summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2014-05-02 15:37:02 +0200
committerWerner Koch <wk@gnupg.org>2014-05-02 17:28:02 +0200
commit0e59195642eb26263b8e0b9200290538631d35cd (patch)
tree111943e8a19b2ebf2dbc10b665458a8b73f2ceb2
parentcommon: Fix test for openpgp_oid_is_ed25519. (diff)
downloadgnupg2-0e59195642eb26263b8e0b9200290538631d35cd.tar.xz
gnupg2-0e59195642eb26263b8e0b9200290538631d35cd.zip
http: Add HTTP_FLAG_FORCE_TLS and http_get_tls_info.
* common/http.c (http_parse_uri): Factor code out to ... (parse_uri): here. Add arg FORCE_TLS. (do_parse_uri): Ditto. Implement flag. (http_get_tls_info): New. (http_register_tls_ca): Allow clearing of the list. (send_request): Use a default verification function. * common/http.h (HTTP_FLAG_FORCE_TLS): New. * common/t-http.c (main): Add several command line options.
Diffstat
-rw-r--r--common/http.c106
-rw-r--r--common/http.h2
-rw-r--r--common/t-http.c113
3 files changed, 178 insertions, 43 deletions
diff --git a/common/http.c b/common/http.c
index e5516e81e..590893db8 100644
--- a/common/http.c
+++ b/common/http.c
@@ -161,7 +161,9 @@ typedef void * gnutls_session_t;
#endif
static gpg_err_code_t do_parse_uri (parsed_uri_t uri, int only_local_part,
- int no_scheme_check);
+ int no_scheme_check, int force_tls);
+static gpg_error_t parse_uri (parsed_uri_t *ret_uri, const char *uri,
+ int no_scheme_check, int force_tls);
static int remove_escapes (char *string);
static int insert_escapes (char *buffer, const char *string,
const char *special);
@@ -463,7 +465,9 @@ make_header_line (const char *prefix, const char *suffix,
-/* Register the global TLS callback fucntion. */
+/* Register a non-standard global TLS callback function. If no
+ verification is desired a callback needs to be registered which
+ always returns NULL. */
void
http_register_tls_callback (gpg_error_t (*cb)(http_t, http_session_t, int))
{
@@ -473,15 +477,24 @@ http_register_tls_callback (gpg_error_t (*cb)(http_t, http_session_t, int))
/* Register a CA certificate for future use. The certificate is
expected to be in FNAME. PEM format is assume if FNAME has a
- suffix of ".pem" */
+ suffix of ".pem". If FNAME is NULL the list of CA files is
+ removed. */
void
http_register_tls_ca (const char *fname)
{
strlist_t sl;
- sl = add_to_strlist (&tls_ca_certlist, fname);
- if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
- sl->flags = 1;
+ if (!fname)
+ {
+ free_strlist (tls_ca_certlist);
+ tls_ca_certlist = NULL;
+ }
+ else
+ {
+ sl = add_to_strlist (&tls_ca_certlist, fname);
+ if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem"))
+ sl->flags = 1;
+ }
}
@@ -614,7 +627,7 @@ http_open (http_t *r_hd, http_req_t reqtype, const char *url,
hd->flags = flags;
hd->session = session;
- err = http_parse_uri (&hd->uri, url, 0);
+ err = parse_uri (&hd->uri, url, 0, !!(flags & HTTP_FLAG_FORCE_TLS));
if (!err)
err = send_request (hd, auth, proxy, srvtag, headers);
@@ -875,17 +888,29 @@ http_get_status_code (http_t hd)
return hd?hd->status_code:0;
}
+/* Return information pertaining to TLS. If TLS is not in use for HD,
+ NULL is returned. WHAT is used ask for specific information:
-
-/*
- * Parse an URI and put the result into the newly allocated RET_URI.
- * On success the caller must use release_parsed_uri() to releases the
- * resources. If NO_SCHEME_CHECK is set, the function tries to parse
- * the URL in the same way it would do for an HTTP style URI.
+ (NULL) := Only check whether TLS is is use. Returns an
+ unspecified string if TLS is in use. That string may
+ even be the empty string.
*/
-gpg_error_t
-http_parse_uri (parsed_uri_t *ret_uri, const char *uri,
- int no_scheme_check)
+const char *
+http_get_tls_info (http_t hd, const char *what)
+{
+ (void)what;
+
+ if (!hd)
+ return NULL;
+
+ return hd->uri->use_tls? "":NULL;
+}
+
+
+
+static gpg_error_t
+parse_uri (parsed_uri_t *ret_uri, const char *uri,
+ int no_scheme_check, int force_tls)
{
gpg_err_code_t ec;
@@ -893,7 +918,7 @@ http_parse_uri (parsed_uri_t *ret_uri, const char *uri,
if (!*ret_uri)
return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
strcpy ((*ret_uri)->buffer, uri);
- ec = do_parse_uri (*ret_uri, 0, no_scheme_check);
+ ec = do_parse_uri (*ret_uri, 0, no_scheme_check, force_tls);
if (ec)
{
xfree (*ret_uri);
@@ -902,6 +927,21 @@ http_parse_uri (parsed_uri_t *ret_uri, const char *uri,
return gpg_err_make (default_errsource, ec);
}
+
+/*
+ * Parse an URI and put the result into the newly allocated RET_URI.
+ * On success the caller must use release_parsed_uri() to releases the
+ * resources. If NO_SCHEME_CHECK is set, the function tries to parse
+ * the URL in the same way it would do for an HTTP style URI.
+ */
+gpg_error_t
+http_parse_uri (parsed_uri_t *ret_uri, const char *uri,
+ int no_scheme_check)
+{
+ return parse_uri (ret_uri, uri, no_scheme_check, 0);
+}
+
+
void
http_release_parsed_uri (parsed_uri_t uri)
{
@@ -920,7 +960,8 @@ http_release_parsed_uri (parsed_uri_t uri)
static gpg_err_code_t
-do_parse_uri (parsed_uri_t uri, int only_local_part, int no_scheme_check)
+do_parse_uri (parsed_uri_t uri, int only_local_part,
+ int no_scheme_check, int force_tls)
{
uri_tuple_t *tail;
char *p, *p2, *p3, *pp;
@@ -951,18 +992,20 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, int no_scheme_check)
for (pp=p; *pp; pp++)
*pp = tolower (*(unsigned char*)pp);
uri->scheme = p;
- if (!strcmp (uri->scheme, "http"))
+ if (!strcmp (uri->scheme, "http") && !force_tls)
{
uri->port = 80;
uri->is_http = 1;
}
- else if (!strcmp (uri->scheme, "hkp"))
+ else if (!strcmp (uri->scheme, "hkp") && !force_tls)
{
uri->port = 11371;
uri->is_http = 1;
}
#ifdef HTTP_USE_GNUTLS
- else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps"))
+ else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps")
+ || (force_tls && (!strcmp (uri->scheme, "http")
+ || !strcmp (uri->scheme,"hkp"))))
{
uri->port = 443;
uri->is_http = 1;
@@ -1329,7 +1372,8 @@ send_request (http_t hd, const char *auth,
if (proxy)
http_proxy = proxy;
- err = http_parse_uri (&uri, http_proxy, 0);
+ err = parse_uri (&uri, http_proxy, 0,
+ !!(hd->flags & HTTP_FLAG_FORCE_TLS));
if (err)
{
log_error ("invalid HTTP proxy (%s): %s\n",
@@ -1412,17 +1456,17 @@ send_request (http_t hd, const char *auth,
return gpg_err_make (default_errsource, GPG_ERR_NETWORK);
}
+ hd->session->verify.done = 0;
if (tls_callback)
+ err = tls_callback (hd, hd->session, 0);
+ else
+ err = http_verify_server_credentials (hd->session);
+ if (err)
{
- hd->session->verify.done = 0;
- err = tls_callback (hd, hd->session, 0);
- if (err)
- {
- log_info ("TLS connection authentication failed: %s\n",
- gpg_strerror (err));
- xfree (proxy_authstr);
- return err;
- }
+ log_info ("TLS connection authentication failed: %s\n",
+ gpg_strerror (err));
+ xfree (proxy_authstr);
+ return err;
}
}
#endif /*HTTP_USE_GNUTLS*/
diff --git a/common/http.h b/common/http.h
index e38fadcf4..fa73b6e59 100644
--- a/common/http.h
+++ b/common/http.h
@@ -77,6 +77,7 @@ enum
HTTP_FLAG_TRY_PROXY = 1, /* Try to use a proxy. */
HTTP_FLAG_SHUTDOWN = 2, /* Close sending end after the request. */
HTTP_FLAG_LOG_RESP = 8, /* Log the server respone. */
+ HTTP_FLAG_FORCE_TLS = 16, /* Force the use opf TLS. */
HTTP_FLAG_IGNORE_CL = 32, /* Ignore content-length. */
HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */
HTTP_FLAG_IGNORE_IPv6 = 128 /* Do not use IPv6. */
@@ -133,6 +134,7 @@ gpg_error_t http_open_document (http_t *r_hd,
estream_t http_get_read_ptr (http_t hd);
estream_t http_get_write_ptr (http_t hd);
unsigned int http_get_status_code (http_t hd);
+const char *http_get_tls_info (http_t hd, const char *what);
const char *http_get_header (http_t hd, const char *name);
const char **http_get_header_names (http_t hd);
gpg_error_t http_verify_server_credentials (http_session_t sess);
diff --git a/common/t-http.c b/common/t-http.c
index f515287a1..0191e8519 100644
--- a/common/t-http.c
+++ b/common/t-http.c
@@ -46,7 +46,11 @@
# include <gnutls/gnutls.h> /* For init, logging, and deinit. */
#endif /*HTTP_USE_GNUTLS*/
+#define PGM "t-http"
+static int verbose;
+static int debug;
+static int no_verify;
/* static void */
/* read_dh_params (const char *fname) */
@@ -98,7 +102,7 @@ verify_callback (http_t hd, http_session_t session, int reserved)
{
(void)hd;
(void)reserved;
- return http_verify_server_credentials (session);
+ return no_verify? 0 : http_verify_server_credentials (session);
}
@@ -131,23 +135,92 @@ prepend_srcdir (const char *fname)
int
main (int argc, char **argv)
{
+ int last_argc = -1;
gpg_error_t err;
int rc;
parsed_uri_t uri;
uri_tuple_t r;
http_t hd;
int c;
+ unsigned int my_http_flags = 0;
+ int no_out = 0;
+ const char *cafile = NULL;
http_session_t session = NULL;
es_init ();
- log_set_prefix ("t-http", 1 | 4);
- if (argc != 2)
+ log_set_prefix (PGM, 1 | 4);
+ if (argc)
+ { argc--; argv++; }
+ while (argc && last_argc != argc )
{
- fprintf (stderr, "usage: t-http uri\n");
- return 1;
+ last_argc = argc;
+ if (!strcmp (*argv, "--"))
+ {
+ argc--; argv++;
+ break;
+ }
+ else if (!strcmp (*argv, "--help"))
+ {
+ fputs ("usage: " PGM " URL\n"
+ "Options:\n"
+ " --verbose print timings etc.\n"
+ " --debug flyswatter\n"
+ " --cacert FNAME expect CA certificate in file FNAME\n"
+ " --no-verify do not verify the certificate\n"
+ " --force-tls use HTTP_FLAG_FORCE_TLS\n"
+ " --no-out do not print the content\n",
+ stdout);
+ exit (0);
+ }
+ else if (!strcmp (*argv, "--verbose"))
+ {
+ verbose++;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--debug"))
+ {
+ verbose += 2;
+ debug++;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--cacert"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ cafile = *argv;
+ argc--; argv++;
+ }
+ }
+ else if (!strcmp (*argv, "--no-verify"))
+ {
+ no_verify = 1;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--force-tls"))
+ {
+ my_http_flags |= HTTP_FLAG_FORCE_TLS;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--no-out"))
+ {
+ no_out = 1;
+ argc--; argv++;
+ }
+ else if (!strncmp (*argv, "--", 2))
+ {
+ fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
+ exit (1);
+ }
+ }
+ if (argc != 1)
+ {
+ fprintf (stderr, PGM ": no or roo many URLS given\n");
+ exit (1);
}
- argc--;
- argv++;
+
+ if (!cafile)
+ cafile = prepend_srcdir ("tls-ca.pem");
#ifdef HTTP_USE_GNUTLS
rc = gnutls_global_init ();
@@ -155,7 +228,7 @@ main (int argc, char **argv)
log_error ("gnutls_global_init failed: %s\n", gnutls_strerror (rc));
http_register_tls_callback (verify_callback);
- http_register_tls_ca (prepend_srcdir ("tls-ca.pem"));
+ http_register_tls_ca (cafile);
err = http_session_new (&session, NULL);
if (err)
@@ -217,11 +290,17 @@ main (int argc, char **argv)
}
putchar ('\n');
}
+ printf ("TLS : %s\n",
+ uri->use_tls? "yes":
+ (my_http_flags&HTTP_FLAG_FORCE_TLS)? "forced" : "no");
+
}
+ fflush (stdout);
http_release_parsed_uri (uri);
uri = NULL;
- rc = http_open_document (&hd, *argv, NULL, 0, NULL, session, NULL, NULL);
+ rc = http_open_document (&hd, *argv, NULL, my_http_flags,
+ NULL, session, NULL, NULL);
if (rc)
{
log_error ("can't get '%s': %s\n", *argv, gpg_strerror (rc));
@@ -242,6 +321,7 @@ main (int argc, char **argv)
printf ("HDR: %s: %s\n", names[i], http_get_header (hd, names[i]));
xfree (names);
}
+ fflush (stdout);
switch (http_get_status_code (hd))
{
@@ -250,12 +330,21 @@ main (int argc, char **argv)
case 401:
case 403:
case 404:
- while ((c = es_getc (http_get_read_ptr (hd))) != EOF)
- putchar (c);
+ {
+ unsigned long count = 0;
+ while ((c = es_getc (http_get_read_ptr (hd))) != EOF)
+ {
+ count++;
+ if (!no_out)
+ putchar (c);
+ }
+ log_info ("Received bytes: %lu\n", count);
+ }
break;
case 301:
case 302:
- printf ("Redirected to '%s'\n", http_get_header (hd, "Location"));
+ case 307:
+ log_info ("Redirected to: %s\n", http_get_header (hd, "Location"));
break;
}
http_close (hd, 0);
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-01 21:02:44 +0100