aboutsummaryrefslogtreecommitdiffstats
path: root/common
diff options
context:
space:
mode:
authorWerner Koch <[email protected]>2014-10-02 15:33:57 +0000
committerWerner Koch <[email protected]>2014-10-02 15:33:57 +0000
commitf2361e6d582d4343d71d294ed1da654afe7750ee (patch)
tree4864aac70c3ef5f5b121e210d671b5b67d7ba422 /common
parentbuild: Update m4 scripts (diff)
downloadgnupg-f2361e6d582d4343d71d294ed1da654afe7750ee.tar.gz
gnupg-f2361e6d582d4343d71d294ed1da654afe7750ee.zip
First changes for future use of NTBTLS.
* configure.ac (NEED_NTBTLS_ABI, NEED_NTBTLS_VERSION): New. (HTTP_USE_NTBTLS): New. Prefer over GNUTLS. * m4/ntbtls.m4: New. * m4/Makefile.am (EXTRA_DIST): Add new file. * common/http.c: Add conditionals to eventually use NTBTLS. -- This is only the configure stuff. If you have NTBTLS installed GNUTLS will not be used but there won't be any https support either :-(. This patch is used to have a real world test bench for the forthcoming library.
Diffstat (limited to 'common')
-rw-r--r--common/Makefile.am5
-rw-r--r--common/http.c122
-rw-r--r--common/t-http.c19
3 files changed, 112 insertions, 34 deletions
diff --git a/common/Makefile.am b/common/Makefile.am
index 03bc5eb06..87d68208e 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -226,8 +226,9 @@ t_zb32_LDADD = $(t_common_ldadd)
# http tests
t_http_SOURCES = t-http.c
-t_http_CFLAGS = $(t_common_cflags) $(LIBGNUTLS_CFLAGS)
-t_http_LDADD = libcommontls.a $(t_common_ldadd) $(LIBGNUTLS_LIBS) $(DNSLIBS)
+t_http_CFLAGS = $(t_common_cflags) $(NTBTLS_CFLAGS) $(LIBGNUTLS_CFLAGS)
+t_http_LDADD = libcommontls.a $(t_common_ldadd) \
+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS)
# All programs should depend on the created libs.
$(PROGRAMS) : libcommon.a libcommonpth.a libcommontls.a libcommontlsnpth.a
diff --git a/common/http.c b/common/http.c
index 7e3bb5717..413efd840 100644
--- a/common/http.c
+++ b/common/http.c
@@ -39,7 +39,7 @@
- fixme: list other requirements.
- - With HTTP_USE_GNUTLS or HTTP_USE_POLARSSL support for https is
+ - With HTTP_USE_NTBTLS or HTTP_USE_GNUTLS support for https is
provided (this also requires estream).
- With HTTP_NO_WSASTARTUP the socket initialization is not done
@@ -82,17 +82,16 @@
# include <npth.h>
#endif
-#if defined (HTTP_USE_GNUTLS) && defined (HTTP_USE_POLARSSL)
-# error Both, HTTP_USE_GNUTLS and HTTP_USE_POLARSSL, are defined.
+#if defined (HTTP_USE_GNUTLS) && defined (HTTP_USE_NTBTLS)
+# error Both, HTTP_USE_GNUTLS and HTTP_USE_NTBTLS, are defined.
#endif
-#ifdef HTTP_USE_GNUTLS
+#ifdef HTTP_USE_NTBTLS
+# include <ntbtls.h>
+#elif HTTP_USE_GNUTLS
# include <gnutls/gnutls.h>
# include <gnutls/x509.h>
#endif /*HTTP_USE_GNUTLS*/
-#ifdef HTTP_USE_POLARSSL
-# error Support for PolarSSL has not yet been added
-#endif
#include "util.h"
@@ -156,8 +155,15 @@ typedef unsigned long longcounter_t;
# define counter_strtoul(a) strtoul ((a), NULL, 10)
#endif
-#ifndef HTTP_USE_GNUTLS
-typedef void * gnutls_session_t;
+#if HTTP_USE_NTBTLS
+typedef ntbtls_t tls_session_t;
+# define USE_TLS 1
+#elif HTTP_USE_GNUTLS
+typedef gnutls_session_t tls_session_t;
+# define USE_TLS 1
+#else
+typedef void *tls_session_t;
+# undef USE_TLS
#endif
static gpg_err_code_t do_parse_uri (parsed_uri_t uri, int only_local_part,
@@ -226,14 +232,16 @@ struct http_session_s
int refcount; /* Number of references to this object. */
#ifdef HTTP_USE_GNUTLS
gnutls_certificate_credentials_t certcred;
- gnutls_session_t tls_session;
+#endif /*HTTP_USE_GNUTLS*/
+#ifdef USE_TLS
+ tls_session_t tls_session;
struct {
int done; /* Verifciation has been done. */
- int rc; /* GnuTLS verification return code. */
+ int rc; /* TLS verification return code. */
unsigned int status; /* Verification status. */
} verify;
char *servername; /* Malloced server name. */
-#endif /*HTTP_USE_GNUTLS*/
+#endif /*USE_TLS*/
/* A callback function to log details of TLS certifciates. */
void (*cert_log_cb) (http_session_t, gpg_error_t, const char *,
const void **, size_t *);
@@ -522,7 +530,8 @@ session_unref (int lnr, http_session_t sess)
if (sess->refcount)
return;
-#ifdef HTTP_USE_GNUTLS
+#ifdef USE_TLS
+# ifdef HTTP_USE_GNUTLS
if (sess->tls_session)
{
my_socket_t sock = gnutls_transport_get_ptr (sess->tls_session);
@@ -531,8 +540,9 @@ session_unref (int lnr, http_session_t sess)
}
if (sess->certcred)
gnutls_certificate_free_credentials (sess->certcred);
+# endif /*HTTP_USE_GNUTLS*/
xfree (sess->servername);
-#endif /*HTTP_USE_GNUTLS*/
+#endif /*USE_TLS*/
xfree (sess);
}
@@ -560,7 +570,18 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
return gpg_error_from_syserror ();
sess->refcount = 1;
-#ifdef HTTP_USE_GNUTLS
+#if HTTP_USE_NTBTLS
+ {
+ (void)tls_priority;
+
+ err = ntbtls_new (&sess->tls_session, NTBTLS_CLIENT);
+ if (err)
+ {
+ log_error ("ntbtls_new failed: %s\n", gpg_strerror (err));
+ goto leave;
+ }
+ }
+#elif HTTP_USE_GNUTLS
{
const char *errpos;
int rc;
@@ -616,17 +637,18 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
goto leave;
}
}
-
#else /*!HTTP_USE_GNUTLS*/
- (void)tls_priority;
+ {
+ (void)tls_priority;
+ }
#endif /*!HTTP_USE_GNUTLS*/
/* log_debug ("http.c:session_new: sess %p created\n", sess); */
err = 0;
-#ifdef HTTP_USE_GNUTLS
+#if USE_TLS
leave:
-#endif /*HTTP_USE_GNUTLS*/
+#endif /*USE_TLS*/
if (err)
http_session_unref (sess);
else
@@ -1067,7 +1089,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
uri->port = 11371;
uri->is_http = 1;
}
-#ifdef HTTP_USE_GNUTLS
+#ifdef USE_TLS
else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps")
|| (force_tls && (!strcmp (uri->scheme, "http")
|| !strcmp (uri->scheme,"hkp"))))
@@ -1076,7 +1098,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part,
uri->is_http = 1;
uri->use_tls = 1;
}
-#endif
+#endif /*USE_TLS*/
else if (!no_scheme_check)
return GPG_ERR_INV_URI; /* Unsupported scheme */
@@ -1393,22 +1415,24 @@ send_request (http_t hd, const char *httphost, const char *auth,
log_error ("TLS requested but no session object provided\n");
return gpg_err_make (default_errsource, GPG_ERR_INTERNAL);
}
-#ifdef HTTP_USE_GNUTLS
+#ifdef USE_TLS
if (hd->uri->use_tls && !hd->session->tls_session)
{
log_error ("TLS requested but no GNUTLS context available\n");
return gpg_err_make (default_errsource, GPG_ERR_INTERNAL);
}
-#endif /*HTTP_USE_GNUTLS*/
+#endif /*USE_TLS*/
server = *hd->uri->host ? hd->uri->host : "localhost";
port = hd->uri->port ? hd->uri->port : 80;
/* Try to use SNI. */
-#ifdef HTTP_USE_GNUTLS
+#ifdef USE_TLS
if (hd->uri->use_tls)
{
+# if HTTP_USE_GNUTLS
int rc;
+# endif
xfree (hd->session->servername);
hd->session->servername = xtrystrdup (httphost? httphost : server);
@@ -1418,13 +1442,22 @@ send_request (http_t hd, const char *httphost, const char *auth,
return err;
}
+# if HTTP_USE_NTBTLS
+ err = ntbtls_set_hostname (hd->session->tls_session, server);
+ if (err)
+ {
+ log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err));
+ return err;
+ }
+# elif HTTP_USE_GNUTLS
rc = gnutls_server_name_set (hd->session->tls_session,
GNUTLS_NAME_DNS,
server, strlen (server));
if (rc < 0)
log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc));
+# endif /*HTTP_USE_GNUTLS*/
}
-#endif /*HTTP_USE_GNUTLS*/
+#endif /*USE_TLS*/
if ( (proxy && *proxy)
|| ( (hd->flags & HTTP_FLAG_TRY_PROXY)
@@ -1490,7 +1523,37 @@ send_request (http_t hd, const char *httphost, const char *auth,
-#ifdef HTTP_USE_GNUTLS
+#if HTTP_USE_NTBTLS
+ if (hd->uri->use_tls)
+ {
+ my_socket_ref (hd->sock);
+
+ while ((err = ntbtls_handshake (hd->session->tls_session)))
+ {
+ switch (err)
+ {
+ default:
+ log_info ("TLS handshake failed: %s <%s>\n",
+ gpg_strerror (err), gpg_strsource (err));
+ xfree (proxy_authstr);
+ return err;
+ }
+ }
+
+ hd->session->verify.done = 0;
+ if (tls_callback)
+ err = tls_callback (hd, hd->session, 0);
+ else
+ err = http_verify_server_credentials (hd->session);
+ if (err)
+ {
+ log_info ("TLS connection authentication failed: %s <%s>\n",
+ gpg_strerror (err), gpg_strsource (err));
+ xfree (proxy_authstr);
+ return err;
+ }
+ }
+#elif HTTP_USE_GNUTLS
if (hd->uri->use_tls)
{
int rc;
@@ -2423,7 +2486,7 @@ cookie_write (void *cookie, const void *buffer_arg, size_t size)
static void
send_gnutls_bye (void *opaque)
{
- gnutls_session_t tls_session = opaque;
+ tls_session_t tls_session = opaque;
int ret;
again:
@@ -2473,7 +2536,10 @@ cookie_close (void *cookie)
gpg_error_t
http_verify_server_credentials (http_session_t sess)
{
-#ifdef HTTP_USE_GNUTLS
+#if HTTP_USE_NTBTLS
+ (void)sess;
+ return 0; /* FIXME!! */
+#elif HTTP_USE_GNUTLS
static const char const errprefix[] = "TLS verification of peer failed";
int rc;
unsigned int status;
diff --git a/common/t-http.c b/common/t-http.c
index 9872f9a74..e031ef943 100644
--- a/common/t-http.c
+++ b/common/t-http.c
@@ -42,7 +42,9 @@
#include "http.h"
-#ifdef HTTP_USE_GNUTLS
+#if HTTP_USE_NTBTLS
+# include <ntbtls.h>
+#elif HTTP_USE_GNUTLS
# include <gnutls/gnutls.h> /* For init, logging, and deinit. */
#endif /*HTTP_USE_GNUTLS*/
@@ -97,6 +99,7 @@ static int no_verify;
+#if HTTP_USE_GNUTLS
static gpg_error_t
verify_callback (http_t hd, http_session_t session, int reserved)
{
@@ -104,14 +107,15 @@ verify_callback (http_t hd, http_session_t session, int reserved)
(void)reserved;
return no_verify? 0 : http_verify_server_credentials (session);
}
+#endif
-
+#if HTTP_USE_GNUTLS
static void
my_gnutls_log (int level, const char *text)
{
fprintf (stderr, "gnutls:L%d: %s", level, text);
}
-
+#endif
/* Prepend FNAME with the srcdir environment variable's value and
return an allocated filename. */
@@ -233,7 +237,14 @@ main (int argc, char **argv)
if (!cafile)
cafile = prepend_srcdir ("tls-ca.pem");
-#ifdef HTTP_USE_GNUTLS
+#if HTTP_USE_NTBTLS
+
+ (void)err;
+
+ ntbtls_set_debug (tls_dbg, NULL, NULL);
+
+#elif HTTP_USE_GNUTLS
+
rc = gnutls_global_init ();
if (rc)
log_error ("gnutls_global_init failed: %s\n", gnutls_strerror (rc));
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-12 05:20:44 +0000