authorChristian Grothoff <christian@grothoff.org>2020-07-16 17:40:14 +0200
committerChristian Grothoff <christian@grothoff.org>2020-07-16 17:40:37 +0200
commitee1fbffa1c42f7ac3fc897e73e90c525037dd915 (patch)
treeb8b5f553413fb99a92a59786862ba25049f62725
parent23820348b1221c78dc2d4eca9a234c375bbc68cb (diff)
downloadgnunet-ee1fbffa1c42f7ac3fc897e73e90c525037dd915.tar.gz
gnunet-ee1fbffa1c42f7ac3fc897e73e90c525037dd915.zip
support context-wide client authentication
m---------contrib/build-common0
-rw-r--r--src/curl/curl.c114
-rw-r--r--src/gnsrecord/gnsrecord.c8
-rw-r--r--src/include/gnunet_curl_lib.h36
-rw-r--r--src/util/crypto_kdf.c4
5 files changed, 156 insertions, 6 deletions
diff --git a/contrib/build-common b/contrib/build-common
Subproject 1915a74bbb4cd2ae9bc541a382dfebc37064a2f Subproject d81bbfabc2538932f631d3946bd6a9b95182b4f
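--- a/src/curl/curl.c
+++ b/src/curl/curl.c
@@ -170,10 +170,93 @@ struct GNUNET_CURL_Context
 * Closure for @e cb.
 */
 void *cb_cls;
+
+/**
+* USERNAME:PASSWORD to use for client-authentication
+* with all requests of this context, or NULL.
+*/
+char *userpass;
+
+/**
+* Type of the TLS client certificate used, or NULL.
+*/
+char *certtype;
+
+/**
+* File with the TLS client certificate, or NULL.
+*/
+char *certfile;
+
+/**
+* File with the private key to authenticate the
+* TLS client, or NULL.
+*/
+char *keyfile;
+
+/**
+* Passphrase to decrypt @e keyfile, or NULL.
+*/
+char *keypass;
+
 };
 
 
 /**
+* Force use of the provided username and password
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* @param ctx context to set authentication data for
+* @param userpass string with "$USERNAME:$PASSWORD"
+*/
+void
+GNUNET_CURL_set_userpass (struct GNUNET_CURL_Context *ctx,
+const char *userpass)
+{
+GNUNET_free (ctx->userpass);
+if (NULL != userpass)
+ctx->userpass = GNUNET_strdup (userpass);
+}
+
+
+/**
+* Force use of the provided TLS client certificate
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* Note that if the provided information is incorrect,
+* the earliest operation that could fail is
+* #GNUNET_CURL_job_add() or #GNUNET_CURL_job_add2()!
+*
+* @param ctx context to set authentication data for
+* @param certtype type of the certificate
+* @param certfile file with the certificate
+* @param keyfile file with the private key
+* @param keypass passphrase to decrypt @a keyfile (or NULL)
+*/
+void
+GNUNET_CURL_set_tlscert (struct GNUNET_CURL_Context *ctx,
+const char *certtype,
+const char *certfile,
+const char *keyfile,
+const char *keypass)
+{
+GNUNET_free (ctx->certtype);
+GNUNET_free (ctx->certfile);
+GNUNET_free (ctx->keyfile);
+GNUNET_free (ctx->keypass);
+if (NULL != certtype)
+ctx->certtype = GNUNET_strdup (certtype);
+if (NULL != certfile)
+ctx->certfile = GNUNET_strdup (certfile);
+if (NULL != keyfile)
+ctx->certtype = GNUNET_strdup (keyfile);
+if (NULL != keypass)
+ctx->certtype = GNUNET_strdup (keypass);
+}
+
+
+/**
 * Initialise this library. This function should be called before using any of
 * the following functions.
 *
@@ -457,6 +540,32 @@ GNUNET_CURL_job_add2 (struct GNUNET_CURL_Context *ctx,
 struct curl_slist *all_headers;
 
 GNUNET_assert (NULL != jcc);
+if ( (NULL != ctx->userpass) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_USERPWD,
+ctx->userpass)) )
+return NULL;
+if ( (NULL != ctx->certfile) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_SSLCERT,
+ctx->certfile)) )
+return NULL;
+if ( (NULL != ctx->certtype) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_SSLCERTTYPE,
+ctx->certtype)) )
+return NULL;
+if ( (NULL != ctx->keyfile) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_SSLKEY,
+ctx->keyfile)) )
+return NULL;
+if ( (NULL != ctx->keypass) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_KEYPASSWD,
+ctx->keypass)) )
+return NULL;
+
 all_headers = setup_job_headers (ctx,
 job_headers);
 if (NULL == (job = setup_job (eh,
@@ -899,6 +1008,11 @@ GNUNET_CURL_fini (struct GNUNET_CURL_Context *ctx)
 curl_share_cleanup (ctx->share);
 curl_multi_cleanup (ctx->multi);
 curl_slist_free_all (ctx->common_headers);
+GNUNET_free (ctx->userpass);
+GNUNET_free (ctx->certtype);
+GNUNET_free (ctx->certfile);
+GNUNET_free (ctx->keyfile);
+GNUNET_free (ctx->keypass);
 GNUNET_free (ctx);
 }
 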
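Review bot: In GNUNET_CURL_set_tlscert the last two assignments store into the wrong field: `ctx->certtype = GNUNET_strdup (keyfile);` and `ctx->certtype = GNUNET_strdup (keypass);` should be `ctx->keyfile = GNUNET_strdup (keyfile);` and `ctx->keypass = GNUNET_strdup (keypass);`. As written, keyfile and keypass are never populated, so the CURLOPT_SSLKEY and CURLOPT_KEYPASSWD branches added to GNUNET_CURL_job_add2 are never taken, the certificate type is silently replaced by the key path (and then by the passphrase), and each earlier certtype duplicate leaks. Both setters also free the stored value and only reassign it when the new argument is non-NULL; unless GNUNET_free nulls its argument, calling them with NULL leaves a dangling pointer that GNUNET_CURL_fini frees a second time, so set the field to NULL explicitly after each free. Since userpass and keypass carry credentials, wiping them before GNUNET_free in the setters and in GNUNET_CURL_fini would keep the secrets from lingering in freed heap memory.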
diff --git a/src/gnsrecord/gnsrecord.c b/src/gnsrecord/gnsrecord.c
index a59997934..3cbf5fc8d 100644
--- a/src/gnsrecord/gnsrecord.c
+++ b/src/gnsrecord/gnsrecord.c
@@ -102,8 +102,8 @@ init ()
102 if (1 == once) 102 if (1 == once)
103 return; 103 return;
104 once = 1; 104 once = 1;
105 struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get (); 105 const struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get ();
106 struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default (); 106 const struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default ();
107 107
108 if (pd != dpd) 108 if (pd != dpd)
109 GNUNET_OS_init(dpd); 109 GNUNET_OS_init(dpd);
@@ -121,8 +121,8 @@ void __attribute__ ((destructor))
121GNSRECORD_fini () 121GNSRECORD_fini ()
122{ 122{
123 struct Plugin *plugin; 123 struct Plugin *plugin;
124 struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get (); 124 const struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get ();
125 struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default (); 125 const struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default ();
126 126
127 if (pd != dpd) 127 if (pd != dpd)
128 GNUNET_OS_init(dpd); 128 GNUNET_OS_init(dpd);
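--- a/src/include/gnunet_curl_lib.h
+++ b/src/include/gnunet_curl_lib.h
@@ -245,6 +245,42 @@ GNUNET_CURL_job_add (struct GNUNET_CURL_Context *ctx,
 
 
 /**
+* Force use of the provided username and password
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* @param ctx context to set authentication data for
+* @param userpass string with "$USERNAME:$PASSWORD"
+*/
+void
+GNUNET_CURL_set_userpass (struct GNUNET_CURL_Context *ctx,
+const char *userpass);
+
+
+/**
+* Force use of the provided TLS client certificate
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* Note that if the provided information is incorrect,
+* the earliest operation that could fail is
+* #GNUNET_CURL_job_add() or #GNUNET_CURL_job_add2()!
+*
+* @param ctx context to set authentication data for
+* @param certtype type of the certificate
+* @param certfile file with the certificate
+* @param keyfile file with the private key
+* @param keypass passphrase to decrypt @a keyfile (or NULL)
+*/
+void
+GNUNET_CURL_set_tlscert (struct GNUNET_CURL_Context *ctx,
+const char *certtype,
+const char *certfile,
+const char *keyfile,
+const char *keypass);
+
+
+/**
 * Schedule a CURL request to be executed and call the given @a jcc
 * upon its completion. Note that the context will make use of the
 * CURLOPT_PRIVATE facility of the CURL @a eh.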
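Review bot: The new declarations do not document ownership or clearing semantics: the implementation in src/curl/curl.c duplicates each string and, when an argument is NULL, frees the previously stored value without storing a replacement, so callers keep ownership of their buffers and can clear a setting by passing NULL. I would add to both descriptions a line such as ` * The strings are copied; passing NULL clears the previously stored value.`. For GNUNET_CURL_set_tlscert it would also help to state whether certtype, certfile and keyfile may be NULL individually, since only keypass is currently marked as optional.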
diff --git a/src/util/crypto_kdf.c b/src/util/crypto_kdf.c
index 1b3bd686f..4f3830308 100644
--- a/src/util/crypto_kdf.c
+++ b/src/util/crypto_kdf.c
@@ -62,7 +62,8 @@ GNUNET_CRYPTO_kdf_v (void *result,
62 * hash function." 62 * hash function."
63 * 63 *
64 * http://eprint.iacr.org/2010/264 64 * http://eprint.iacr.org/2010/264
65 */return GNUNET_CRYPTO_hkdf_v (result, 65 *///
66 return GNUNET_CRYPTO_hkdf_v (result,
66 out_len, 67 out_len,
67 GCRY_MD_SHA512, 68 GCRY_MD_SHA512,
68 GCRY_MD_SHA256, 69 GCRY_MD_SHA256,
@@ -142,7 +143,6 @@ GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
142 { 143 {
143 /* Ain't clear if n is always divisible by 8 */ 144 /* Ain't clear if n is always divisible by 8 */
144 uint8_t buf[ (nbits - 1) / 8 + 1 ]; 145 uint8_t buf[ (nbits - 1) / 8 + 1 ];
145
146 uint16_t ctr_nbo = htons (ctr); 146 uint16_t ctr_nbo = htons (ctr);
147 147
148 rc = GNUNET_CRYPTO_kdf (buf, 148 rc = GNUNET_CRYPTO_kdf (buf,
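Review bot: The comment terminator rewritten as `*///` leaves a stray empty line comment after the block comment closes; it is harmless but reads as an editing leftover, and `*/` alone, followed by the `return GNUNET_CRYPTO_hkdf_v (result,` statement on its own line, is all that is needed. GNUNET_CRYPTO_kdf_v starts and ends outside the hunk.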