author | Christian Grothoff <christian@grothoff.org> | 2020-07-16 17:40:14 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2020-07-16 17:40:37 +0200 |
commit | ee1fbffa1c42f7ac3fc897e73e90c525037dd915 (patch) | |
tree | b8b5f553413fb99a92a59786862ba25049f62725 /src | |
parent | 23820348b1221c78dc2d4eca9a234c375bbc68cb (diff) | |
support context-wide client authentication
Diffstat (limited to 'src')
-rw-r--r-- | src/curl/curl.c | 114 | ||||
-rw-r--r-- | src/gnsrecord/gnsrecord.c | 8 | ||||
-rw-r--r-- | src/include/gnunet_curl_lib.h | 36 | ||||
-rw-r--r-- | src/util/crypto_kdf.c | 4 |
4 files changed, 156 insertions, 6 deletions
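--- a/src/curl/curl.c
+++ b/src/curl/curl.c
@@ -170,10 +170,93 @@ struct GNUNET_CURL_Context
 * Closure for @e cb.
 */
 void *cb_cls;
+
+/**
+* USERNAME:PASSWORD to use for client-authentication
+* with all requests of this context, or NULL.
+*/
+char *userpass;
+
+/**
+* Type of the TLS client certificate used, or NULL.
+*/
+char *certtype;
+
+/**
+* File with the TLS client certificate, or NULL.
+*/
+char *certfile;
+
+/**
+* File with the private key to authenticate the
+* TLS client, or NULL.
+*/
+char *keyfile;
+
+/**
+* Passphrase to decrypt @e keyfile, or NULL.
+*/
+char *keypass;
+
 };
 
 
 /**
+* Force use of the provided username and password
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* @param ctx context to set authentication data for
+* @param userpass string with "$USERNAME:$PASSWORD"
+*/
+void
+GNUNET_CURL_set_userpass (struct GNUNET_CURL_Context *ctx,
+const char *userpass)
+{
+GNUNET_free (ctx->userpass);
+if (NULL != userpass)
+ctx->userpass = GNUNET_strdup (userpass);
+}
+
+
+/**
+* Force use of the provided TLS client certificate
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* Note that if the provided information is incorrect,
+* the earliest operation that could fail is
+* #GNUNET_CURL_job_add() or #GNUNET_CURL_job_add2()!
+*
+* @param ctx context to set authentication data for
+* @param certtype type of the certificate
+* @param certfile file with the certificate
+* @param keyfile file with the private key
+* @param keypass passphrase to decrypt @a keyfile (or NULL)
+*/
+void
+GNUNET_CURL_set_tlscert (struct GNUNET_CURL_Context *ctx,
+const char *certtype,
+const char *certfile,
+const char *keyfile,
+const char *keypass)
+{
+GNUNET_free (ctx->certtype);
+GNUNET_free (ctx->certfile);
+GNUNET_free (ctx->keyfile);
+GNUNET_free (ctx->keypass);
+if (NULL != certtype)
+ctx->certtype = GNUNET_strdup (certtype);
+if (NULL != certfile)
+ctx->certfile = GNUNET_strdup (certfile);
+if (NULL != keyfile)
+ctx->certtype = GNUNET_strdup (keyfile);
+if (NULL != keypass)
+ctx->certtype = GNUNET_strdup (keypass);
+}
+
+
+/**
 * Initialise this library. This function should be called before using any of
 * the following functions.
 *
@@ -457,6 +540,32 @@ GNUNET_CURL_job_add2 (struct GNUNET_CURL_Context *ctx,
 struct curl_slist *all_headers;
 
 GNUNET_assert (NULL != jcc);
+if ( (NULL != ctx->userpass) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_USERPWD,
+ctx->userpass)) )
+return NULL;
+if ( (NULL != ctx->certfile) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_SSLCERT,
+ctx->certfile)) )
+return NULL;
+if ( (NULL != ctx->certtype) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_SSLCERTTYPE,
+ctx->certtype)) )
+return NULL;
+if ( (NULL != ctx->keyfile) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_SSLKEY,
+ctx->keyfile)) )
+return NULL;
+if ( (NULL != ctx->keypass) &&
+(0 != curl_easy_setopt (eh,
+CURLOPT_KEYPASSWD,
+ctx->keypass)) )
+return NULL;
+
 all_headers = setup_job_headers (ctx,
 job_headers);
 if (NULL == (job = setup_job (eh,
@@ -899,6 +1008,11 @@ GNUNET_CURL_fini (struct GNUNET_CURL_Context *ctx)
 curl_share_cleanup (ctx->share);
 curl_multi_cleanup (ctx->multi);
 curl_slist_free_all (ctx->common_headers);
+GNUNET_free (ctx->userpass);
+GNUNET_free (ctx->certtype);
+GNUNET_free (ctx->certfile);
+GNUNET_free (ctx->keyfile);
+GNUNET_free (ctx->keypass);
 GNUNET_free (ctx);
 }
 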
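Review bot: In `GNUNET_CURL_set_tlscert` the `keyfile` and `keypass` branches both assign to `ctx->certtype`, so `ctx->keyfile` and `ctx->keypass` are never set and each extra assignment leaks the previous `certtype` copy. A caller that supplies a passphrase therefore ends up with it stored in `ctx->certtype`, which the `GNUNET_CURL_job_add2` hunk passes as `CURLOPT_SSLCERTTYPE`, while `CURLOPT_SSLKEY` and `CURLOPT_KEYPASSWD` are never applied. The two lines should read `ctx->keyfile = GNUNET_strdup (keyfile);` and `ctx->keypass = GNUNET_strdup (keypass);`. Separately, unless `GNUNET_free` resets its argument (the macro is not visible on this page), calling either setter with NULL leaves a stale pointer that later jobs read and `GNUNET_CURL_fini` frees again, and `userpass` and `keypass` are released without being wiped first.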
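--- a/src/gnsrecord/gnsrecord.c
+++ b/src/gnsrecord/gnsrecord.c
@@ -102,8 +102,8 @@ init ()
 if (1 == once)
 return;
 once = 1;
-struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get ();
-struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default ();
+const struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get ();
+const struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default ();
 
 if (pd != dpd)
 GNUNET_OS_init(dpd);
@@ -121,8 +121,8 @@ void __attribute__ ((destructor))
 GNSRECORD_fini ()
 {
 struct Plugin *plugin;
-struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get ();
-struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default ();
+const struct GNUNET_OS_ProjectData *pd = GNUNET_OS_project_data_get ();
+const struct GNUNET_OS_ProjectData *dpd = GNUNET_OS_project_data_default ();
 
 if (pd != dpd)
 GNUNET_OS_init(dpd);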
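--- a/src/include/gnunet_curl_lib.h
+++ b/src/include/gnunet_curl_lib.h
@@ -245,6 +245,42 @@ GNUNET_CURL_job_add (struct GNUNET_CURL_Context *ctx,
 
 
 /**
+* Force use of the provided username and password
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* @param ctx context to set authentication data for
+* @param userpass string with "$USERNAME:$PASSWORD"
+*/
+void
+GNUNET_CURL_set_userpass (struct GNUNET_CURL_Context *ctx,
+const char *userpass);
+
+
+/**
+* Force use of the provided TLS client certificate
+* for client authentication for all operations performed
+* with @a ctx.
+*
+* Note that if the provided information is incorrect,
+* the earliest operation that could fail is
+* #GNUNET_CURL_job_add() or #GNUNET_CURL_job_add2()!
+*
+* @param ctx context to set authentication data for
+* @param certtype type of the certificate
+* @param certfile file with the certificate
+* @param keyfile file with the private key
+* @param keypass passphrase to decrypt @a keyfile (or NULL)
+*/
+void
+GNUNET_CURL_set_tlscert (struct GNUNET_CURL_Context *ctx,
+const char *certtype,
+const char *certfile,
+const char *keyfile,
+const char *keypass);
+
+
+/**
 * Schedule a CURL request to be executed and call the given @a jcc
 * upon its completion. Note that the context will make use of the
 * CURLOPT_PRIVATE facility of the CURL @a eh.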
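Review bot: The doc comments for `GNUNET_CURL_set_userpass` and `GNUNET_CURL_set_tlscert` omit the contract a caller needs to use them safely. They do not say that the credentials go out with every job added through `ctx`, whatever host the job's URL names, nor whether the strings are copied, nor whether NULL is accepted to clear a previous setting. The implementation in src/curl/curl.c duplicates its arguments with `GNUNET_strdup`, so I would add `* The strings are copied; the credentials are used for every request made through @a ctx, so use a separate context per remote service.` to both comments and state the NULL behaviour explicitly. `@param certtype` should also name the expected values, since the string is handed to `CURLOPT_SSLCERTTYPE` unchanged.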
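--- a/src/util/crypto_kdf.c
+++ b/src/util/crypto_kdf.c
@@ -62,7 +62,8 @@ GNUNET_CRYPTO_kdf_v (void *result,
 * hash function."
 *
 * http://eprint.iacr.org/2010/264
-*/return GNUNET_CRYPTO_hkdf_v (result,
+*///
+return GNUNET_CRYPTO_hkdf_v (result,
 out_len,
 GCRY_MD_SHA512,
 GCRY_MD_SHA256,
@@ -142,7 +143,6 @@ GNUNET_CRYPTO_kdf_mod_mpi (gcry_mpi_t *r,
 {
 /* Ain't clear if n is always divisible by 8 */
 uint8_t buf[ (nbits - 1) / 8 + 1 ];
-
 uint16_t ctr_nbo = htons (ctr);
 
 rc = GNUNET_CRYPTO_kdf (buf,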