dockapps/wmbiff/wmbiff/gnutls-common.c
2013-04-08 18:03:34 +01:00

690 lines
17 KiB
C

#include <config.h>
# include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gnutls/gnutls.h>
#include <gnutls/extra.h>
#include <gnutls/x509.h>
#include <gnutls/openpgp.h>
#include <time.h>
#include <gnutls-common.h>
#define TEST_STRING
int xml = 0;
int print_cert;
static char buffer[5*1024];
#define PRINTX(x,y) if (y[0]!=0) printf(" # %s %s\n", x, y)
#define PRINT_PGP_NAME(X) PRINTX( "NAME:", name)
const char str_unknown[] = "(unknown)";
static const char *my_ctime(const time_t * tv)
{
static char buf[256];
struct tm *tp;
if ( ( (tp = localtime(tv)) == NULL ) ||
(!strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y\n", tp)) )
strcpy(buf, str_unknown);/* make sure buf text isn't garbage */
return buf;
}
void print_x509_info(gnutls_session session, const char* hostname)
{
gnutls_x509_crt crt;
const gnutls_datum *cert_list;
unsigned int cert_list_size = 0;
int ret;
char digest[20];
char serial[40];
char dn[256];
size_t dn_size;
size_t digest_size = sizeof(digest);
unsigned int i, j;
size_t serial_size = sizeof(serial);
char printable[256];
char *print;
unsigned int bits, algo;
time_t expiret, activet;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size == 0) {
fprintf(stderr, "No certificates found!\n");
return;
}
printf(" - Got a certificate list of %d certificates.\n\n",
cert_list_size);
for (j = 0; j < cert_list_size; j++) {
gnutls_x509_crt_init(&crt);
ret =
gnutls_x509_crt_import(crt, &cert_list[j],
GNUTLS_X509_FMT_DER);
if (ret < 0) {
const char* str = gnutls_strerror(ret);
if (str == NULL) str = str_unknown;
fprintf(stderr, "Decoding error: %s\n", str);
return;
}
printf(" - Certificate[%d] info:\n", j);
if (print_cert) {
size_t size;
size = sizeof(buffer);
ret = gnutls_x509_crt_export( crt, GNUTLS_X509_FMT_PEM, buffer, &size);
if (ret < 0) {
fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret));
return;
}
fputs( "\n", stdout);
fputs( buffer, stdout);
fputs( "\n", stdout);
}
if (j==0 && hostname != NULL) { /* Check the hostname of the first certificate
* if it matches the name of the host we
* connected to.
*/
if (gnutls_x509_crt_check_hostname( crt, hostname)==0) {
printf(" # The hostname in the certificate does NOT match '%s'.\n", hostname);
} else {
printf(" # The hostname in the certificate matches '%s'.\n", hostname);
}
}
if (xml) {
#ifdef ENABLE_PKI
gnutls_datum xml_data;
ret = gnutls_x509_crt_to_xml( crt, &xml_data, 0);
if (ret < 0) {
const char* str = gnutls_strerror(ret);
if (str == NULL) str = str_unknown;
fprintf(stderr, "XML encoding error: %s\n",
str);
return;
}
printf("%s", xml_data.data);
gnutls_free( xml_data.data);
#endif
} else {
expiret = gnutls_x509_crt_get_expiration_time(crt);
activet = gnutls_x509_crt_get_activation_time(crt);
printf(" # valid since: %s", my_ctime(&activet));
printf(" # expires at: %s", my_ctime(&expiret));
/* Print the serial number of the certificate.
*/
if (gnutls_x509_crt_get_serial(crt, serial, &serial_size)
>= 0) {
print = printable;
for (i = 0; i < serial_size; i++) {
sprintf(print, "%.2x ",
(unsigned char) serial[i]);
print += 3;
}
printf(" # serial number: %s\n", printable);
}
/* Print the fingerprint of the certificate
*/
digest_size = sizeof(digest);
if ((ret=gnutls_x509_crt_get_fingerprint(crt, GNUTLS_DIG_MD5, digest, &digest_size))
< 0) {
const char* str = gnutls_strerror(ret);
if (str == NULL) str = str_unknown;
fprintf(stderr, "Error in fingerprint calculation: %s\n", str);
} else {
print = printable;
for (i = 0; i < digest_size; i++) {
sprintf(print, "%.2x ",
(unsigned char) digest[i]);
print += 3;
}
printf(" # fingerprint: %s\n", printable);
}
/* Print the version of the X.509
* certificate.
*/
printf(" # version: #%d\n",
gnutls_x509_crt_get_version(crt));
algo = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
printf(" # public key algorithm: ");
if (algo == GNUTLS_PK_RSA) {
printf("RSA\n");
printf(" # Modulus: %d bits\n", bits);
} else if (algo == GNUTLS_PK_DSA) {
printf("DSA\n");
printf(" # Exponent: %d bits\n", bits);
} else {
printf("UNKNOWN\n");
}
dn_size = sizeof(dn);
ret = gnutls_x509_crt_get_dn(crt, dn, &dn_size);
if (ret >= 0)
printf(" # Subject's DN: %s\n", dn);
dn_size = sizeof(dn);
ret = gnutls_x509_crt_get_issuer_dn(crt, dn, &dn_size);
if (ret >= 0)
printf(" # Issuer's DN: %s\n", dn);
}
gnutls_x509_crt_deinit(crt);
printf("\n");
}
}
#ifdef HAVE_LIBOPENCDK
void print_openpgp_info(gnutls_session session, const char* hostname)
{
char digest[20];
size_t digest_size = sizeof(digest);
unsigned int i;
int ret;
char printable[120];
char *print;
char name[256];
size_t name_len = sizeof(name);
gnutls_openpgp_key crt;
const gnutls_datum *cert_list;
unsigned int cert_list_size = 0;
time_t expiret;
time_t activet;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size > 0) {
unsigned int algo, bits;
gnutls_openpgp_key_init(&crt);
ret =
gnutls_openpgp_key_import(crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0) {
const char* str = gnutls_strerror(ret);
if (str == NULL) str = str_unknown;
fprintf(stderr, "Decoding error: %s\n", str);
return;
}
if (print_cert) {
size_t size;
size = sizeof(buffer);
ret = gnutls_openpgp_key_export( crt, GNUTLS_OPENPGP_FMT_BASE64, buffer, &size);
if (ret < 0) {
fprintf(stderr, "Encoding error: %s\n", gnutls_strerror(ret));
return;
}
fputs( "\n", stdout);
fputs( buffer, stdout);
fputs( "\n", stdout);
}
if (hostname != NULL) { /* Check the hostname of the first certificate
* if it matches the name of the host we
* connected to.
*/
if (gnutls_openpgp_key_check_hostname( crt, hostname)==0) {
printf(" # The hostname in the key does NOT match '%s'.\n", hostname);
} else {
printf(" # The hostname in the key matches '%s'.\n", hostname);
}
}
if (xml) {
gnutls_datum xml_data;
ret = gnutls_openpgp_key_to_xml( crt, &xml_data, 0);
if (ret < 0) {
const char* str = gnutls_strerror(ret);
if (str == NULL) str = str_unknown;
fprintf(stderr, "XML encoding error: %s\n",
str);
return;
}
printf("%s", xml_data.data);
gnutls_free( xml_data.data);
return;
}
activet = gnutls_openpgp_key_get_creation_time( crt);
expiret = gnutls_openpgp_key_get_expiration_time( crt);
printf(" # Key was created at: %s", my_ctime(&activet));
printf(" # Key expires: ");
if (expiret != 0)
printf("%s", my_ctime(&expiret));
else
printf("Never\n");
if (gnutls_openpgp_key_get_fingerprint(crt, digest, &digest_size) >= 0)
{
print = printable;
for (i = 0; i < digest_size; i++) {
sprintf(print, "%.2x ",
(unsigned char) digest[i]);
print += 3;
}
printf(" # PGP Key version: %d\n",
gnutls_openpgp_key_get_version(crt));
algo =
gnutls_openpgp_key_get_pk_algorithm(crt, &bits);
printf(" # PGP Key public key algorithm: ");
if (algo == GNUTLS_PK_RSA) {
printf("RSA\n");
printf(" # Modulus: %d bits\n", bits);
} else if (algo == GNUTLS_PK_DSA) {
printf("DSA\n");
printf(" # Exponent: %d bits\n", bits);
} else {
printf("UNKNOWN\n");
}
printf(" # PGP Key fingerprint: %s\n", printable);
name_len = sizeof(name);
if (gnutls_openpgp_key_get_name(crt, 0, name, &name_len) < 0) {
fprintf(stderr,
"Could not extract name\n");
} else {
PRINT_PGP_NAME(name);
}
}
gnutls_openpgp_key_deinit( crt);
}
}
#endif
void print_cert_vrfy(gnutls_session session)
{
unsigned int status;
int ret;
ret = gnutls_certificate_verify_peers2(session, &status);
printf("\n");
if(ret < 0)
{
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
printf("- Peer did not send any certificate.\n");
else
printf("- Could not verify certificate (err: %s (%d))\n",
gnutls_strerror(ret), ret);
return;
}
if (gnutls_certificate_type_get(session)==GNUTLS_CRT_X509) {
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
printf("- Peer's certificate issuer is unknown\n");
if (status & GNUTLS_CERT_INVALID)
printf("- Peer's certificate is NOT trusted\n");
else
printf("- Peer's certificate is trusted\n");
} else {
if (status & GNUTLS_CERT_INVALID)
printf("- Peer's key is invalid\n");
else
printf("- Peer's key is valid\n");
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
printf("- Could not find a signer of the peer's key\n");
}
}
int print_info(gnutls_session session, const char* hostname)
{
const char *tmp;
gnutls_credentials_type cred;
gnutls_kx_algorithm kx;
/* print the key exchange's algorithm name
*/
kx = gnutls_kx_get(session);
cred = gnutls_auth_get_type(session);
switch (cred) {
#ifdef ENABLE_ANON
case GNUTLS_CRD_ANON:
printf("- Anonymous DH using prime of %d bits, secret key "
"of %d bits, and peer's public key is %d bits.\n",
gnutls_dh_get_prime_bits(session),
gnutls_dh_get_secret_bits(session),
gnutls_dh_get_peers_public_bits(session));
break;
#endif
#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
/* This should be only called in server
* side.
*/
if (gnutls_srp_server_get_username(session) != NULL)
printf("- SRP authentication. Connected as '%s'\n",
gnutls_srp_server_get_username(session));
break;
#endif
case GNUTLS_CRD_CERTIFICATE:
{
char dns[256];
size_t dns_size = sizeof(dns);
unsigned int type;
/* This fails in client side */
if (gnutls_server_name_get
(session, dns, &dns_size, &type, 0) == 0) {
printf("- Given server name[%d]: %s\n",
type, dns);
}
}
print_cert_info(session, hostname);
print_cert_vrfy(session);
/* Check if we have been using ephemeral Diffie Hellman.
*/
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) {
printf
("- Ephemeral DH using prime of %d bits, secret key "
"of %d bits, and peer's public key is %d bits.\n",
gnutls_dh_get_prime_bits(session),
gnutls_dh_get_secret_bits(session),
gnutls_dh_get_peers_public_bits(session));
}
default:
break;
}
tmp =
gnutls_protocol_get_name(gnutls_protocol_get_version(session));
if (tmp != NULL) printf("- Version: %s\n", tmp);
tmp = gnutls_kx_get_name(kx);
if (tmp != NULL) printf("- Key Exchange: %s\n", tmp);
tmp = gnutls_cipher_get_name(gnutls_cipher_get(session));
if (tmp != NULL) printf("- Cipher: %s\n", tmp);
tmp = gnutls_mac_get_name(gnutls_mac_get(session));
if (tmp != NULL) printf("- MAC: %s\n", tmp);
tmp = gnutls_compression_get_name(gnutls_compression_get(session));
if (tmp != NULL) printf("- Compression: %s\n", tmp);
fflush (stdout);
return 0;
}
void print_cert_info(gnutls_session session, const char* hostname)
{
printf("- Certificate type: ");
switch (gnutls_certificate_type_get(session)) {
case GNUTLS_CRT_X509:
printf("X.509\n");
print_x509_info(session, hostname);
break;
#ifdef HAVE_LIBOPENCDK
case GNUTLS_CRT_OPENPGP:
printf("OpenPGP\n");
print_openpgp_info(session, hostname);
break;
#endif
default:
break;
}
}
void print_list(void)
{
/* FIXME: This is hard coded. Make it print all the supported
* algorithms.
*/
printf("\n");
printf("Certificate types:");
printf(" X.509");
printf(", OPENPGP\n");
printf("Protocols:");
printf(" TLS1.0");
printf(", SSL3.0\n");
printf("Ciphers:");
printf(" AES-128-CBC");
printf(", 3DES-CBC");
printf(", ARCFOUR");
printf(", ARCFOUR-40\n");
printf("MACs:");
printf(" MD5");
printf(", RMD160");
printf(", SHA1\n");
printf("Key exchange algorithms:");
printf(" RSA");
printf(", RSA-EXPORT");
printf(", DHE-DSS");
printf(", DHE-RSA");
printf(", SRP");
printf(", SRP-RSA");
printf(", SRP-DSS");
printf(", ANON-DH\n");
printf("Compression methods:");
printf(" ZLIB");
printf(", LZO");
printf(", NULL\n");
}
void print_license(void)
{
fprintf(stdout,
"\nCopyright (C) 2001-2003 Nikos Mavroyanopoulos\n"
"This program is free software; you can redistribute it and/or modify \n"
"it under the terms of the GNU General Public License as published by \n"
"the Free Software Foundation; either version 2 of the License, or \n"
"(at your option) any later version. \n" "\n"
"This program is distributed in the hope that it will be useful, \n"
"but WITHOUT ANY WARRANTY; without even the implied warranty of \n"
"MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n"
"GNU General Public License for more details. \n" "\n"
"You should have received a copy of the GNU General Public License \n"
"along with this program; if not, write to the Free Software \n"
"Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\n\n");
}
void parse_protocols(char **protocols, int protocols_size,
int *protocol_priority)
{
int i, j;
if (protocols != NULL && protocols_size > 0) {
for (j = i = 0; i < protocols_size; i++) {
if (strncasecmp(protocols[i], "SSL", 3) == 0)
protocol_priority[j++] = GNUTLS_SSL3;
if (strncasecmp(protocols[i], "TLS", 3) == 0)
protocol_priority[j++] = GNUTLS_TLS1;
}
protocol_priority[j] = 0;
}
}
void parse_ciphers(char **ciphers, int nciphers, int *cipher_priority)
{
int j, i;
if (ciphers != NULL && nciphers > 0) {
for (j = i = 0; i < nciphers; i++) {
if (strncasecmp(ciphers[i], "AES", 3) == 0)
cipher_priority[j++] =
GNUTLS_CIPHER_AES_128_CBC;
if (strncasecmp(ciphers[i], "3DE", 3) == 0)
cipher_priority[j++] =
GNUTLS_CIPHER_3DES_CBC;
if (strcasecmp(ciphers[i], "ARCFOUR-40") == 0)
cipher_priority[j++] =
GNUTLS_CIPHER_ARCFOUR_40;
if (strcasecmp(ciphers[i], "ARCFOUR") == 0)
cipher_priority[j++] =
GNUTLS_CIPHER_ARCFOUR_128;
if (strncasecmp(ciphers[i], "NUL", 3) == 0)
cipher_priority[j++] = GNUTLS_CIPHER_NULL;
}
cipher_priority[j] = 0;
}
}
void parse_macs(char **macs, int nmacs, int *mac_priority)
{
int i, j;
if (macs != NULL && nmacs > 0) {
for (j = i = 0; i < nmacs; i++) {
if (strncasecmp(macs[i], "MD5", 3) == 0)
mac_priority[j++] = GNUTLS_MAC_MD5;
if (strncasecmp(macs[i], "RMD", 3) == 0)
mac_priority[j++] = GNUTLS_MAC_RMD160;
if (strncasecmp(macs[i], "SHA", 3) == 0)
mac_priority[j++] = GNUTLS_MAC_SHA;
}
mac_priority[j] = 0;
}
}
void parse_ctypes(char **ctype, int nctype, int *cert_type_priority)
{
int i, j;
if (ctype != NULL && nctype > 0) {
for (j = i = 0; i < nctype; i++) {
if (strncasecmp(ctype[i], "OPE", 3) == 0)
cert_type_priority[j++] =
GNUTLS_CRT_OPENPGP;
if (strncasecmp(ctype[i], "X", 1) == 0)
cert_type_priority[j++] = GNUTLS_CRT_X509;
}
cert_type_priority[j] = 0;
}
}
void parse_kx(char **kx, int nkx, int *kx_priority)
{
int i, j;
if (kx != NULL && nkx > 0) {
for (j = i = 0; i < nkx; i++) {
if (strcasecmp(kx[i], "SRP") == 0)
kx_priority[j++] = GNUTLS_KX_SRP;
if (strcasecmp(kx[i], "SRP-RSA") == 0)
kx_priority[j++] = GNUTLS_KX_SRP_RSA;
if (strcasecmp(kx[i], "SRP-DSS") == 0)
kx_priority[j++] = GNUTLS_KX_SRP_DSS;
if (strcasecmp(kx[i], "RSA") == 0)
kx_priority[j++] = GNUTLS_KX_RSA;
if (strcasecmp(kx[i], "RSA-EXPORT") == 0)
kx_priority[j++] = GNUTLS_KX_RSA_EXPORT;
if (strncasecmp(kx[i], "DHE-RSA", 7) == 0)
kx_priority[j++] = GNUTLS_KX_DHE_RSA;
if (strncasecmp(kx[i], "DHE-DSS", 7) == 0)
kx_priority[j++] = GNUTLS_KX_DHE_DSS;
if (strncasecmp(kx[i], "ANON", 4) == 0)
kx_priority[j++] = GNUTLS_KX_ANON_DH;
}
kx_priority[j] = 0;
}
}
void parse_comp(char **comp, int ncomp, int *comp_priority)
{
int i, j;
if (comp != NULL && ncomp > 0) {
for (j = i = 0; i < ncomp; i++) {
if (strncasecmp(comp[i], "NUL", 3) == 0)
comp_priority[j++] = GNUTLS_COMP_NULL;
if (strncasecmp(comp[i], "ZLI", 3) == 0)
comp_priority[j++] = GNUTLS_COMP_ZLIB;
if (strncasecmp(comp[i], "LZO", 3) == 0)
comp_priority[j++] = GNUTLS_COMP_LZO;
}
comp_priority[j] = 0;
}
}
#ifndef HAVE_INET_NTOP
#ifdef _WIN32
# include <winsock.h>
#else
# include <sys/socket.h>
# include <netinet/in.h>
# include <arpa/inet.h>
#endif
const char *inet_ntop(int af __attribute__((unused)), const void *src,
char *dst, size_t cnt)
{
char* ret;
ret = inet_ntoa( *((struct in_addr*)src));
if (strlen(ret) > cnt) {
return NULL;
}
strcpy( dst, ret);
return dst;
}
#endif
void sockets_init( void)
{
#ifdef _WIN32
WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) != 0) {
perror("WSA_STARTUP_ERROR");
}
#endif
}