diff options
author | Christian Grothoff <christian@grothoff.org> | 2018-07-14 11:44:01 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2018-07-14 13:27:45 +0200 |
commit | 2c47a23dec110fb77e1cda36d6bdb83fc4d5e252 (patch) | |
tree | 37e41d6e5c477105788c74ef7243ec83e92c70d4 /src/microhttpd/daemon.c | |
parent | 2ed04522e24b801251d7fd1768b7fccfd7b8deac (diff) | |
download | libmicrohttpd-2c47a23dec110fb77e1cda36d6bdb83fc4d5e252.tar.gz libmicrohttpd-2c47a23dec110fb77e1cda36d6bdb83fc4d5e252.zip |
integrate TLS PSK patch from Tal Moaz (plus documentation, plus style and bugfixes
Diffstat (limited to 'src/microhttpd/daemon.c')
-rw-r--r-- | src/microhttpd/daemon.c | 94 |
1 files changed, 89 insertions, 5 deletions
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c index 0b85764b..31ed1574 100644 --- a/src/microhttpd/daemon.c +++ b/src/microhttpd/daemon.c | |||
@@ -565,7 +565,6 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon) | |||
565 | return -1; | 565 | return -1; |
566 | } | 566 | } |
567 | 567 | ||
568 | |||
569 | /** | 568 | /** |
570 | * Initialize security aspects of the HTTPS daemon | 569 | * Initialize security aspects of the HTTPS daemon |
571 | * | 570 | * |
@@ -582,6 +581,11 @@ MHD_TLS_init (struct MHD_Daemon *daemon) | |||
582 | gnutls_certificate_allocate_credentials (&daemon->x509_cred)) | 581 | gnutls_certificate_allocate_credentials (&daemon->x509_cred)) |
583 | return GNUTLS_E_MEMORY_ERROR; | 582 | return GNUTLS_E_MEMORY_ERROR; |
584 | return MHD_init_daemon_certificate (daemon); | 583 | return MHD_init_daemon_certificate (daemon); |
584 | case GNUTLS_CRD_PSK: | ||
585 | if (0 != | ||
586 | gnutls_psk_allocate_server_credentials (&daemon->psk_cred)) | ||
587 | return GNUTLS_E_MEMORY_ERROR; | ||
588 | return 0; | ||
585 | default: | 589 | default: |
586 | #ifdef HAVE_MESSAGES | 590 | #ifdef HAVE_MESSAGES |
587 | MHD_DLOG (daemon, | 591 | MHD_DLOG (daemon, |
@@ -2137,6 +2141,67 @@ MHD_tls_push_func_(gnutls_transport_ptr_t trnsp, | |||
2137 | #endif /* MHD_TLSLIB_DONT_SUPPRESS_SIGPIPE */ | 2141 | #endif /* MHD_TLSLIB_DONT_SUPPRESS_SIGPIPE */ |
2138 | #endif /* HTTPS_SUPPORT */ | 2142 | #endif /* HTTPS_SUPPORT */ |
2139 | 2143 | ||
2144 | |||
2145 | /** | ||
2146 | * Function called by GNUtls to obtain the PSK for a given session. | ||
2147 | * | ||
2148 | * @param session the session to lookup PSK for | ||
2149 | * @param username username to lookup PSK for | ||
2150 | * @param key[out] where to write PSK | ||
2151 | * @return 0 on success, -1 on error | ||
2152 | */ | ||
2153 | static int | ||
2154 | psk_gnutls_adapter (gnutls_session_t session, | ||
2155 | const char *username, | ||
2156 | gnutls_datum_t *key) | ||
2157 | { | ||
2158 | struct MHD_Connection *connection; | ||
2159 | struct MHD_Daemon *daemon; | ||
2160 | void *app_psk; | ||
2161 | size_t app_psk_size; | ||
2162 | |||
2163 | connection = gnutls_session_get_ptr (session); | ||
2164 | if (NULL == connection) | ||
2165 | { | ||
2166 | #ifdef HAVE_MESSAGES | ||
2167 | MHD_DLOG (daemon, | ||
2168 | _("Internal server error. This should be impossible.\n")); | ||
2169 | #endif | ||
2170 | return -1; | ||
2171 | } | ||
2172 | daemon = connection->daemon; | ||
2173 | if (NULL == daemon->cred_callback) | ||
2174 | { | ||
2175 | #ifdef HAVE_MESSAGES | ||
2176 | MHD_DLOG (daemon, | ||
2177 | _("PSK not supported by this server.\n")); | ||
2178 | #endif | ||
2179 | return -1; | ||
2180 | } | ||
2181 | if (0 != daemon->cred_callback (daemon->cred_callback_cls, | ||
2182 | connection, | ||
2183 | username, | ||
2184 | &app_psk, | ||
2185 | &app_psk_size)) | ||
2186 | return -1; | ||
2187 | if (NULL == (key->data = gnutls_malloc (app_psk_size))) | ||
2188 | { | ||
2189 | #ifdef HAVE_MESSAGES | ||
2190 | MHD_DLOG (daemon, | ||
2191 | _("PSK authentication failed: gnutls_malloc failed to allocate memory\n")); | ||
2192 | #endif | ||
2193 | free (app_psk); | ||
2194 | return -1; | ||
2195 | } | ||
2196 | key->size = app_psk_size; | ||
2197 | memcpy (key->data, | ||
2198 | app_psk, | ||
2199 | app_psk_size); | ||
2200 | free (app_psk); | ||
2201 | return 0; | ||
2202 | } | ||
2203 | |||
2204 | |||
2140 | /** | 2205 | /** |
2141 | * Add another client connection to the set of connections | 2206 | * Add another client connection to the set of connections |
2142 | * managed by MHD. This API is usually not needed (since | 2207 | * managed by MHD. This API is usually not needed (since |
@@ -2372,6 +2437,12 @@ internal_add_connection (struct MHD_Daemon *daemon, | |||
2372 | gnutls_credentials_set (connection->tls_session, | 2437 | gnutls_credentials_set (connection->tls_session, |
2373 | GNUTLS_CRD_CERTIFICATE, | 2438 | GNUTLS_CRD_CERTIFICATE, |
2374 | daemon->x509_cred); | 2439 | daemon->x509_cred); |
2440 | case GNUTLS_CRD_PSK: | ||
2441 | gnutls_credentials_set (connection->tls_session, | ||
2442 | GNUTLS_CRD_PSK, | ||
2443 | daemon->psk_cred); | ||
2444 | gnutls_psk_set_server_credentials_function (daemon->psk_cred, | ||
2445 | &psk_gnutls_adapter); | ||
2375 | break; | 2446 | break; |
2376 | default: | 2447 | default: |
2377 | #ifdef HAVE_MESSAGES | 2448 | #ifdef HAVE_MESSAGES |
@@ -2392,12 +2463,15 @@ internal_add_connection (struct MHD_Daemon *daemon, | |||
2392 | return MHD_NO; | 2463 | return MHD_NO; |
2393 | } | 2464 | } |
2394 | #if (GNUTLS_VERSION_NUMBER+0 >= 0x030109) && !defined(_WIN64) | 2465 | #if (GNUTLS_VERSION_NUMBER+0 >= 0x030109) && !defined(_WIN64) |
2395 | gnutls_transport_set_int (connection->tls_session, (int)(client_socket)); | 2466 | gnutls_transport_set_int (connection->tls_session, |
2467 | (int)(client_socket)); | ||
2396 | #else /* GnuTLS before 3.1.9 or Win x64 */ | 2468 | #else /* GnuTLS before 3.1.9 or Win x64 */ |
2397 | gnutls_transport_set_ptr (connection->tls_session, (gnutls_transport_ptr_t)(intptr_t)(client_socket)); | 2469 | gnutls_transport_set_ptr (connection->tls_session, |
2470 | (gnutls_transport_ptr_t)(intptr_t)(client_socket)); | ||
2398 | #endif /* GnuTLS before 3.1.9 */ | 2471 | #endif /* GnuTLS before 3.1.9 */ |
2399 | #ifdef MHD_TLSLIB_NEED_PUSH_FUNC | 2472 | #ifdef MHD_TLSLIB_NEED_PUSH_FUNC |
2400 | gnutls_transport_set_push_function (connection->tls_session, MHD_tls_push_func_); | 2473 | gnutls_transport_set_push_function (connection->tls_session, |
2474 | MHD_tls_push_func_); | ||
2401 | #endif /* MHD_TLSLIB_NEED_PUSH_FUNC */ | 2475 | #endif /* MHD_TLSLIB_NEED_PUSH_FUNC */ |
2402 | if (daemon->https_mem_trust) | 2476 | if (daemon->https_mem_trust) |
2403 | gnutls_certificate_server_set_request (connection->tls_session, | 2477 | gnutls_certificate_server_set_request (connection->tls_session, |
@@ -2407,7 +2481,8 @@ internal_add_connection (struct MHD_Daemon *daemon, | |||
2407 | goto cleanup; | 2481 | goto cleanup; |
2408 | #endif /* ! HTTPS_SUPPORT */ | 2482 | #endif /* ! HTTPS_SUPPORT */ |
2409 | } | 2483 | } |
2410 | 2484 | gnutls_session_set_ptr (connection->tls_session, | |
2485 | connection); | ||
2411 | 2486 | ||
2412 | MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex); | 2487 | MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex); |
2413 | /* Firm check under lock. */ | 2488 | /* Firm check under lock. */ |
@@ -5070,6 +5145,7 @@ parse_options_va (struct MHD_Daemon *daemon, | |||
5070 | case MHD_OPTION_URI_LOG_CALLBACK: | 5145 | case MHD_OPTION_URI_LOG_CALLBACK: |
5071 | case MHD_OPTION_EXTERNAL_LOGGER: | 5146 | case MHD_OPTION_EXTERNAL_LOGGER: |
5072 | case MHD_OPTION_UNESCAPE_CALLBACK: | 5147 | case MHD_OPTION_UNESCAPE_CALLBACK: |
5148 | case MHD_OPTION_GNUTLS_PSK_CRED_HANDLER: | ||
5073 | if (MHD_YES != parse_options (daemon, | 5149 | if (MHD_YES != parse_options (daemon, |
5074 | servaddr, | 5150 | servaddr, |
5075 | opt, | 5151 | opt, |
@@ -5100,6 +5176,12 @@ parse_options_va (struct MHD_Daemon *daemon, | |||
5100 | daemon->unescape_callback_cls = va_arg (ap, | 5176 | daemon->unescape_callback_cls = va_arg (ap, |
5101 | void *); | 5177 | void *); |
5102 | break; | 5178 | break; |
5179 | case MHD_OPTION_GNUTLS_PSK_CRED_HANDLER: | ||
5180 | daemon->cred_callback = va_arg (ap, | ||
5181 | MHD_PskServerCredentialsCallback); | ||
5182 | daemon->cred_callback_cls = va_arg (ap, | ||
5183 | void *); | ||
5184 | break; | ||
5103 | default: | 5185 | default: |
5104 | #ifdef HAVE_MESSAGES | 5186 | #ifdef HAVE_MESSAGES |
5105 | if ( ( (opt >= MHD_OPTION_HTTPS_MEM_KEY) && | 5187 | if ( ( (opt >= MHD_OPTION_HTTPS_MEM_KEY) && |
@@ -6419,6 +6501,8 @@ MHD_stop_daemon (struct MHD_Daemon *daemon) | |||
6419 | gnutls_priority_deinit (daemon->priority_cache); | 6501 | gnutls_priority_deinit (daemon->priority_cache); |
6420 | if (daemon->x509_cred) | 6502 | if (daemon->x509_cred) |
6421 | gnutls_certificate_free_credentials (daemon->x509_cred); | 6503 | gnutls_certificate_free_credentials (daemon->x509_cred); |
6504 | if (daemon->psk_cred) | ||
6505 | gnutls_psk_free_server_credentials (daemon->psk_cred); | ||
6422 | } | 6506 | } |
6423 | #endif /* HTTPS_SUPPORT */ | 6507 | #endif /* HTTPS_SUPPORT */ |
6424 | 6508 | ||