integrate TLS PSK patch from Tal Moaz (plus documentation, plus style and bugfixes

author: Christian Grothoff <christian@grothoff.org> 2018-07-14 11:44:01 +0200
committer: Christian Grothoff <christian@grothoff.org> 2018-07-14 13:27:45 +0200
commit: 2c47a23dec110fb77e1cda36d6bdb83fc4d5e252 (patch)
tree: 37e41d6e5c477105788c74ef7243ec83e92c70d4 /src/microhttpd/daemon.c
parent: 2ed04522e24b801251d7fd1768b7fccfd7b8deac (diff)
download: libmicrohttpd-2c47a23dec110fb77e1cda36d6bdb83fc4d5e252.tar.gz
libmicrohttpd-2c47a23dec110fb77e1cda36d6bdb83fc4d5e252.zip
1 files changed, 89 insertions, 5 deletions
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index 0b85764b..31ed1574 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -565,7 +565,6 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
  return -1;
 }
 /**
 * Initialize security aspects of the HTTPS daemon
 *
@@ -582,6 +581,11 @@ MHD_TLS_init (struct MHD_Daemon *daemon)
          gnutls_certificate_allocate_credentials (&daemon->x509_cred))
        return GNUTLS_E_MEMORY_ERROR;
      return MHD_init_daemon_certificate (daemon);
+    case GNUTLS_CRD_PSK:
+      if (0 != 
+          gnutls_psk_allocate_server_credentials (&daemon->psk_cred))
+        return GNUTLS_E_MEMORY_ERROR;
+      return 0;
    default:
 #ifdef HAVE_MESSAGES
      MHD_DLOG (daemon,
@@ -2137,6 +2141,67 @@ MHD_tls_push_func_(gnutls_transport_ptr_t trnsp,
 #endif /* MHD_TLSLIB_DONT_SUPPRESS_SIGPIPE */
 #endif /* HTTPS_SUPPORT */
+/**
+ * Function called by GNUtls to obtain the PSK for a given session.
+ * 
+ * @param session the session to lookup PSK for
+ * @param username username to lookup PSK for
+ * @param key[out] where to write PSK
+ * @return 0 on success, -1 on error
+ */
+static int
+psk_gnutls_adapter (gnutls_session_t session,
+                    const char *username,
+                    gnutls_datum_t *key)
+{
+  struct MHD_Connection *connection;
+  struct MHD_Daemon *daemon;
+  void *app_psk;
+  size_t app_psk_size;
+  connection = gnutls_session_get_ptr (session);
+  if (NULL == connection)
+  {
+#ifdef HAVE_MESSAGES
+    MHD_DLOG (daemon,
+              _("Internal server error. This should be impossible.\n"));
+#endif
+    return -1;
+  }
+  daemon = connection->daemon;
+  if (NULL == daemon->cred_callback)
+  {
+#ifdef HAVE_MESSAGES
+    MHD_DLOG (daemon,
+              _("PSK not supported by this server.\n"));
+#endif
+    return -1;
+  }
+  if (0 != daemon->cred_callback (daemon->cred_callback_cls,
+                                  connection,
+                                  username,
+                                  &app_psk,
+                                  &app_psk_size))
+    return -1;
+  if (NULL == (key->data = gnutls_malloc (app_psk_size)))
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                _("PSK authentication failed: gnutls_malloc failed to allocate memory\n"));
+#endif
+      free (app_psk);
+      return -1;
+    }
+  key->size = app_psk_size;
+  memcpy (key->data,
+          app_psk,
+          app_psk_size);
+  free (app_psk);
+  return 0;
+}
 /**
 * Add another client connection to the set of connections
 * managed by MHD.  This API is usually not needed (since
@@ -2372,6 +2437,12 @@ internal_add_connection (struct MHD_Daemon *daemon,
          gnutls_credentials_set (connection->tls_session,
                                  GNUTLS_CRD_CERTIFICATE,
                                  daemon->x509_cred);
+        case GNUTLS_CRD_PSK:
+          gnutls_credentials_set (connection->tls_session,
+                                  GNUTLS_CRD_PSK,
+                                  daemon->psk_cred);
+          gnutls_psk_set_server_credentials_function (daemon->psk_cred,
+                                                      &psk_gnutls_adapter);
          break;
        default:
 #ifdef HAVE_MESSAGES
@@ -2392,12 +2463,15 @@ internal_add_connection (struct MHD_Daemon *daemon,
          return MHD_NO;
        }
 #if (GNUTLS_VERSION_NUMBER+0 >= 0x030109) && !defined(_WIN64)
-      gnutls_transport_set_int (connection->tls_session, (int)(client_socket));
+      gnutls_transport_set_int (connection->tls_session,
+                                (int)(client_socket));
 #else  /* GnuTLS before 3.1.9 or Win x64 */
-      gnutls_transport_set_ptr (connection->tls_session, (gnutls_transport_ptr_t)(intptr_t)(client_socket));
+      gnutls_transport_set_ptr (connection->tls_session,
+                                (gnutls_transport_ptr_t)(intptr_t)(client_socket));
 #endif /* GnuTLS before 3.1.9 */
 #ifdef MHD_TLSLIB_NEED_PUSH_FUNC
-      gnutls_transport_set_push_function (connection->tls_session, MHD_tls_push_func_);
+      gnutls_transport_set_push_function (connection->tls_session,
+                                          MHD_tls_push_func_);
 #endif /* MHD_TLSLIB_NEED_PUSH_FUNC */
      if (daemon->https_mem_trust)
          gnutls_certificate_server_set_request (connection->tls_session,
@@ -2407,7 +2481,8 @@ internal_add_connection (struct MHD_Daemon *daemon,
      goto cleanup;
 #endif /* ! HTTPS_SUPPORT */
    }
+  gnutls_session_set_ptr (connection->tls_session,
+                          connection);
  MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex);
  /* Firm check under lock. */
@@ -5070,6 +5145,7 @@ parse_options_va (struct MHD_Daemon *daemon,
                case MHD_OPTION_URI_LOG_CALLBACK:
                case MHD_OPTION_EXTERNAL_LOGGER:
                case MHD_OPTION_UNESCAPE_CALLBACK:
+                case MHD_OPTION_GNUTLS_PSK_CRED_HANDLER:
                  if (MHD_YES != parse_options (daemon,
                                                servaddr,
                                                opt,
@@ -5100,6 +5176,12 @@ parse_options_va (struct MHD_Daemon *daemon,
          daemon->unescape_callback_cls = va_arg (ap,
                                                  void *);
          break;
+        case MHD_OPTION_GNUTLS_PSK_CRED_HANDLER:
+          daemon->cred_callback = va_arg (ap,
+                                          MHD_PskServerCredentialsCallback);
+          daemon->cred_callback_cls = va_arg (ap,
+                                              void *);
+          break;
        default:
 #ifdef HAVE_MESSAGES
          if ( ( (opt >= MHD_OPTION_HTTPS_MEM_KEY) &&
@@ -6419,6 +6501,8 @@ MHD_stop_daemon (struct MHD_Daemon *daemon)
          gnutls_priority_deinit (daemon->priority_cache);
          if (daemon->x509_cred)
            gnutls_certificate_free_credentials (daemon->x509_cred);
+          if (daemon->psk_cred)
+              gnutls_psk_free_server_credentials (daemon->psk_cred);
        }
 #endif /* HTTPS_SUPPORT */
author	Christian Grothoff <christian@grothoff.org>	2018-07-14 11:44:01 +0200
committer	Christian Grothoff <christian@grothoff.org>	2018-07-14 13:27:45 +0200
commit	2c47a23dec110fb77e1cda36d6bdb83fc4d5e252 (patch)
tree	37e41d6e5c477105788c74ef7243ec83e92c70d4 /src/microhttpd/daemon.c
parent	2ed04522e24b801251d7fd1768b7fccfd7b8deac (diff)
download	libmicrohttpd-2c47a23dec110fb77e1cda36d6bdb83fc4d5e252.tar.gz libmicrohttpd-2c47a23dec110fb77e1cda36d6bdb83fc4d5e252.zip

diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c index 0b85764b..31ed1574 100644 --- a/src/microhttpd/daemon.c +++ b/src/microhttpd/daemon.c
@@ -565,7 +565,6 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
565	return -1;	565	return -1;
566	}	566	}
567		567
568
569	/**	568	/**
570	* Initialize security aspects of the HTTPS daemon	569	* Initialize security aspects of the HTTPS daemon
571	*	570	*
@@ -582,6 +581,11 @@ MHD_TLS_init (struct MHD_Daemon *daemon)
582	gnutls_certificate_allocate_credentials (&daemon->x509_cred))	581	gnutls_certificate_allocate_credentials (&daemon->x509_cred))
583	return GNUTLS_E_MEMORY_ERROR;	582	return GNUTLS_E_MEMORY_ERROR;
584	return MHD_init_daemon_certificate (daemon);	583	return MHD_init_daemon_certificate (daemon);
		584	case GNUTLS_CRD_PSK:
		585	if (0 !=
		586	gnutls_psk_allocate_server_credentials (&daemon->psk_cred))
		587	return GNUTLS_E_MEMORY_ERROR;
		588	return 0;
585	default:	589	default:
586	#ifdef HAVE_MESSAGES	590	#ifdef HAVE_MESSAGES
587	MHD_DLOG (daemon,	591	MHD_DLOG (daemon,
@@ -2137,6 +2141,67 @@ MHD_tls_push_func_(gnutls_transport_ptr_t trnsp,
2137	#endif /* MHD_TLSLIB_DONT_SUPPRESS_SIGPIPE */	2141	#endif /* MHD_TLSLIB_DONT_SUPPRESS_SIGPIPE */
2138	#endif /* HTTPS_SUPPORT */	2142	#endif /* HTTPS_SUPPORT */
2139		2143
		2144
		2145	/**
		2146	* Function called by GNUtls to obtain the PSK for a given session.
		2147	*
		2148	* @param session the session to lookup PSK for
		2149	* @param username username to lookup PSK for
		2150	* @param key[out] where to write PSK
		2151	* @return 0 on success, -1 on error
		2152	*/
		2153	static int
		2154	psk_gnutls_adapter (gnutls_session_t session,
		2155	const char *username,
		2156	gnutls_datum_t *key)
		2157	{
		2158	struct MHD_Connection *connection;
		2159	struct MHD_Daemon *daemon;
		2160	void *app_psk;
		2161	size_t app_psk_size;
		2162
		2163	connection = gnutls_session_get_ptr (session);
		2164	if (NULL == connection)
		2165	{
		2166	#ifdef HAVE_MESSAGES
		2167	MHD_DLOG (daemon,
		2168	_("Internal server error. This should be impossible.\n"));
		2169	#endif
		2170	return -1;
		2171	}
		2172	daemon = connection->daemon;
		2173	if (NULL == daemon->cred_callback)
		2174	{
		2175	#ifdef HAVE_MESSAGES
		2176	MHD_DLOG (daemon,
		2177	_("PSK not supported by this server.\n"));
		2178	#endif
		2179	return -1;
		2180	}
		2181	if (0 != daemon->cred_callback (daemon->cred_callback_cls,
		2182	connection,
		2183	username,
		2184	&app_psk,
		2185	&app_psk_size))
		2186	return -1;
		2187	if (NULL == (key->data = gnutls_malloc (app_psk_size)))
		2188	{
		2189	#ifdef HAVE_MESSAGES
		2190	MHD_DLOG (daemon,
		2191	_("PSK authentication failed: gnutls_malloc failed to allocate memory\n"));
		2192	#endif
		2193	free (app_psk);
		2194	return -1;
		2195	}
		2196	key->size = app_psk_size;
		2197	memcpy (key->data,
		2198	app_psk,
		2199	app_psk_size);
		2200	free (app_psk);
		2201	return 0;
		2202	}
		2203
		2204
2140	/**	2205	/**
2141	* Add another client connection to the set of connections	2206	* Add another client connection to the set of connections
2142	* managed by MHD. This API is usually not needed (since	2207	* managed by MHD. This API is usually not needed (since
@@ -2372,6 +2437,12 @@ internal_add_connection (struct MHD_Daemon *daemon,
2372	gnutls_credentials_set (connection->tls_session,	2437	gnutls_credentials_set (connection->tls_session,
2373	GNUTLS_CRD_CERTIFICATE,	2438	GNUTLS_CRD_CERTIFICATE,
2374	daemon->x509_cred);	2439	daemon->x509_cred);
		2440	case GNUTLS_CRD_PSK:
		2441	gnutls_credentials_set (connection->tls_session,
		2442	GNUTLS_CRD_PSK,
		2443	daemon->psk_cred);
		2444	gnutls_psk_set_server_credentials_function (daemon->psk_cred,
		2445	&psk_gnutls_adapter);
2375	break;	2446	break;
2376	default:	2447	default:
2377	#ifdef HAVE_MESSAGES	2448	#ifdef HAVE_MESSAGES
@@ -2392,12 +2463,15 @@ internal_add_connection (struct MHD_Daemon *daemon,
2392	return MHD_NO;	2463	return MHD_NO;
2393	}	2464	}
2394	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030109) && !defined(_WIN64)	2465	#if (GNUTLS_VERSION_NUMBER+0 >= 0x030109) && !defined(_WIN64)
2395	gnutls_transport_set_int (connection->tls_session, (int)(client_socket));	2466	gnutls_transport_set_int (connection->tls_session,
		2467	(int)(client_socket));
2396	#else /* GnuTLS before 3.1.9 or Win x64 */	2468	#else /* GnuTLS before 3.1.9 or Win x64 */
2397	gnutls_transport_set_ptr (connection->tls_session, (gnutls_transport_ptr_t)(intptr_t)(client_socket));	2469	gnutls_transport_set_ptr (connection->tls_session,
		2470	(gnutls_transport_ptr_t)(intptr_t)(client_socket));
2398	#endif /* GnuTLS before 3.1.9 */	2471	#endif /* GnuTLS before 3.1.9 */
2399	#ifdef MHD_TLSLIB_NEED_PUSH_FUNC	2472	#ifdef MHD_TLSLIB_NEED_PUSH_FUNC
2400	gnutls_transport_set_push_function (connection->tls_session, MHD_tls_push_func_);	2473	gnutls_transport_set_push_function (connection->tls_session,
		2474	MHD_tls_push_func_);
2401	#endif /* MHD_TLSLIB_NEED_PUSH_FUNC */	2475	#endif /* MHD_TLSLIB_NEED_PUSH_FUNC */
2402	if (daemon->https_mem_trust)	2476	if (daemon->https_mem_trust)
2403	gnutls_certificate_server_set_request (connection->tls_session,	2477	gnutls_certificate_server_set_request (connection->tls_session,
@@ -2407,7 +2481,8 @@ internal_add_connection (struct MHD_Daemon *daemon,
2407	goto cleanup;	2481	goto cleanup;
2408	#endif /* ! HTTPS_SUPPORT */	2482	#endif /* ! HTTPS_SUPPORT */
2409	}	2483	}
2410		2484	gnutls_session_set_ptr (connection->tls_session,
		2485	connection);
2411		2486
2412	MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex);	2487	MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex);
2413	/* Firm check under lock. */	2488	/* Firm check under lock. */
@@ -5070,6 +5145,7 @@ parse_options_va (struct MHD_Daemon *daemon,
5070	case MHD_OPTION_URI_LOG_CALLBACK:	5145	case MHD_OPTION_URI_LOG_CALLBACK:
5071	case MHD_OPTION_EXTERNAL_LOGGER:	5146	case MHD_OPTION_EXTERNAL_LOGGER:
5072	case MHD_OPTION_UNESCAPE_CALLBACK:	5147	case MHD_OPTION_UNESCAPE_CALLBACK:
		5148	case MHD_OPTION_GNUTLS_PSK_CRED_HANDLER:
5073	if (MHD_YES != parse_options (daemon,	5149	if (MHD_YES != parse_options (daemon,
5074	servaddr,	5150	servaddr,
5075	opt,	5151	opt,
@@ -5100,6 +5176,12 @@ parse_options_va (struct MHD_Daemon *daemon,
5100	daemon->unescape_callback_cls = va_arg (ap,	5176	daemon->unescape_callback_cls = va_arg (ap,
5101	void *);	5177	void *);
5102	break;	5178	break;
		5179	case MHD_OPTION_GNUTLS_PSK_CRED_HANDLER:
		5180	daemon->cred_callback = va_arg (ap,
		5181	MHD_PskServerCredentialsCallback);
		5182	daemon->cred_callback_cls = va_arg (ap,
		5183	void *);
		5184	break;
5103	default:	5185	default:
5104	#ifdef HAVE_MESSAGES	5186	#ifdef HAVE_MESSAGES
5105	if ( ( (opt >= MHD_OPTION_HTTPS_MEM_KEY) &&	5187	if ( ( (opt >= MHD_OPTION_HTTPS_MEM_KEY) &&
@@ -6419,6 +6501,8 @@ MHD_stop_daemon (struct MHD_Daemon *daemon)
6419	gnutls_priority_deinit (daemon->priority_cache);	6501	gnutls_priority_deinit (daemon->priority_cache);
6420	if (daemon->x509_cred)	6502	if (daemon->x509_cred)
6421	gnutls_certificate_free_credentials (daemon->x509_cred);	6503	gnutls_certificate_free_credentials (daemon->x509_cred);
		6504	if (daemon->psk_cred)
		6505	gnutls_psk_free_server_credentials (daemon->psk_cred);
6422	}	6506	}
6423	#endif /* HTTPS_SUPPORT */	6507	#endif /* HTTPS_SUPPORT */
6424		6508