From 64fffd0ce2a4fd9cba152cf07497b585410cc652 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Sun, 19 Feb 2017 10:36:43 +0100
Subject: dirmngr: First take on ntbtls cert verification.
* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New. (server_conrol_s): Add field 'magic',
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC. (dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New. (http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code. (send_request) [HTTP_USE_NTBTLS]: Set the verify callback. Do not call the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (my_http_tls_verify_cb): New. (main): Rename option --gnutls-debug to --tls-debug. (main) [HTTP_USE_NTBTLS]: Create a session.
Signed-off-by: Werner Koch
---
 dirmngr/t-http.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 58 insertions(+), 8 deletions(-)
(limited to 'dirmngr/t-http.c')
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 8b1d89ac0..464112198 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -42,7 +42,6 @@
 #include "logging.h"
 #include "http.h"
-
 #if HTTP_USE_NTBTLS
 # include
 #elif HTTP_USE_GNUTLS
@@ -118,6 +117,56 @@ my_gnutls_log (int level, const char *text)
 }
 #endif
+
+static gpg_error_t
+my_http_tls_verify_cb (void *opaque,
+ http_t http,
+ http_session_t session,
+ unsigned int http_flags,
+ void *tls_context)
+{
+ gpg_error_t err;
+ int idx;
+ ksba_cert_t cert;
+ ksba_cert_t hostcert = NULL;
+
+ (void)opaque;
+ (void)http;
+ (void)session;
+
+
+ /* Get the peer's certs fron ntbtls. */
+ for (idx = 0;
+ (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
+ {
+ if (!idx)
+ {
+ log_info ("Received host certificate\n");
+ hostcert = cert;
+ }
+ else
+ {
+
+ log_info ("Received additional certificate\n");
+ ksba_cert_release (cert);
+ }
+ }
+ if (!idx)
+ {
+ err = gpg_error (GPG_ERR_MISSING_CERT);
+ goto leave;
+ }
+
+ err = 0;
+
+ leave:
+ ksba_cert_release (hostcert);
+ log_info ("my_http_tls_verify_cb returns: %s\n", gpg_strerror (err));
+ return err;
+}
+
+
+
 /* Prepend FNAME with the srcdir environment variable's value and return an allocated filename. */
 static char *
@@ -142,8 +191,7 @@ main (int argc, char **argv)
 {
 int last_argc = -1;
 gpg_error_t err;
- int rc;
- parsed_uri_t uri;
+ int rc; parsed_uri_t uri;
 uri_tuple_t r;
 http_t hd;
 int c;
@@ -171,7 +219,7 @@ main (int argc, char **argv)
 "Options:\n"
 " --verbose print timings etc.\n"
 " --debug flyswatter\n"
- " --gnutls-debug N use GNUTLS debug level N\n"
+ " --tls-debug N use TLS debug level N\n"
 " --cacert FNAME expect CA certificate in file FNAME\n"
 " --no-verify do not verify the certificate\n"
 " --force-tls use HTTP_FLAG_FORCE_TLS\n"
@@ -191,7 +239,7 @@ main (int argc, char **argv)
 debug++;
 argc--; argv++;
 }
- else if (!strcmp (*argv, "--gnutls-debug"))
+ else if (!strcmp (*argv, "--tls-debug"))
 {
 argc--; argv++;
 if (argc)
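Review bot: `my_http_tls_verify_cb` returns 0 whenever ntbtls hands back at least one peer certificate, so nothing in it checks the chain, the hostname or the validity period — the only failure it can report is an empty chain (GPG_ERR_MISSING_CERT). That is defensible for a first take in a test driver, but the function carries no comment saying so, and a reader who sees it installed as the session's verify callback (the commit message says http.c's send_request now calls it) would assume it verifies; add `/* Test-only verify callback: accepts any non-empty peer chain, no validation is done yet.  */` above it, or fail the default path with `err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);` and honour --no-verify (the option is in the usage text; its flag variable is outside this hunk). Two smaller items: `http_flags` is the only parameter not cast to void, so `-Wunused-parameter` will warn — add `(void)http_flags;` — and the loop comment misspells 'from' as 'fron'.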
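Review bot: The replacement line `int rc; parsed_uri_t uri;` packs two declarations onto one line while every neighbouring declaration in the list gets its own, which reads like an editor slip rather than an intended change. Keeping the original two lines `int rc;` and `parsed_uri_t uri;` (i.e. dropping this hunk) avoids the inconsistency and keeps the one-declaration-per-line style of the rest of main. main() continues outside the hunk.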
@@ -248,9 +296,11 @@ main (int argc, char **argv)
 assuan_sock_init ();
 #if HTTP_USE_NTBTLS
-
- (void)err;
-
+ log_info ("new session.\n");
+ err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
+ my_http_tls_verify_cb, NULL);
+ if (err)
+ log_error ("http_session_new failed: %s\n", gpg_strerror (err));
 ntbtls_set_debug (tls_dbg, NULL, NULL);
 #elif HTTP_USE_GNUTLS
-- cgit v1.2.3
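Review bot: A failed `http_session_new` is only logged; execution continues with `err` set and no session created, and the later use of `session` (outside this hunk, presumably when the request is opened) will then run on an unset handle. Since the test cannot do anything useful without a session, bail out instead: `if (err) { log_error ("http_session_new failed: %s\n", gpg_strerror (err)); return 1; }` (or whatever exit path the rest of main uses). It is also worth a one-line comment at the call that `HTTP_FLAG_TRUST_DEF` does not add any verification here, because `my_http_tls_verify_cb` as added in this commit accepts any non-empty peer chain — otherwise the flag name suggests a trust check that does not happen. main() continues outside the hunk.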