Client cert renegotiation in http #687
Conversation
fAuernigg
force-pushed
the
client_cert_renegotiation_in_http
branch
from
121ef13
to
6476e0d
Compare
include/re_tls.h
Outdated
| int tls_renegotiate(const struct tls_conn *tc); | ||
| int tls_disable_session_on_reneg(struct tls_conn *tc); | ||
| int tls_set_posthandshake_auth(struct tls *tls, int enabled); | ||
| #endif |
There was a problem hiding this comment.
We should try to avoid ifdef in public APIs, its fine if libre.so is build with Libressl and a application is build with openssl.
There was a problem hiding this comment.
BTW: any chance to make these new apis LibreSSL compatible?
include/re_tls.h
Outdated
| @@ -8,6 +8,10 @@ struct tls; | |||
| struct tls_conn; | |||
| struct tcp_conn; | |||
| struct udp_sock; | |||
| #if !defined(LIBRESSL_VERSION_NUMBER) | |||
| struct x509_store_ctx_st; | |||
| typedef struct x509_store_ctx_st X509_STORE_CTX; | |||
There was a problem hiding this comment.
The TLS api should be generic to not to be bound to a specific ssl library.
fAuernigg
force-pushed
the
client_cert_renegotiation_in_http
branch
12 times, most recently
from
adb661a
to
811e5de
Compare
| @@ -28,6 +28,10 @@ enum tls_keytype { | |||
| TLS_KEYTYPE_EC, | |||
| }; | |||
|
|
|||
| struct tls_conn_d { | |||
| int (*verify_cb) (int ok, void *d); | |||
| void *verify_d; | |||
There was a problem hiding this comment.
rename to
struct tls_conn_d {
int (*verifyh) (int ok, void *arg);
void *arg;
| @@ -46,6 +50,10 @@ int tls_set_certificate_der(struct tls *tls, enum tls_keytype keytype, | |||
| const uint8_t *key, size_t len_key); | |||
| int tls_set_certificate(struct tls *tls, const char *cert, size_t len); | |||
| void tls_set_verify_client(struct tls *tls); | |||
| void tls_set_verify_client_trust_all(struct tls *tls); | |||
| int tls_set_conn_verify_client_handler(struct tls_conn *tc, int depth, | |||
| int (*cb) (int ok, void *d), void *d); | |||
There was a problem hiding this comment.
rename to
int tls_set_verify_client_handler(struct tls_conn *tc, int depth,
int (*verifyh) (int ok, void *arg), void *arg);
include/re_tls.h
Outdated
|
|
||
| /* TCP */ | ||
|
|
||
| int tls_conn_change_cert(struct tls_conn *tc, const char *file); | ||
| int tls_start_tcp(struct tls_conn **ptc, struct tls *tls, | ||
| struct tcp_conn *tcp, int layer); | ||
|
|
||
| int tls_conn_verify_client_post_handshake(struct tls_conn *tc); |
There was a problem hiding this comment.
rename
int tls_verify_client_post_handshake(struct tls_conn *tc);
include/re_tls.h
Outdated
|
|
||
| /* TCP */ | ||
|
|
||
| int tls_conn_change_cert(struct tls_conn *tc, const char *file); | ||
| int tls_start_tcp(struct tls_conn **ptc, struct tls *tls, | ||
| struct tcp_conn *tcp, int layer); | ||
|
|
||
| int tls_conn_verify_client_post_handshake(struct tls_conn *tc); | ||
| const char* tls_conn_version(struct tls_conn *tc); |
There was a problem hiding this comment.
rename to
const char* tls_version(struct tls_conn *tc);
src/http/client.c
Outdated
| if (n < (size_t)s) { | ||
| mem_deref(buf); | ||
| return EIO; | ||
| while ((n=fread(buf+idx, 1, PEMBUF_SIZE, f)) == PEMBUF_SIZE) { |
There was a problem hiding this comment.
maybe we should use the portable function fs_fopen()
src/http/client.c
Outdated
| return ENOMEM; | ||
| } | ||
| buf = nbuf; | ||
| memset(buf+idx, 0, PEMBUF_SIZE); |
There was a problem hiding this comment.
We should use mbuf:
struct mbuf *cert;
struct mbuf *key;Please try this patch:
http_client_read_mbuf.patch.zip
src/tls/openssl/tls.c
Outdated
| @@ -39,6 +40,7 @@ struct session_reuse { | |||
| struct hash *ht_sessions; | |||
| }; | |||
|
|
|||
|
|
|||
src/tls/openssl/tls.c
Outdated
| @@ -61,6 +63,7 @@ struct tls_cert { | |||
| char *host; | |||
| }; | |||
|
|
|||
|
|
|||
| * Set TLS server context to request certificate from peer | ||
| * and set trust all certificates of peer. | ||
| * | ||
| * @deprecated Use tls_set_verify_peer_trust_all instead |
There was a problem hiding this comment.
please prepare also a PR for baresip to replace the deprecated function:
./modules/dtls_srtp/dtls_srtp.c:534: tls_set_verify_client(tls);
There was a problem hiding this comment.
| @@ -28,6 +28,7 @@ | |||
| struct tls_conn { | |||
| SSL *ssl; /* inheritance */ | |||
| struct tls *tls; /* inheritance */ | |||
| struct tls_conn_d cd; /* inheritance */ | |||
There was a problem hiding this comment.
"struct tls_conn_d cd;" is inherited in tls.c and defined in tls_*.c simliar to tls and ssl.
| @@ -60,6 +60,7 @@ struct dtls_sock { | |||
| struct tls_conn { | |||
| SSL *ssl; /* inheritance */ | |||
| struct tls *tls; /* inheritance */ | |||
| struct tls_conn_d cd; /* inheritance */ | |||
fAuernigg
force-pushed
the
client_cert_renegotiation_in_http
branch
from
811e5de
to
98c6d9a
Compare
Add tls_set_conn_verify_client_handler, tls_renegotiate, tls_disable_session_on_reneg, tls_set_posthandshake_auth, tls_conn_verify_client_post_handshake, tls_conn_version Add http_sock_tls
fAuernigg
force-pushed
the
client_cert_renegotiation_in_http
branch
from
98c6d9a
to
e240a55
Compare
|
this patch is quite large, around 1100 lines is it possible to split it up into smaller parts, for easier review ? |
The libre test added in this PR #713 requires new api's to test renegotiation in the http server. This test requires #712 to fix renegotiation in the tls state machine under TLS v1.2 So what I wanted to say is PR #713 will never have the green light for test ok until TLS #712 / #711 was merged. |
Add server support for certificate renegotiation.
Fix tls state machine on client and server for tls1.2 renegotiation.
Feature Commits:
tls: handle client hello/finished state during tls 1.2 renegotiation
tls: handle server done state during tls 1.2 renegotiation
Commits with new Apis:
tls, http: add tls and http apis for renegotiation
Add tls_set_conn_verify_client_handler,
tls_renegotiate, tls_disable_session_on_reneg,
tls_set_posthandshake_auth, tls_conn_verify_client_post_handshake,
tls_conn_version
Add http_sock_tls
Commit to fix retest on win32:
http: fix read_file on win32 (incorrect get fsize)