Commit 8412a582 authored by Werner Koch's avatar Werner Koch

http: Revamp TLS API.

* configure.ac (NEED_GNUTLS_VERSION): New.
(HTTP_USE_GNUTLS, LIBGNUTLS_CFLAGS, LIBGNUTLS_LIBS): New ac_subst.

* common/http.h (http_session_t): New.
* common/http.c: Remove compatibility for gnutls < 3.0.
(http_session_s): New.
(cookie_s): Replace gnutls_session_t by http_session_t.
(tls_callback, tls_ca_certlist): New variables.
(my_socket_unref): Add preclose args.
(my_npth_read, my_npth_write): New.
(make_header_line): Fix bug using int* instead of char*.
(http_register_tls_callback): New.
(http_register_tls_ca): New.
(http_session_new): New.
(http_session_release): New.
(http_get_header_names): New.
(escape_data): Add hack to escape in forms mode.
(send_request) [HTTP_USE_GNUTLS]: Support SNI.
(send_request) [HTTP_USE_GNUTLS]: Fix use of make_header_line.
(send_gnutls_bye): New.
(cookie_close): Make use of preclose feature.
(http_verify_server_credentials): New.
(main) [TEST]: Remove test code.
* common/t-http.c: New.
* common/tls-ca.pem: New.
* common/Makefile.am (tls_sources): New. Move http code to here.
(libcommontls_a_SOURCES): New.
(libcommontlsnpth_a_SOURCES): New.
(EXTRA_DIST): Add tls-ca.pem
(module_maint_tests): Add t-http.
(t_http_SOURCES, t_http_CFLAGS, t_http_LDADD): New.

* dirmngr/Makefile.am (dirmngr_LDADD): Add libcommontlsnpth.
--

This new TLS API for http.c is much more flexible than the crude old
hack.
parent 84289e85
......@@ -75,3 +75,5 @@ resource_objs =
# Convenience macros
libcommon = ../common/libcommon.a
libcommonpth = ../common/libcommonpth.a
libcommontls = ../common/libcommontls.a
libcommontlsnpth = ../common/libcommontlsnpth.a
......@@ -20,9 +20,10 @@
EXTRA_DIST = mkstrtable.awk exaudit.awk exstatus.awk ChangeLog-2011 \
audit-events.h status-codes.h README.jnlib ChangeLog.jnlib \
ChangeLog-2011.include w32info-rc.h.in gnupg.ico
ChangeLog-2011.include w32info-rc.h.in gnupg.ico tls-ca.pem
noinst_LIBRARIES = libcommon.a libcommonpth.a libgpgrl.a
noinst_LIBRARIES = libcommon.a libcommonpth.a libgpgrl.a \
libcommontls.a libcommontlsnpth.a
if !HAVE_W32CE_SYSTEM
noinst_LIBRARIES += libsimple-pwquery.a
endif
......@@ -88,7 +89,6 @@ common_sources = \
srv.h \
dns-cert.c dns-cert.h \
pka.c pka.h \
http.c http.h \
localename.c \
session-env.c session-env.h \
userids.c userids.h \
......@@ -97,6 +97,12 @@ common_sources = \
agent-opt.c \
helpfile.c
# Sources possible requiring a TLS library are put into a separate
# conveince library.
tls_sources = \
http.c http.h
# To make the code easier to read we have split home some code into
# separate source files.
if HAVE_W32_SYSTEM
......@@ -126,6 +132,12 @@ libcommonpth_a_SOURCES += srv.c
endif
libcommonpth_a_CFLAGS = $(AM_CFLAGS) $(LIBASSUAN_CFLAGS) $(NPTH_CFLAGS)
libcommontls_a_SOURCES = $(tls_sources)
libcommontls_a_CFLAGS = $(AM_CFLAGS) $(LIBGNUTLS_CFLAGS) -DWITHOUT_NPTH=1
libcommontlsnpth_a_SOURCES = $(tls_sources)
libcommontlsnpth_a_CFLAGS = $(AM_CFLAGS) $(LIBGNUTLS_CFLAGS) $(NPTH_CFLAGS)
if !HAVE_W32CE_SYSTEM
libsimple_pwquery_a_SOURCES = \
simple-pwquery.c simple-pwquery.h asshelp.c asshelp.h
......@@ -170,11 +182,12 @@ module_tests = t-convert t-percent t-gettime t-sysutils t-sexputil \
if !HAVE_W32CE_SYSTEM
module_tests += t-exechelp
endif
module_maint_tests = t-helpfile t-b64
module_maint_tests = t-helpfile t-b64 t-http
t_common_ldadd = libcommon.a ../gl/libgnu.a \
$(LIBGCRYPT_LIBS) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) $(LIBICONV)
$(LIBGCRYPT_LIBS) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \
$(LIBINTL) $(LIBICONV)
# jnlib tests
t_stringhelp_SOURCES = t-stringhelp.c $(t_jnlib_src)
......@@ -203,3 +216,8 @@ t_ssh_utils_LDADD = $(t_common_ldadd)
t_dns_cert_LDADD = $(t_common_ldadd) $(DNSLIBS)
t_mapstrings_LDADD = $(t_common_ldadd)
t_zb32_LDADD = $(t_common_ldadd)
# http tests
t_http_SOURCES = t-http.c
t_http_CFLAGS = $(t_common_cflags) $(LIBGNUTLS_CFLAGS)
t_http_LDADD = $(libcommontls) $(t_common_ldadd) $(LIBGNUTLS_LIBS) $(DNSLIBS)
This diff is collapsed.
......@@ -82,10 +82,20 @@ enum
HTTP_FLAG_IGNORE_IPv6 = 128 /* Do not use IPv6. */
};
struct http_session_s;
typedef struct http_session_s *http_session_t;
struct http_context_s;
typedef struct http_context_s *http_t;
void http_register_tls_callback (gpg_error_t (*cb) (http_t, void *, int));
void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
void http_register_tls_ca (const char *fname);
gpg_error_t http_session_new (http_session_t *r_session,
const char *tls_priority);
void http_session_release (http_session_t sess);
gpg_error_t http_parse_uri (parsed_uri_t *ret_uri, const char *uri,
int no_scheme_check);
......@@ -101,7 +111,7 @@ gpg_error_t http_open (http_t *r_hd, http_req_t reqtype,
const char *auth,
unsigned int flags,
const char *proxy,
void *tls_context,
http_session_t session,
const char *srvtag,
strlist_t headers);
......@@ -116,7 +126,7 @@ gpg_error_t http_open_document (http_t *r_hd,
const char *auth,
unsigned int flags,
const char *proxy,
void *tls_context,
http_session_t session,
const char *srvtag,
strlist_t headers);
......@@ -124,6 +134,8 @@ estream_t http_get_read_ptr (http_t hd);
estream_t http_get_write_ptr (http_t hd);
unsigned int http_get_status_code (http_t hd);
const char *http_get_header (http_t hd, const char *name);
const char **http_get_header_names (http_t hd);
gpg_error_t http_verify_server_credentials (http_session_t sess);
char *http_escape_string (const char *string, const char *specials);
char *http_escape_data (const void *data, size_t datalen, const char *specials);
......
/* t-http.c
* Copyright (C) 1999, 2001, 2002, 2003, 2004, 2006, 2009, 2010,
* 2011 Free Software Foundation, Inc.
* Copyright (C) 2014 Werner Koch
*
* This file is part of GnuPG.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of either
*
* - the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 3 of the License, or (at
* your option) any later version.
*
* or
*
* - the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* or both in parallel, as here.
*
* This file is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include "util.h"
#include "logging.h"
#include "http.h"
#ifdef HTTP_USE_GNUTLS
# include <gnutls/gnutls.h> /* For init, logging, and deinit. */
#endif /*HTTP_USE_GNUTLS*/
/* static void */
/* read_dh_params (const char *fname) */
/* { */
/* gpg_error_t err; */
/* int rc; */
/* FILE *fp; */
/* struct stat st; */
/* char *buf; */
/* size_t buflen; */
/* gnutls_datum_t datum; */
/* fp = fopen (fname, "rb"); */
/* if (!fp) */
/* { */
/* err = gpg_error_from_syserror (); */
/* log_fatal ("can't open '%s': %s\n", fname, gpg_strerror (err)); */
/* } */
/* if (fstat (fileno(fp), &st)) */
/* { */
/* err = gpg_error_from_syserror (); */
/* log_fatal ("can't stat '%s': %s\n", fname, gpg_strerror (err)); */
/* } */
/* buflen = st.st_size; */
/* buf = xmalloc (buflen+1); */
/* if (fread (buf, buflen, 1, fp) != 1) */
/* { */
/* err = gpg_error_from_syserror (); */
/* log_fatal ("error reading '%s': %s\n", fname, gpg_strerror (err)); */
/* } */
/* fclose (fp); */
/* datum.size = buflen; */
/* datum.data = buf; */
/* rc = gnutls_dh_params_import_pkcs3 (dh_params, &datum, GNUTLS_X509_FMT_PEM); */
/* if (rc < 0) */
/* log_fatal ("gnutls_dh_param_import failed: %s\n", gnutls_strerror (rc)); */
/* xfree (buf); */
/* } */
static gpg_error_t
verify_callback (http_t hd, http_session_t session, int reserved)
{
(void)hd;
(void)reserved;
return http_verify_server_credentials (session);
}
static void
my_gnutls_log (int level, const char *text)
{
fprintf (stderr, "gnutls:L%d: %s", level, text);
}
/* Prepend FNAME with the srcdir environment variable's value and
return an allocated filename. */
static char *
prepend_srcdir (const char *fname)
{
static const char *srcdir;
char *result;
if (!srcdir && !(srcdir = getenv ("srcdir")))
srcdir = ".";
result = xmalloc (strlen (srcdir) + 1 + strlen (fname) + 1);
strcpy (result, srcdir);
strcat (result, "/");
strcat (result, fname);
return result;
}
int
main (int argc, char **argv)
{
gpg_error_t err;
int rc;
parsed_uri_t uri;
uri_tuple_t r;
http_t hd;
int c;
http_session_t session = NULL;
es_init ();
log_set_prefix ("t-http", 1 | 4);
if (argc != 2)
{
fprintf (stderr, "usage: t-http uri\n");
return 1;
}
argc--;
argv++;
#ifdef HTTP_USE_GNUTLS
rc = gnutls_global_init ();
if (rc)
log_error ("gnutls_global_init failed: %s\n", gnutls_strerror (rc));
http_register_tls_callback (verify_callback);
http_register_tls_ca (prepend_srcdir ("tls-ca.pem"));
err = http_session_new (&session, NULL);
if (err)
log_error ("http_session_new failed: %s\n", gpg_strerror (err));
/* rc = gnutls_dh_params_init(&dh_params); */
/* if (rc) */
/* log_error ("gnutls_dh_params_init failed: %s\n", gnutls_strerror (rc)); */
/* read_dh_params ("dh_param.pem"); */
/* rc = gnutls_certificate_set_x509_trust_file */
/* (certcred, "ca.pem", GNUTLS_X509_FMT_PEM); */
/* if (rc) */
/* log_error ("gnutls_certificate_set_x509_trust_file failed: %s\n", */
/* gnutls_strerror (rc)); */
/* gnutls_certificate_set_dh_params (certcred, dh_params); */
gnutls_global_set_log_function (my_gnutls_log);
/* gnutls_global_set_log_level (2); */
#endif /*HTTP_USE_GNUTLS*/
rc = http_parse_uri (&uri, *argv, 1);
if (rc)
{
log_error ("'%s': %s\n", *argv, gpg_strerror (rc));
return 1;
}
printf ("Scheme: %s\n", uri->scheme);
if (uri->opaque)
printf ("Value : %s\n", uri->path);
else
{
printf ("Auth : %s\n", uri->auth? uri->auth:"[none]");
printf ("Host : %s\n", uri->host);
printf ("Port : %u\n", uri->port);
printf ("Path : %s\n", uri->path);
for (r = uri->params; r; r = r->next)
{
printf ("Params: %s", r->name);
if (!r->no_value)
{
printf ("=%s", r->value);
if (strlen (r->value) != r->valuelen)
printf (" [real length=%d]", (int) r->valuelen);
}
putchar ('\n');
}
for (r = uri->query; r; r = r->next)
{
printf ("Query : %s", r->name);
if (!r->no_value)
{
printf ("=%s", r->value);
if (strlen (r->value) != r->valuelen)
printf (" [real length=%d]", (int) r->valuelen);
}
putchar ('\n');
}
}
http_release_parsed_uri (uri);
uri = NULL;
rc = http_open_document (&hd, *argv, NULL, 0, NULL, session, NULL, NULL);
if (rc)
{
log_error ("can't get '%s': %s\n", *argv, gpg_strerror (rc));
return 1;
}
log_info ("open_http_document succeeded; status=%u\n",
http_get_status_code (hd));
{
const char **names;
int i;
names = http_get_header_names (hd);
if (!names)
log_fatal ("http_get_header_names failed: %s\n",
gpg_strerror (gpg_error_from_syserror ()));
for (i = 0; names[i]; i++)
printf ("HDR: %s: %s\n", names[i], http_get_header (hd, names[i]));
xfree (names);
}
switch (http_get_status_code (hd))
{
case 200:
case 400:
case 401:
case 403:
case 404:
while ((c = es_getc (http_get_read_ptr (hd))) != EOF)
putchar (c);
break;
case 301:
case 302:
printf ("Redirected to '%s'\n", http_get_header (hd, "Location"));
break;
}
http_close (hd, 0);
http_session_release (session);
#ifdef HTTP_USE_GNUTLS
gnutls_global_deinit ();
#endif /*HTTP_USE_GNUTLS*/
return 0;
}
Issuer ...: /CN=UTN-USERFirst-Hardware/OU=http:\x2f\x2fwww.usertrust.com/O=The USERTRUST Network/L=Salt Lake City/ST=UT/C=US
Serial ...: 44BE0C8B500024B411D3362AFE650AFD
Subject ..: /CN=UTN-USERFirst-Hardware/OU=http:\x2f\x2fwww.usertrust.com/O=The USERTRUST Network/L=Salt Lake City/ST=UT/C=US
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIQRL4Mi1AAJLQR0zYq/mUK/TANBgkqhkiG9w0BAQUFADCB
lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
SGFyZHdhcmUwHhcNOTkwNzA5MTgxMDQyWhcNMTkwNzA5MTgxOTIyWjCBlzELMAkG
A1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEe
MBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8v
d3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3QtSGFyZHdh
cmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx98M4P7Sof885glFn
0G2f0v9Y8+efK+wNiVSZuTiZFvfgIXlIwrthdBKWHTxqctU8EGc6Oe0rE81m65UJ
M6Rsl7HoxuzBdXmcRl6Nq9Bq/bkqVRcQVLMZ8Jr28bFdtqdt++BxF2uiiPsA3/4a
MXcMmgF6sTLjKwEHOG7DpV4jvEWbe1DByTCP2+UretNb+zNAHqDVmBe8i4fDidNd
oI6yqqr2jmmIBsX6iSHzCJ1pLgkzmykNRg+MzEk0sGlRvfkGzWitZky8PqxhvQqI
DsjfPe58BEydCl5rkdbux+0ojatNh4lz0G6k0B4WixThdkQDf2Os5M1JnMWS9Ksy
oUhbAgMBAAGjgbkwgbYwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFKFyXyYbKJhDlV0HN9WFlp1L0sNFMEQGA1UdHwQ9MDswOaA3oDWGM2h0
dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VVE4tVVNFUkZpcnN0LUhhcmR3YXJlLmNy
bDAxBgNVHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMGBggrBgEF
BQcDBzANBgkqhkiG9w0BAQUFAAOCAQEARxkP3nTGmZev/K0oXnWO6y1n7k57K9cM
//bey1WiCuFMVGWTYGufEpytXoMs61quwOQt9ABjHbjAbPLPSbtNk28Gpgoiskli
CE7/yMgUsogWXecB5BKV5UU0s4tpvc+0hY91UZ59Ojg6FEgSxvunOxqNDYJAB+gE
CJChicsZUN/KHAG8HQQZexB2lzvukJDKxA4fFm517zP4029bHpbj4HR3dHuKom4t
3XbWOTCC8KucUvIqx69JXn7HaOWCgchqJ/kniCrVWFCVH/A7HFe7fRQ5YiuayZSS
KqMiDP+JJn1fIytH1xUdqWqeUQ0qUZ6B+dQ7XnASfxAynB67nfhmqA==
-----END CERTIFICATE-----
......@@ -58,6 +58,8 @@ NEED_KSBA_VERSION=1.2.0
NEED_NPTH_API=1
NEED_NPTH_VERSION=0.91
NEED_GNUTLS_VERSION=3.0
development_version=mym4_isgit
PACKAGE=$PACKAGE_NAME
......@@ -912,6 +914,26 @@ else
***]])
fi
#
# Check whether GNUTLS is available
#
PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $NEED_GNUTLS_VERSION],
[have_gnutls=yes],
[have_gnutls=no])
if test "$have_gnutls" = "yes"; then
AC_SUBST([LIBGNUTLS_CFLAGS])
AC_SUBST([LIBGNUTLS_LIBS])
AC_DEFINE(HTTP_USE_GNUTLS, 1, [Enable GNUTLS support in http.c])
else
tmp=$(echo "$LIBGNUTLS_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g')
AC_MSG_WARN([[
***
*** Building without GNUTLS - no TLS access to keyservers.
***
*** $tmp]])
fi
AC_MSG_NOTICE([checking for networking options])
......@@ -1867,6 +1889,8 @@ echo "
Use standard socket: $use_standard_socket
Dirmngr auto start: $dirmngr_auto_start
Readline support: $gnupg_cv_have_readline
DNS SRV support: $use_dns_srv
TLS support: $have_gnutls
"
if test x"$use_regex" != xyes ; then
echo "
......
......@@ -60,8 +60,10 @@ dirmngr_SOURCES += ldap-wrapper-ce.c dirmngr_ldap.c
endif
dirmngr_LDADD = $(libcommonpth) ../gl/libgnu.a $(DNSLIBS) $(LIBASSUAN_LIBS) \
$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) $(LIBINTL) $(LIBICONV)
dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \
../gl/libgnu.a $(DNSLIBS) $(LIBASSUAN_LIBS) \
$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
$(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
if !USE_LDAPWRAPPER
dirmngr_LDADD += $(LDAPLIBS)
endif
......@@ -79,8 +81,7 @@ endif
dirmngr_client_SOURCES = dirmngr-client.c
dirmngr_client_LDADD = $(libcommon) no-libgcrypt.o \
../gl/libgnu.a $(LIBASSUAN_LIBS) \
$(GPG_ERROR_LIBS) $(LIBINTL) \
$(LIBICONV)
$(GPG_ERROR_LIBS) $(NETLIBS) $(LIBINTL) $(LIBICONV)
dirmngr_client_LDFLAGS = $(extra_bin_ldflags)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment