[GNUnet-SVN] [gnurl] 68/220: mesalink: implement client authentication
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 68/220: mesalink: implement client authentication |
Date: |
Thu, 12 Sep 2019 17:27:08 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 9b5f2ad329c4401c16de2e6d24a54b9d0f5478d7
Author: Yiming Jing <address@hidden>
AuthorDate: Thu Aug 1 15:20:30 2019 -0700
mesalink: implement client authentication
Closes #4184
---
lib/vtls/mesalink.c | 62 ++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 49 insertions(+), 13 deletions(-)
diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
index 7ca4f0eac..9507888bd 100644
--- a/lib/vtls/mesalink.c
+++ b/lib/vtls/mesalink.c
@@ -73,6 +73,17 @@ struct ssl_backend_data
static Curl_recv mesalink_recv;
static Curl_send mesalink_send;
+static int do_file_type(const char *type)
+{
+ if(!type || !type[0])
+ return SSL_FILETYPE_PEM;
+ if(strcasecompare(type, "PEM"))
+ return SSL_FILETYPE_PEM;
+ if(strcasecompare(type, "DER"))
+ return SSL_FILETYPE_ASN1;
+ return -1;
+}
+
/*
* This function loads all the client/CA certificates and CRLs. Setup the TLS
* layer and do all necessary magic.
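Review bot: do_file_type carries no comment stating its contract, and the -1 result for an unrecognised type string is the case a caller must check before handing the value to the MesaLink loaders, so it deserves to be spelled out at the definition. A header comment along the lines of `/* Map curl's cert/key type string to an SSL_FILETYPE_* value: NULL, "" and "PEM" give SSL_FILETYPE_PEM, "DER" gives SSL_FILETYPE_ASN1, anything else returns -1 and must be rejected by the caller. */` would make that visible. The comparison is case-insensitive via strcasecompare, so "pem"/"der" are accepted too; worth saying so if that is intended.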
@@ -83,9 +94,6 @@ mesalink_connect_step1(struct connectdata *conn, int
sockindex)
char *ciphers;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
- const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
- const char *const ssl_cafile = SSL_CONN_CONFIG(CAfile);
- const char *const ssl_capath = SSL_CONN_CONFIG(CApath);
struct in_addr addr4;
#ifdef ENABLE_IPV6
struct in6_addr addr6;
@@ -142,21 +150,25 @@ mesalink_connect_step1(struct connectdata *conn, int
sockindex)
}
SSL_CTX_set_verify(
- BACKEND->ctx, verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
+ BACKEND->ctx, SSL_CONN_CONFIG(verifypeer) ?
+ SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
- if(ssl_cafile || ssl_capath) {
- if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
- if(verifypeer) {
+ if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath)) {
+ if(!SSL_CTX_load_verify_locations(BACKEND->ctx, SSL_CONN_CONFIG(CAfile),
+ SSL_CONN_CONFIG(CApath))) {
+ if(SSL_CONN_CONFIG(verifypeer)) {
failf(data,
"error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s",
- ssl_cafile ? ssl_cafile : "none",
- ssl_capath ? ssl_capath : "none");
+ SSL_CONN_CONFIG(CAfile) ?
+ SSL_CONN_CONFIG(CAfile) : "none",
+ SSL_CONN_CONFIG(CApath) ?
+ SSL_CONN_CONFIG(CApath) : "none");
return CURLE_SSL_CACERT_BADFILE;
}
infof(data,
- "error setting certificate verify locations,"
- " continuing anyway:\n");
+ "error setting certificate verify locations,"
+ " continuing anyway:\n");
}
else {
infof(data, "successfully set certificate verify locations:\n");
@@ -164,8 +176,32 @@ mesalink_connect_step1(struct connectdata *conn, int
sockindex)
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
- ssl_cafile ? ssl_cafile : "none",
- ssl_capath ? ssl_capath : "none");
+ SSL_CONN_CONFIG(CAfile)?
+ SSL_CONN_CONFIG(CAfile): "none",
+ SSL_CONN_CONFIG(CApath)?
+ SSL_CONN_CONFIG(CApath): "none");
+ }
+
+ if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
+ int file_type = do_file_type(SSL_SET_OPTION(cert_type));
+
+ if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx, SSL_SET_OPTION(cert),
+ file_type) != 1) {
+ failf(data, "unable to use client certificate (no key or wrong pass"
+ " phrase?)");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ file_type = do_file_type(SSL_SET_OPTION(key_type));
+ if(SSL_CTX_use_PrivateKey_file(BACKEND->ctx, SSL_SET_OPTION(key),
+ file_type) != 1) {
+ failf(data, "unable to set private key");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ infof(data,
+ "client cert: %s\n",
+ SSL_CONN_CONFIG(clientcert)?
+ SSL_CONN_CONFIG(clientcert): "none");
}
ciphers = SSL_CONN_CONFIG(cipher_list);
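Review bot: The file_type value computed from do_file_type is passed straight to SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file without checking for the -1 it returns on an unsupported cert_type/key_type, so an option such as an unknown type string surfaces as the misleading "unable to use client certificate (no key or wrong pass phrase?)" message rather than naming the actual cause; a `file_type < 0` guard before each loader call fixes that (sketch below). The guard `SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)` also silently skips client authentication when a cert is given without a key; if this backend is not meant to fall back to the cert file for the key as other vtls backends appear to do, at least an `else if(SSL_SET_OPTION(cert)) infof(data, "client cert given without key, skipping client auth\n");` would stop the user from believing client auth is in effect. The closing infof logs `SSL_CONN_CONFIG(clientcert)` although the file actually loaded is `SSL_SET_OPTION(cert)`; if those are distinct settings this can print "none" right after a cert was loaded, so logging SSL_SET_OPTION(cert) is the consistent choice. mesalink_connect_step1 starts before and continues past this hunk.
```c
  if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
    int file_type = do_file_type(SSL_SET_OPTION(cert_type));

    /* do_file_type returns -1 for a type it does not know */
    if(file_type < 0) {
      failf(data, "unsupported client certificate type: %s",
            SSL_SET_OPTION(cert_type));
      return CURLE_SSL_CONNECT_ERROR;
    }
    /* … unchanged: SSL_CTX_use_certificate_chain_file call and its failf … */

    file_type = do_file_type(SSL_SET_OPTION(key_type));
    if(file_type < 0) {
      failf(data, "unsupported private key type: %s",
            SSL_SET_OPTION(key_type));
      return CURLE_SSL_CONNECT_ERROR;
    }
    /* … unchanged: SSL_CTX_use_PrivateKey_file call, its failf and the infof … */
  }
```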
--