diff options
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | devel/libgnutls-latest-x86_64.abi | 2 | ||||
-rw-r--r-- | devel/symbols.last | 2 | ||||
-rw-r--r-- | doc/Makefile.am | 4 | ||||
-rw-r--r-- | doc/manpages/Makefile.am | 2 | ||||
-rw-r--r-- | lib/cert-cred.c | 35 | ||||
-rw-r--r-- | lib/includes/gnutls/x509.h | 4 | ||||
-rw-r--r-- | lib/libgnutls.map | 2 | ||||
-rw-r--r-- | lib/x509/verify-high.h | 2 | ||||
-rw-r--r-- | src/cli-args.def | 8 | ||||
-rw-r--r-- | src/cli.c | 196 |
11 files changed, 255 insertions, 4 deletions
@@ -12,6 +12,8 @@ See the end for copying conditions. ** API and ABI modifications: gnutls_x509_trust_list_set_getissuer_function: Added +gnutls_x509_trust_list_get_ptr: Added +gnutls_x509_trust_list_set_ptr: Added * Version 3.6.14 (released 2020-06-03) diff --git a/devel/libgnutls-latest-x86_64.abi b/devel/libgnutls-latest-x86_64.abi index 2242bcc785..7f0ddd46c7 100644 --- a/devel/libgnutls-latest-x86_64.abi +++ b/devel/libgnutls-latest-x86_64.abi @@ -1259,6 +1259,7 @@ <elf-symbol name='gnutls_x509_trust_list_get_issuer' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_get_issuer_by_dn' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_get_issuer_by_subject_key_id' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> + <elf-symbol name='gnutls_x509_trust_list_get_ptr' version='GNUTLS_3_7_0' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_init' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_iter_deinit' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_iter_get_ca' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> @@ -1266,6 +1267,7 @@ <elf-symbol name='gnutls_x509_trust_list_remove_trust_file' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_remove_trust_mem' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_set_getissuer_function' version='GNUTLS_3_7_0' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> + <elf-symbol name='gnutls_x509_trust_list_set_ptr' version='GNUTLS_3_7_0' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_verify_crt2' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_verify_crt' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> <elf-symbol name='gnutls_x509_trust_list_verify_named_crt' version='GNUTLS_3_4' is-default-version='yes' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes'/> diff --git a/devel/symbols.last b/devel/symbols.last index d9a5289b7d..c671c3dcda 100644 --- a/devel/symbols.last +++ b/devel/symbols.last @@ -1242,6 +1242,7 @@ gnutls_x509_trust_list_deinit@GNUTLS_3_4 gnutls_x509_trust_list_get_issuer@GNUTLS_3_4 gnutls_x509_trust_list_get_issuer_by_dn@GNUTLS_3_4 gnutls_x509_trust_list_get_issuer_by_subject_key_id@GNUTLS_3_4 +gnutls_x509_trust_list_get_ptr@GNUTLS_3_7_0 gnutls_x509_trust_list_init@GNUTLS_3_4 gnutls_x509_trust_list_iter_deinit@GNUTLS_3_4 gnutls_x509_trust_list_iter_get_ca@GNUTLS_3_4 @@ -1249,6 +1250,7 @@ gnutls_x509_trust_list_remove_cas@GNUTLS_3_4 gnutls_x509_trust_list_remove_trust_file@GNUTLS_3_4 gnutls_x509_trust_list_remove_trust_mem@GNUTLS_3_4 gnutls_x509_trust_list_set_getissuer_function@GNUTLS_3_7_0 +gnutls_x509_trust_list_set_ptr@GNUTLS_3_7_0 gnutls_x509_trust_list_verify_crt2@GNUTLS_3_4 gnutls_x509_trust_list_verify_crt@GNUTLS_3_4 gnutls_x509_trust_list_verify_named_crt@GNUTLS_3_4 diff --git a/doc/Makefile.am b/doc/Makefile.am index d8b2d02ce5..e1834016b1 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -2875,6 +2875,8 @@ FUNCS += functions/gnutls_x509_trust_list_get_issuer_by_dn FUNCS += functions/gnutls_x509_trust_list_get_issuer_by_dn.short FUNCS += functions/gnutls_x509_trust_list_get_issuer_by_subject_key_id FUNCS += functions/gnutls_x509_trust_list_get_issuer_by_subject_key_id.short +FUNCS += functions/gnutls_x509_trust_list_get_ptr +FUNCS += functions/gnutls_x509_trust_list_get_ptr.short FUNCS += functions/gnutls_x509_trust_list_init FUNCS += functions/gnutls_x509_trust_list_init.short FUNCS += functions/gnutls_x509_trust_list_iter_deinit @@ -2889,6 +2891,8 @@ FUNCS += functions/gnutls_x509_trust_list_remove_trust_mem FUNCS += functions/gnutls_x509_trust_list_remove_trust_mem.short FUNCS += functions/gnutls_x509_trust_list_set_getissuer_function FUNCS += functions/gnutls_x509_trust_list_set_getissuer_function.short +FUNCS += functions/gnutls_x509_trust_list_set_ptr +FUNCS += functions/gnutls_x509_trust_list_set_ptr.short FUNCS += functions/gnutls_x509_trust_list_verify_crt FUNCS += functions/gnutls_x509_trust_list_verify_crt.short FUNCS += functions/gnutls_x509_trust_list_verify_crt2 diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am index 6a16687c01..c1043bca4a 100644 --- a/doc/manpages/Makefile.am +++ b/doc/manpages/Makefile.am @@ -1239,6 +1239,7 @@ APIMANS += gnutls_x509_trust_list_deinit.3 APIMANS += gnutls_x509_trust_list_get_issuer.3 APIMANS += gnutls_x509_trust_list_get_issuer_by_dn.3 APIMANS += gnutls_x509_trust_list_get_issuer_by_subject_key_id.3 +APIMANS += gnutls_x509_trust_list_get_ptr.3 APIMANS += gnutls_x509_trust_list_init.3 APIMANS += gnutls_x509_trust_list_iter_deinit.3 APIMANS += gnutls_x509_trust_list_iter_get_ca.3 @@ -1246,6 +1247,7 @@ APIMANS += gnutls_x509_trust_list_remove_cas.3 APIMANS += gnutls_x509_trust_list_remove_trust_file.3 APIMANS += gnutls_x509_trust_list_remove_trust_mem.3 APIMANS += gnutls_x509_trust_list_set_getissuer_function.3 +APIMANS += gnutls_x509_trust_list_set_ptr.3 APIMANS += gnutls_x509_trust_list_verify_crt.3 APIMANS += gnutls_x509_trust_list_verify_crt2.3 APIMANS += gnutls_x509_trust_list_verify_named_crt.3 diff --git a/lib/cert-cred.c b/lib/cert-cred.c index a5b9493ab4..06a7054330 100644 --- a/lib/cert-cred.c +++ b/lib/cert-cred.c @@ -914,6 +914,41 @@ void gnutls_x509_trust_list_set_getissuer_function(gnutls_x509_trust_list_t tlis tlist->issuer_callback = func; } +/** + * gnutls_x509_trust_list_set_ptr: + * @tlist: is a #gnutls_x509_trust_list_t type. + * @ptr: is the user pointer + * + * This function will set (associate) the user given pointer @ptr to + * the tlist structure. This pointer can be accessed with + * gnutls_x509_trust_list_get_ptr(). Useful in the callback function + * gnutls_x509_trust_list_set_getissuer_function. + * + * Since: 3.7.0 + **/ +void gnutls_x509_trust_list_set_ptr(gnutls_x509_trust_list_t tlist, void *ptr) +{ + tlist->usr_ptr = ptr; +} + +/** + * gnutls_x509_trust_list_get_ptr: + * @tlist: is a #gnutls_x509_trust_list_t type. + * + * Get user pointer for tlist. Useful in callback function + * gnutls_x509_trust_list_set_getissuer_function. + * This is the pointer set with gnutls_x509_trust_list_set_ptr(). + * + * Returns: the user given pointer from the tlist structure, or + * %NULL if it was never set. + * + * Since: 3.7.0 + **/ +void *gnutls_x509_trust_list_get_ptr(gnutls_x509_trust_list_t tlist) +{ + return tlist->usr_ptr; +} + #define TEST_TEXT "test text" /* returns error if the certificate has different algorithm than * the given key parameters. diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index 444c9f0494..c0c509dc11 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -1704,6 +1704,10 @@ typedef int gnutls_x509_trust_list_getissuer_function(gnutls_x509_trust_list_t t void gnutls_x509_trust_list_set_getissuer_function(gnutls_x509_trust_list_t tlist, gnutls_x509_trust_list_getissuer_function *func); +void gnutls_x509_trust_list_set_ptr(gnutls_x509_trust_list_t tlist, void *ptr); + +void *gnutls_x509_trust_list_get_ptr(gnutls_x509_trust_list_t tlist); + void gnutls_certificate_set_trust_list (gnutls_certificate_credentials_t res, gnutls_x509_trust_list_t tlist, unsigned flags); diff --git a/lib/libgnutls.map b/lib/libgnutls.map index e29f064a30..61276e5340 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1335,6 +1335,8 @@ GNUTLS_3_7_0 { global: gnutls_x509_trust_list_set_getissuer_function; + gnutls_x509_trust_list_get_ptr; + gnutls_x509_trust_list_set_ptr; local: *; } GNUTLS_3_4; diff --git a/lib/x509/verify-high.h b/lib/x509/verify-high.h index 6ce5f958ae..4cbb29a9c8 100644 --- a/lib/x509/verify-high.h +++ b/lib/x509/verify-high.h @@ -45,6 +45,8 @@ struct gnutls_x509_trust_list_st { /* set this callback if the issuer in the certificate * chain is missing. */ gnutls_x509_trust_list_getissuer_function *issuer_callback; + /* set user pointer. */ + void *usr_ptr; }; int _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, diff --git a/src/cli-args.def b/src/cli-args.def index ac04591325..2279b9cc0a 100644 --- a/src/cli-args.def +++ b/src/cli-args.def @@ -477,6 +477,14 @@ flag = { doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; }; +flag = { + name = ca-auto-retrieve; + descrip = "Enable automatic retrieval of missing CA certificates"; + disabled; + disable = "no"; + doc = "This option enables the client to automatically retrieve the missing intermediate CA certificates in the certificate chain, based on the Authority Information Access (AIA) extension."; +}; + doc-section = { ds-type = 'SEE ALSO'; // or anything else ds-format = 'texi'; // or texi or mdoc format @@ -76,6 +76,11 @@ #define MAX_BUF 4096 +#define HEADER_PATTERN "GET /%s HTTP/1.0\r\n" \ + "Host: %s\r\n" \ + "Accept: */*\r\n" \ + "Connection: close\r\n\r\n" + /* global stuff here */ int resume, starttls, insecure, ranges, rehandshake, udp, mtu, inline_commands, waitresumption; @@ -118,6 +123,10 @@ static gnutls_certificate_credentials_t xcred; static void check_server_cmd(socket_st * socket, int ret); static void init_global_tls_stuff(void); static int cert_verify_ocsp(gnutls_session_t session); +static const char *host_from_url(const char *url, unsigned int *port, const char **path); +static size_t get_data(void *buf, size_t size, size_t nmemb, void *userp); +static int getissuer_callback(const gnutls_x509_trust_list_t tlist, + const gnutls_x509_crt_t cert); #define MAX_CRT 6 static unsigned int x509_crt_size; @@ -1949,6 +1958,7 @@ psk_callback(gnutls_session_t session, char **username, static void init_global_tls_stuff(void) { + gnutls_x509_trust_list_t tlist; int ret; #ifdef ENABLE_PKCS11 @@ -1980,13 +1990,24 @@ static void init_global_tls_stuff(void) gnutls_certificate_set_verify_flags(xcred, global_vflags); gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_VERIFY_CRLS); + if (gnutls_x509_trust_list_init(&tlist, 0) < 0) { + fprintf(stderr, "Trust list allocation memory error\n"); + exit(1); + } + gnutls_certificate_set_trust_list(xcred, tlist, 0); + if (x509_cafile != NULL) { - ret = gnutls_certificate_set_x509_trust_file(xcred, - x509_cafile, - x509ctype); + ret = gnutls_x509_trust_list_add_trust_file(tlist, + x509_cafile, + NULL, + x509ctype, + GNUTLS_TL_USE_IN_TLS, + 0); } else { if (insecure == 0) { - ret = gnutls_certificate_set_x509_system_trust(xcred); + ret = gnutls_x509_trust_list_add_system_trust(tlist, + GNUTLS_TL_USE_IN_TLS, + 0); if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE) { fprintf(stderr, "Warning: this system doesn't support a default trust store\n"); ret = 0; @@ -2002,6 +2023,9 @@ static void init_global_tls_stuff(void) log_msg(stdout, "Processed %d CA certificate(s).\n", ret); } + if (ENABLED_OPT(CA_AUTO_RETRIEVE)) + gnutls_x509_trust_list_set_getissuer_function(tlist, getissuer_callback); + if (x509_crlfile != NULL) { ret = gnutls_certificate_set_x509_crl_file(xcred, @@ -2165,3 +2189,167 @@ cleanup: return ok >= 1 ? (int) ok : -1; } #endif + +/* returns the host part of a URL */ +static const char *host_from_url(const char *url, unsigned int *port, const char **path) +{ + static char buffer[512]; + char *p; + + *port = 0; + *path = ""; + + if ((p = strstr(url, "http://")) != NULL) { + snprintf(buffer, sizeof(buffer), "%s", p + 7); + p = strchr(buffer, '/'); + if (p != NULL) { + *p = 0; + *path = p+1; + } + + p = strchr(buffer, ':'); + if (p != NULL) { + *p = 0; + *port = atoi(p + 1); + } + + return buffer; + } else { + return url; + } +} + +static size_t get_data(void *buf, size_t size, size_t nmemb, void *userp) +{ + gnutls_datum_t *ud = userp; + + size *= nmemb; + + ud->data = realloc(ud->data, size + ud->size); + if (ud->data == NULL) { + fprintf(stderr, "Not enough memory for the request\n"); + exit(1); + } + + memcpy(&ud->data[ud->size], buf, size); + ud->size += size; + + return size; +} + +/* Returns 0 on ok, and -1 on error */ +static int +getissuer_callback(const gnutls_x509_trust_list_t tlist, + const gnutls_x509_crt_t cert) +{ + gnutls_datum_t ud; + int ret; + gnutls_datum_t resp; + char *url = NULL; + char headers[1024]; + char _service[16]; + unsigned char *p; + const char *_hostname; + const char *path = ""; + unsigned i; + unsigned int headers_size = 0, port; + socket_st hd; + gnutls_x509_crt_t issuer; + gnutls_datum_t data = { NULL, 0 }; + static char buffer[MAX_BUF + 1]; + + sockets_init(); + + i = 0; + do { + ret = gnutls_x509_crt_get_authority_info_access(cert, i++, + GNUTLS_IA_CAISSUERS_URI, + &data, + NULL); + } while (ret == GNUTLS_E_UNKNOWN_ALGORITHM); + + if (ret < 0) { + fprintf(stderr, + "*** Cannot find caIssuer URI in certificate: %s\n", + gnutls_strerror(ret)); + return 0; + } + + url = malloc(data.size + 1); + if (url == NULL) { + return -1; + } + memcpy(url, data.data, data.size); + url[data.size] = 0; + + gnutls_free(data.data); + + _hostname = host_from_url(url, &port, &path); + if (port != 0) + snprintf(_service, sizeof(_service), "%u", port); + else + strcpy(_service, "80"); + + fprintf(stderr, "Connecting to caIssuer server: %s...\n", _hostname); + + memset(&ud, 0, sizeof(ud)); + + snprintf(headers, sizeof(headers), HEADER_PATTERN, path, _hostname); + headers_size = strlen(headers); + + socket_open(&hd, _hostname, _service, NULL, SOCKET_FLAG_RAW|SOCKET_FLAG_SKIP_INIT, CONNECT_MSG, NULL); + socket_send(&hd, headers, headers_size); + + do { + ret = socket_recv(&hd, buffer, sizeof(buffer)); + if (ret > 0) + get_data(buffer, ret, 1, &ud); + } while (ret > 0); + + if (ret < 0 || ud.size == 0) { + perror("recv"); + ret = -1; + socket_bye(&hd, 0); + goto cleanup; + } + + socket_bye(&hd, 0); + + p = memmem(ud.data, ud.size, "\r\n\r\n", 4); + if (p == NULL) { + fprintf(stderr, "Cannot interpret HTTP response\n"); + ret = -1; + goto cleanup; + } + p += 4; + resp.size = ud.size - (p - ud.data); + resp.data = p; + + ret = gnutls_x509_crt_init(&issuer); + if (ret < 0) { + fprintf(stderr, "Memory error\n"); + ret = -1; + goto cleanup; + } + ret = gnutls_x509_crt_import(issuer, &resp, GNUTLS_X509_FMT_DER); + if (ret < 0) { + fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); + ret = -1; + goto cleanup; + } + ret = gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0); + if (ret < 0) { + fprintf(stderr, "Memory error\n"); + ret = -1; + goto cleanup; + } + + ret = 0; + +cleanup: + gnutls_free(data.data); + free(ud.data); + free(url); + + return ret; +} |