author | Werner Koch <[email protected]> | 2017-02-19 09:36:43 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2017-02-19 09:36:43 +0000 |
commit | 64fffd0ce2a4fd9cba152cf07497b585410cc652 (patch) | |
tree | c0fc74bc3ef44fc1db161e71c55486400a9ab1fa /dirmngr/t-http.c | |
parent | dirmngr: Add per-session verify callback to http.c (diff) | |
download | gnupg-64fffd0ce2a4fd9cba152cf07497b585410cc652.tar.gz gnupg-64fffd0ce2a4fd9cba152cf07497b585410cc652.zip |
dirmngr: First take on ntbtls cert verification.
* dirmngr/http-ntbtls.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add file.
* dirmngr/dirmngr.h (SERVER_CONTROL_MAGIC): New.
(server_control_s): Add field 'magic'.
* dirmngr/dirmngr.c (dirmngr_init_default_ctrl): Set MAGIC.
(dirmngr_deinit_default_ctrl): Set MAGIC to deadbeef.
* dirmngr/http.c (my_ntbtls_verify_cb): New.
(http_session_new) [HTTP_USE_NTBTLS]: Remove all CA setting code.
(send_request) [HTTP_USE_NTBTLS]: Set the verify callback. Do not call
the verify callback after the handshake.
* dirmngr/ks-engine-hkp.c (send_request): Pass
gnupg_http_tls_verify_cb to http_session_new.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http.c (my_http_tls_verify_cb): New.
(main): Rename option --gnutls-debug to --tls-debug.
(main) [HTTP_USE_NTBTLS]: Create a session.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'dirmngr/t-http.c')
-rw-r--r-- | dirmngr/t-http.c | 66 |
1 files changed, 58 insertions, 8 deletions
diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 8b1d89ac0..464112198 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -42,7 +42,6 @@
 #include "logging.h"
 #include "http.h"
-
 #if HTTP_USE_NTBTLS
 # include <ntbtls.h>
 #elif HTTP_USE_GNUTLS
@@ -118,6 +117,56 @@ my_gnutls_log (int level, const char *text)
 }
 #endif
+
+static gpg_error_t
+my_http_tls_verify_cb (void *opaque,
+ http_t http,
+ http_session_t session,
+ unsigned int http_flags,
+ void *tls_context)
+{
+ gpg_error_t err;
+ int idx;
+ ksba_cert_t cert;
+ ksba_cert_t hostcert = NULL;
+
+ (void)opaque;
+ (void)http;
+ (void)session;
+
+
+ /* Get the peer's certs fron ntbtls. */
+ for (idx = 0;
+ (cert = ntbtls_x509_get_peer_cert (tls_context, idx)); idx++)
+ {
+ if (!idx)
+ {
+ log_info ("Received host certificate\n");
+ hostcert = cert;
+ }
+ else
+ {
+
+ log_info ("Received additional certificate\n");
+ ksba_cert_release (cert);
+ }
+ }
+ if (!idx)
+ {
+ err = gpg_error (GPG_ERR_MISSING_CERT);
+ goto leave;
+ }
+
+ err = 0;
+
+ leave:
+ ksba_cert_release (hostcert);
+ log_info ("my_http_tls_verify_cb returns: %s\n", gpg_strerror (err));
+ return err;
+}
+
+
+
 /* Prepend FNAME with the srcdir environment variable's value and return an allocated filename. */
 static char *
@@ -142,8 +191,7 @@ main (int argc, char **argv)
 {
 int last_argc = -1;
 gpg_error_t err;
- int rc;
- parsed_uri_t uri;
+ int rc; parsed_uri_t uri;
 uri_tuple_t r;
 http_t hd;
 int c;
@@ -171,7 +219,7 @@ main (int argc, char **argv)
 "Options:\n"
 " --verbose print timings etc.\n"
 " --debug flyswatter\n"
- " --gnutls-debug N use GNUTLS debug level N\n"
+ " --tls-debug N use TLS debug level N\n"
 " --cacert FNAME expect CA certificate in file FNAME\n"
 " --no-verify do not verify the certificate\n"
 " --force-tls use HTTP_FLAG_FORCE_TLS\n"
@@ -191,7 +239,7 @@ main (int argc, char **argv)
 debug++;
 argc--; argv++;
 }
- else if (!strcmp (*argv, "--gnutls-debug"))
+ else if (!strcmp (*argv, "--tls-debug"))
 {
 argc--; argv++;
 if (argc)
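Review bot: my_http_tls_verify_cb returns 0 for any chain that holds at least one certificate, so under HTTP_USE_NTBTLS this harness accepts every server certificate and the `--cacert` and `--no-verify` options have no effect on the outcome; that is acceptable for a first take in a test program, but it should be stated at the definition, e.g. `/* Test-only verify callback: logs the peer chain and accepts it without any validation.  */`. The parameter `http_flags` is the only one without a `(void)` cast, so `-Wunused-parameter` will warn; add `(void)http_flags;` beside the other casts. The comment `/* Get the peer's certs fron ntbtls. */` has a typo ("from").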
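Review bot: In the main hunk at -142,8 the new line `int rc;  parsed_uri_t uri;` joins two declarations onto one line while every neighbouring declaration keeps one per line; restoring the two separate lines `int rc;` and `parsed_uri_t uri;` matches the file's style. The commit message does not mention this hunk, so the join looks like an accidental edit rather than an intended change. The body of main continues outside the hunk.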
@@ -248,9 +296,11 @@ main (int argc, char **argv)
 assuan_sock_init ();
 #if HTTP_USE_NTBTLS
-
- (void)err;
-
+ log_info ("new session.\n");
+ err = http_session_new (&session, NULL, HTTP_FLAG_TRUST_DEF,
+ my_http_tls_verify_cb, NULL);
+ if (err)
+ log_error ("http_session_new failed: %s\n", gpg_strerror (err));
 ntbtls_set_debug (tls_dbg, NULL, NULL);
 #elif HTTP_USE_GNUTLS |