filelen, f) < (
size_t) filelen)
177 loaded_file->data = ptr;
178 loaded_file->size = filelen;
263 const gnutls_datum_t *req_ca_rdn,
int nreqs,
264 const gnutls_pk_algorithm_t *sign_algos,
265 int sign_algos_length, gnutls_retr2_st *st)
269 static gnutls_x509_crt_t crt;
270 static gnutls_x509_privkey_t key;
276 (void) sign_algos_length;
279 gnutls_x509_crt_init (&crt);
280 ret = gnutls_x509_crt_import (crt, &data, GNUTLS_X509_FMT_PEM);
284 st->cert.x509 = &crt;
285 st->cert_type = GNUTLS_CRT_X509;
290 gnutls_x509_privkey_init (&key);
291 ret = gnutls_x509_privkey_import (key, &data, GNUTLS_X509_FMT_PEM);
296 st->key_type = GNUTLS_PRIVKEY_X509;
315 const char *ca_mem,
const char *pub_mem,
316 const char *priv_mem,
int verify)
320 struct addrinfo address_hints;
321 struct addrinfo *addresses, *address;
325 gnutls_certificate_credentials_t credentials;
328 if (port < 1 || port > 65535)
330 g_warning (
"Failed to create client TLS session. "
339 g_warning (
"Failed to create client TLS session. Invalid host %s", host);
349 g_warning (
"Failed to create client TLS session.");
353 if (ca_mem && pub_mem && priv_mem)
358 gnutls_certificate_set_retrieve_function (credentials,
364 port_string = g_strdup_printf (
"%i", port);
368 memset (&address_hints, 0,
sizeof (address_hints));
369 address_hints.ai_family = AF_UNSPEC;
370 address_hints.ai_socktype = SOCK_STREAM;
371 address_hints.ai_protocol = 0;
373 if (getaddrinfo (host, port_string, &address_hints, &addresses))
375 g_free (port_string);
376 g_warning (
"Failed to get server addresses for %s: %s", host,
377 gai_strerror (errno));
378 gnutls_deinit (*session);
379 gnutls_certificate_free_credentials (credentials);
382 g_free (port_string);
386 for (address = addresses; address; address = address->ai_next)
390 if (address->ai_family == AF_INET6)
391 server_socket = socket (PF_INET6, SOCK_STREAM, 0);
393 server_socket = socket (PF_INET, SOCK_STREAM, 0);
394 if (server_socket == -1)
396 g_warning (
"Failed to create server socket");
397 freeaddrinfo (addresses);
398 gnutls_deinit (*session);
399 gnutls_certificate_free_credentials (credentials);
405 if (connect (server_socket, address->ai_addr, address->ai_addrlen) == -1)
407 close (server_socket);
413 freeaddrinfo (addresses);
417 g_warning (
"Failed to connect to server");
418 gnutls_deinit (*session);
419 gnutls_certificate_free_credentials (credentials);
423 g_debug (
" Connected to server '%s' port %d.", host, port);
431 close (server_socket);
432 gnutls_deinit (*session);
433 gnutls_certificate_free_credentials (credentials);
435 close (server_socket);
440 close (server_socket);
444 return server_socket;
463 int port,
const char *ca_mem,
const char *pub_mem,
464 const char *priv_mem)
467 ca_mem && pub_mem && priv_mem);
525 unsigned int retries;
527 gnutls_transport_set_ptr (*session,
528 (gnutls_transport_ptr_t) GSIZE_TO_POINTER (socket));
533 int ret = gnutls_handshake (*session);
536 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
539 usleep (MIN ((retries - 10) * 10000, 5000000));
544 g_debug (
"Failed to shake hands with server '%s' port %d: %s", host,
545 port, gnutls_strerror (ret));
547 g_debug (
"Failed to shake hands with peer: %s", gnutls_strerror (ret));
548 if (shutdown (socket, SHUT_RDWR) == -1)
549 g_debug (
"Failed to shutdown server socket");
553 g_debug (
" Shook hands with server '%s' port %d.", host, port);
555 g_debug (
" Shook hands with peer.");
591 va_list ap,
int quiet)
596 left = vasprintf (&
string, fmt, ap);
606 g_debug (
" send %d from %.*s[...]", left, left < 30 ? left : 30,
608 count = gnutls_record_send (*session,
string, left);
611 if (count == GNUTLS_E_INTERRUPTED)
614 if (count == GNUTLS_E_REHANDSHAKE)
618 g_message (
" %s rehandshake", __func__);
621 g_warning (
"Failed to write to server: %s", gnutls_strerror (count));
629 g_debug (
"= server closed");
634 g_debug (
"=> %.*s", (
int) count,
string);
660 char *string_start, *string;
663 left = vasprintf (&
string, fmt, ap);
667 string_start = string;
673 g_debug (
" send %d from %.*s[...]", left, left < 30 ? left : 30,
675 count = write (socket,
string, left);
678 if (errno == EINTR || errno == EAGAIN)
680 g_warning (
"Failed to write to server: %s", strerror (errno));
685 g_debug (
"=> %.*s", (
int) count,
string);
694 g_free (string_start);
711 va_list ap,
int quiet)
809 va_start (ap, format);
829 va_start (ap, format);
849 va_start (ap, format);
870 va_start (ap, format);
893 va_start (ap, format);
894 msg = g_markup_vprintf_escaped (format, ap);
918 va_start (ap, format);
919 msg = g_markup_vprintf_escaped (format, ap);
945 va_start (ap, format);
946 msg = g_markup_vprintf_escaped (format, ap);
967 const char *format, ...)
973 va_start (ap, format);
974 msg = g_markup_vprintf_escaped (format, ap);
992 gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
995 if (gnutls_global_init ())
997 g_warning (
"Failed to initialize GNUTLS.");
1001 if (gnutls_certificate_allocate_credentials (server_credentials))
1003 g_warning (
"%s: failed to allocate server credentials\n", __func__);
1022 gnutls_session_t *server_session,
1023 gnutls_certificate_credentials_t *server_credentials)
1027 if (gnutls_init (server_session, end_type))
1029 g_warning (
"%s: failed to initialise server session\n", __func__);
1041 err = gnutls_priority_set_direct (*server_session,
1042 priority ? priority :
"NORMAL", NULL);
1045 g_warning (
"%s: failed to set tls priorities: %s\n", __func__,
1046 gnutls_strerror (err));
1047 gnutls_deinit (*server_session);
1051 if (gnutls_credentials_set (*server_session, GNUTLS_CRD_CERTIFICATE,
1052 *server_credentials))
1054 g_warning (
"%s: failed to set server credentials\n", __func__);
1055 gnutls_deinit (*server_session);
1059 if (end_type == GNUTLS_SERVER)
1060 gnutls_certificate_server_set_request (*server_session,
1061 GNUTLS_CERT_REQUEST);
1081 const gchar *ca_cert_file,
const gchar *cert_file,
1082 const gchar *key_file, gnutls_session_t *server_session,
1083 gnutls_certificate_credentials_t *server_credentials)
1088 if (cert_file && key_file)
1092 ret = gnutls_certificate_set_x509_key_file (
1093 *server_credentials, cert_file, key_file, GNUTLS_X509_FMT_PEM);
1096 g_warning (
"%s: failed to set credentials key file: %s\n", __func__,
1097 gnutls_strerror (ret));
1098 g_warning (
"%s: cert file: %s\n", __func__, cert_file);
1099 g_warning (
"%s: key file : %s\n", __func__, key_file);
1100 gnutls_certificate_free_credentials (*server_credentials);
1109 ret = gnutls_certificate_set_x509_trust_file (
1110 *server_credentials, ca_cert_file, GNUTLS_X509_FMT_PEM);
1113 g_warning (
"%s: failed to set credentials trust file: %s\n", __func__,
1114 gnutls_strerror (ret));
1115 g_warning (
"%s: trust file: %s\n", __func__, ca_cert_file);
1116 gnutls_certificate_free_credentials (*server_credentials);
1122 server_credentials))
1124 gnutls_certificate_free_credentials (*server_credentials);
1146 gchar *key_file, gnutls_session_t *server_session,
1147 gnutls_certificate_credentials_t *server_credentials)
1150 server_session, server_credentials);
1168 const char *pub_key,
const char *priv_key,
1169 gnutls_session_t *session,
1170 gnutls_certificate_credentials_t *credentials)
1175 if (pub_key && priv_key)
1178 gnutls_datum_t pub, priv;
1180 pub.data = (
void *) pub_key;
1181 pub.size = strlen (pub_key);
1182 priv.data = (
void *) priv_key;
1183 priv.size = strlen (priv_key);
1185 ret = gnutls_certificate_set_x509_key_mem (*credentials, &pub, &priv,
1186 GNUTLS_X509_FMT_PEM);
1189 g_warning (
"%s: %s\n", __func__, gnutls_strerror (ret));
1197 gnutls_datum_t data;
1199 data.data = (
void *) ca_cert;
1200 data.size = strlen (ca_cert);
1201 ret = gnutls_certificate_set_x509_trust_mem (*credentials, &data,
1202 GNUTLS_X509_FMT_PEM);
1205 g_warning (
"%s: %s\n", __func__, gnutls_strerror (ret));
1206 gnutls_certificate_free_credentials (*credentials);
1213 gnutls_certificate_free_credentials (*credentials);
1230 const char *dhparams_file)
1233 gnutls_datum_t data;
1235 if (!creds || !dhparams_file)
1242#ifndef __clang_analyzer__
1244 gnutls_dh_params_t params = g_malloc0 (
sizeof (gnutls_dh_params_t));
1245 ret = gnutls_dh_params_import_pkcs3 (params, &data, GNUTLS_X509_FMT_PEM);
1253 gnutls_certificate_set_dh_params (creds, params);
1273 gnutls_certificate_credentials_t server_credentials)
1277 if (fcntl (server_socket, F_SETFL, O_NONBLOCK) == -1)
1279 g_warning (
"%s: failed to set server socket flag: %s\n", __func__,
1286 int ret = gnutls_bye (server_session, GNUTLS_SHUT_WR);
1287 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
1293 g_debug (
" Failed to gnutls_bye: %s\n",
1294 gnutls_strerror ((
int) ret));
1308 if (server_credentials)
1310 if (close (server_socket) == -1)
1312 g_warning (
"%s: failed to close server socket: %s\n", __func__,
1316 gnutls_deinit (server_session);
1317 gnutls_certificate_free_credentials (server_credentials);
1321 gnutls_deinit (server_session);
1322 close (server_socket);
1325 gnutls_global_deinit ();
int gvm_get_host_type(const gchar *str_stripped)
Determines the host type in a buffer.
Definition hosts.c:810
Protos and data structures for Hosts collections and single hosts objects.
host_type
Definition hosts.h:34
@ HOST_TYPE_NAME
Definition hosts.h:35
@ HOST_TYPE_IPV6
Definition hosts.h:40
@ HOST_TYPE_IPV4
Definition hosts.h:36
static int close_unix(gvm_connection_t *client_connection)
Close UNIX socket connection.
Definition serverutils.c:57
static int server_new_internal(unsigned int, const char *, const gchar *, const gchar *, const gchar *, gnutls_session_t *, gnutls_certificate_credentials_t *)
Make a session for connecting to a server.
Definition serverutils.c:1080
int set_gnutls_dhparams(gnutls_certificate_credentials_t creds, const char *dhparams_file)
Set a gnutls session's Diffie-Hellman parameters.
Definition serverutils.c:1229
static const char * get_cert_pub_mem()
Get public certificate from cert_pub_mem.
Definition serverutils.c:241
int gvm_server_new(unsigned int end_type, gchar *ca_cert_file, gchar *cert_file, gchar *key_file, gnutls_session_t *server_session, gnutls_certificate_credentials_t *server_credentials)
Make a session for connecting to a server.
Definition serverutils.c:1145
int gvm_connection_sendf(gvm_connection_t *connection, const char *format,...)
Format and send a string to the server.
Definition serverutils.c:824
int gvm_server_open_with_cert(gnutls_session_t *session, const char *host, int port, const char *ca_mem, const char *pub_mem, const char *priv_mem)
Connect to the server using a given host, port and cert.
Definition serverutils.c:462
int gvm_server_sendf_xml_quiet(gnutls_session_t *session, const char *format,...)
Format and send an XML string to the server.
Definition serverutils.c:939
static void set_cert_priv_mem(const char *data)
Save cert_priv_mem with private certificate.
Definition serverutils.c:217
int gvm_server_vsendf(gnutls_session_t *session, const char *fmt, va_list ap)
Send a string to the server.
Definition serverutils.c:728
static const char * get_cert_priv_mem()
Get private certificate from cert_priv_mem.
Definition serverutils.c:230
int gvm_server_close(int socket, gnutls_session_t session)
Close a server connection and its socket.
Definition serverutils.c:494
int gvm_server_open(gnutls_session_t *session, const char *host, int port)
Connect to the server using a given host and port.
Definition serverutils.c:480
static int gvm_connection_vsendf_internal(gvm_connection_t *connection, const char *fmt, va_list ap, int quiet)
Send a string to the connection.
Definition serverutils.c:710
static int client_cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t *sign_algos, int sign_algos_length, gnutls_retr2_st *st)
Callback function to be called in order to retrieve the certificate to be used in the handshake.
Definition serverutils.c:262
int gvm_connection_sendf_xml(gvm_connection_t *connection, const char *format,...)
Format and send an XML string to the server.
Definition serverutils.c:912
static char * cert_pub_mem
Definition serverutils.c:195
static int gvm_server_sendf_quiet(gnutls_session_t *session, const char *format,...)
Format and send a string to the server.
Definition serverutils.c:844
void gvm_connection_close(gvm_connection_t *connection)
Close a server connection and its socket.
Definition serverutils.c:505
static int server_attach_internal(int, gnutls_session_t *, const char *, int)
Attach a socket to a session, and shake hands with the peer.
Definition serverutils.c:522
static int server_new_gnutls_init(gnutls_certificate_credentials_t *server_credentials)
Initialize a server session.
Definition serverutils.c:989
int gvm_socket_vsendf(int socket, const char *fmt, va_list ap)
Send a string to the server.
Definition serverutils.c:743
int load_gnutls_file(const char *file, gnutls_datum_t *loaded_file)
Loads a file's data into gnutls_datum_t struct.
Definition serverutils.c:161
int gvm_server_new_mem(unsigned int end_type, const char *ca_cert, const char *pub_key, const char *priv_key, gnutls_session_t *session, gnutls_certificate_credentials_t *credentials)
Make a session for connecting to a server, with certificates stored in memory.
Definition serverutils.c:1167
static char * cert_priv_mem
Definition serverutils.c:196
void gvm_connection_free(gvm_connection_t *client_connection)
Free connection.
Definition serverutils.c:92
int gvm_server_sendf_xml(gnutls_session_t *session, const char *format,...)
Format and send an XML string to the server.
Definition serverutils.c:887
static int gvm_connection_sendf_quiet(gvm_connection_t *connection, const char *format,...)
Format and send a string to the server.
Definition serverutils.c:864
static int unix_vsendf_internal(int socket, const char *fmt, va_list ap, int quiet)
Send a string to the server.
Definition serverutils.c:658
static int server_new_gnutls_set(unsigned int end_type, const char *priority, gnutls_session_t *server_session, gnutls_certificate_credentials_t *server_credentials)
Set the server credentials.
Definition serverutils.c:1021
static int gvm_connection_vsendf(gvm_connection_t *connection, const char *fmt, va_list ap)
Send a string to the server.
Definition serverutils.c:758
void unload_gnutls_file(gnutls_datum_t *data)
Unloads a gnutls_datum_t struct's data.
Definition serverutils.c:189
static int gvm_connection_vsendf_quiet(gvm_connection_t *connection, const char *fmt, va_list ap)
Send a string to the server, refraining from logging besides warnings.
Definition serverutils.c:789
int gvm_server_verify(gnutls_session_t session)
Verify certificate.
Definition serverutils.c:111
static int gvm_server_vsendf_internal(gnutls_session_t *session, const char *fmt, va_list ap, int quiet)
Send a string to the server.
Definition serverutils.c:590
static int gvm_server_vsendf_quiet(gnutls_session_t *session, const char *fmt, va_list ap)
Send a string to the server, refraining from logging besides warnings.
Definition serverutils.c:774
int gvm_server_sendf(gnutls_session_t *session, const char *format,...)
Format and send a string to the server.
Definition serverutils.c:804
int gvm_server_free(int server_socket, gnutls_session_t server_session, gnutls_certificate_credentials_t server_credentials)
Cleanup a server session.
Definition serverutils.c:1272
int gvm_server_attach(int socket, gnutls_session_t *session)
Attach a socket to a session, and shake hands with the peer.
Definition serverutils.c:570
int gvm_server_open_verify(gnutls_session_t *session, const char *host, int port, const char *ca_mem, const char *pub_mem, const char *priv_mem, int verify)
Connect to the server using a given host, port and cert.
Definition serverutils.c:314
static void set_cert_pub_mem(const char *data)
Save cert_pub_mem with public certificate.
Definition serverutils.c:204
int gvm_connection_sendf_xml_quiet(gvm_connection_t *connection, const char *format,...)
Format and send an XML string to the server.
Definition serverutils.c:966
GnuTLS based functions for server communication - header file.
Connection.
Definition serverutils.h:30
int tls
Whether uses TCP-TLS (vs UNIX socket).
Definition serverutils.h:31
gnutls_certificate_credentials_t credentials
Credentials.
Definition serverutils.h:34
int socket
Socket.
Definition serverutils.h:32
gnutls_session_t session
Session.
Definition serverutils.h:33