authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-06-22 14:14:07 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-06-27 20:54:34 +0200
commitf5863ab35f8afbc8d0354dbea08d41e0df2ce292 (patch)
tree580aa2db1a4196a3d143fadb593a4253c3e9b775
parent241d579382e939e893b238e5fd0604cc174ffd80 (diff)
gnutls-serv: when post-handshake auth is asked; require a certificate
This allows testing post-handshake authentication using gnutls-serv. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/common.c6
-rw-r--r--src/common.h2
-rw-r--r--src/serv.c16
-rw-r--r--src/udp-serv.c4
4 files changed, 21 insertions, 7 deletions
diff --git a/src/common.c b/src/common.c
index fb98100677..24b8aa21e0 100644
--- a/src/common.c
+++ b/src/common.c
@@ -914,7 +914,7 @@ void print_list(const char *priorities, int verbose)
}
}
-int check_command(gnutls_session_t session, const char *str)
+int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cert)
{
size_t len = strnlen(str, 128);
int ret;
@@ -932,6 +932,10 @@ int check_command(gnutls_session_t session, const char *str)
} else if (strncmp
(str, "**REAUTH**",
sizeof("**REAUTH**") - 1) == 0) {
+ /* in case we have a re-auth cmd prepare for it */
+ if (no_cli_cert)
+ gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
+
fprintf(stderr,
"*** Sending re-auth request\n");
do {
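Review bot: The new `no_cli_cert` parameter and the raised request level in the **REAUTH** branch are undocumented, and nothing in the hunk lowers the level again, so once one **REAUTH** has been processed every later reauthentication on the same session also requires a certificate (presumably fine for a test server, but worth stating). A short header comment on `check_command` (signature hunk above) would capture the contract the new callers rely on, e.g. `/* Executes a **CMD** found in str. no_cli_cert means the initial handshake did not request a client certificate, so **REAUTH** switches the session to GNUTLS_CERT_REQUIRE before the request is sent. Returns >0 when a command was executed, 0 when str is not a command, <0 on error (as serv.c interprets it). */`. The added comment could also say why the level is raised rather than just "prepare for it". The REAUTH branch continues past the end of the hunk.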
diff --git a/src/common.h b/src/common.h
index 20faf7d521..61227a5af0 100644
--- a/src/common.h
+++ b/src/common.h
@@ -69,7 +69,7 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
const char *raw_to_string(const unsigned char *raw, size_t raw_size);
const char *raw_to_hex(const unsigned char *raw, size_t raw_size);
const char *raw_to_base64(const unsigned char *raw, size_t raw_size);
-int check_command(gnutls_session_t session, const char *str);
+int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cert);
int
pin_callback(void *user, int attempt, const char *token_url,
diff --git a/src/serv.c b/src/serv.c
index 34996d1792..42b4887bdc 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -939,9 +939,12 @@ get_response(gnutls_session_t session, char *request,
if (http != 0) {
*response = peer_print_info(session, response_length, h);
} else {
+ int ret;
strip(request);
- fprintf(stderr, "received: %s\n", request);
- if (check_command(session, request)) {
+ fprintf(stderr, "received cmd: %s\n", request);
+
+ ret = check_command(session, request, disable_client_cert);
+ if (ret > 0) {
*response = strdup("Successfully executed command\n");
if (*response == NULL) {
fprintf(stderr, "Memory error\n");
@@ -949,9 +952,14 @@ get_response(gnutls_session_t session, char *request,
}
*response_length = strlen(*response);
return;
+ } else if (ret == 0) {
+ *response = strdup(request);
+ *response_length = ((*response) ? strlen(*response) : 0);
+ } else {
+ do {
+ ret = gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_UNEXPECTED_MESSAGE);
+ } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
}
- *response = strdup(request);
- *response_length = ((*response) ? strlen(*response) : 0);
}
return;
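Review bot: In the new `else` branch (ret < 0) `*response` and `*response_length` are left untouched, whereas the removed lines assigned them on every path; unless the caller of get_response initialises both (the function's start is outside the hunk), it may read an indeterminate pointer after the alert has been sent. Assign them explicitly before the alert loop, e.g. `*response = NULL; *response_length = 0;`. The loop also discards the final result of gnutls_alert_send, so a non-retry failure is invisible; an `fprintf(stderr, ...)` on `ret < 0` after the loop would match the surrounding diagnostics.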
diff --git a/src/udp-serv.c b/src/udp-serv.c
index 46e1e70878..fdaa0fb886 100644
--- a/src/udp-serv.c
+++ b/src/udp-serv.c
@@ -39,6 +39,8 @@
#include "serv-args.h"
#include "list.h"
+extern int disable_client_cert;
+
typedef struct {
gnutls_session_t session;
int fd;
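Review bot: `extern int disable_client_cert;` is declared locally in udp-serv.c rather than in a shared header, so this declaration and the definition (presumably in serv.c, not shown here) are never checked against each other by the compiler; moving it into serv-args.h or common.h, both already included above, keeps a single point of truth. Relatedly, the call in the second hunk keeps `== 0` as the only test, so a negative return from check_command, which serv.c in this same commit treats as an error and answers with a fatal alert, is silently dropped on the UDP path; either the same alert handling or a comment such as `/* ret < 0: command failed, nothing is sent back */` would make that deliberate.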
@@ -207,7 +209,7 @@ void udp_server(const char *name, int port, int mtu)
sequence[3], sequence[4], sequence[5],
sequence[6], sequence[7], buffer);
- if (check_command(session, buffer) == 0) {
+ if (check_command(session, buffer, disable_client_cert) == 0) {
/* reply back */
ret =
gnutls_record_send(session, buffer,