mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 08:08:50 -05:00
TLS-SRP: support added when using GnuTLS
This commit is contained in:
parent
4f13340ab8
commit
59cf93ccdb
42
configure.ac
42
configure.ac
@ -146,6 +146,7 @@ dnl initialize all the info variables
|
|||||||
curl_krb4_msg="no (--with-krb4*)"
|
curl_krb4_msg="no (--with-krb4*)"
|
||||||
curl_gss_msg="no (--with-gssapi)"
|
curl_gss_msg="no (--with-gssapi)"
|
||||||
curl_spnego_msg="no (--with-spnego)"
|
curl_spnego_msg="no (--with-spnego)"
|
||||||
|
curl_tls_srp_msg="no (--enable-tls-srp)"
|
||||||
curl_res_msg="default (--enable-ares / --enable-threaded-resolver)"
|
curl_res_msg="default (--enable-ares / --enable-threaded-resolver)"
|
||||||
curl_ipv6_msg="no (--enable-ipv6)"
|
curl_ipv6_msg="no (--enable-ipv6)"
|
||||||
curl_idn_msg="no (--with-libidn)"
|
curl_idn_msg="no (--with-libidn)"
|
||||||
@ -1754,6 +1755,17 @@ if test "$GNUTLS_ENABLED" = "1"; then
|
|||||||
])
|
])
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
dnl ---
|
||||||
|
dnl We require GnuTLS with SRP support.
|
||||||
|
dnl ---
|
||||||
|
if test "$GNUTLS_ENABLED" = "1"; then
|
||||||
|
AC_CHECK_LIB(gnutls, gnutls_srp_verifier,
|
||||||
|
[
|
||||||
|
AC_DEFINE(HAVE_GNUTLS_SRP, 1, [if you have the function gnutls_srp_verifier])
|
||||||
|
AC_SUBST(HAVE_GNUTLS_SRP, [1])
|
||||||
|
])
|
||||||
|
fi
|
||||||
|
|
||||||
dnl ----------------------------------------------------
|
dnl ----------------------------------------------------
|
||||||
dnl check for PolarSSL
|
dnl check for PolarSSL
|
||||||
dnl ----------------------------------------------------
|
dnl ----------------------------------------------------
|
||||||
@ -2654,6 +2666,32 @@ AC_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]),
|
|||||||
AC_MSG_RESULT(yes)
|
AC_MSG_RESULT(yes)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
dnl ************************************************************
|
||||||
|
dnl disable TLS-SRP authentication
|
||||||
|
dnl
|
||||||
|
AC_MSG_CHECKING([whether to enable TLS-SRP authentication])
|
||||||
|
AC_ARG_ENABLE(tls-srp,
|
||||||
|
AC_HELP_STRING([--enable-tls-srp],[Enable TLS-SRP authentication])
|
||||||
|
AC_HELP_STRING([--disable-tls-srp],[Disable TLS-SRP authentication]),
|
||||||
|
[ case "$enableval" in
|
||||||
|
no)
|
||||||
|
AC_MSG_RESULT(no)
|
||||||
|
AC_DEFINE(CURL_DISABLE_TLS_SRP, 1, [to disable TLS-SRP authentication])
|
||||||
|
want_tls_srp=no
|
||||||
|
;;
|
||||||
|
*) AC_MSG_RESULT(yes)
|
||||||
|
want_tls_srp=yes
|
||||||
|
;;
|
||||||
|
esac ],
|
||||||
|
AC_MSG_RESULT(yes)
|
||||||
|
want_tls_srp=yes
|
||||||
|
)
|
||||||
|
|
||||||
|
if test "$want_tls_srp" = "yes" && test "x$HAVE_GNUTLS_SRP" = "x1"; then
|
||||||
|
AC_DEFINE(USE_TLS_SRP, 1, [Use TLS-SRP authentication])
|
||||||
|
curl_tls_srp_msg="enabled"
|
||||||
|
fi
|
||||||
|
|
||||||
dnl ************************************************************
|
dnl ************************************************************
|
||||||
dnl disable cookies support
|
dnl disable cookies support
|
||||||
dnl
|
dnl
|
||||||
@ -2802,6 +2840,9 @@ if test "x$USE_SSLEAY" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \
|
|||||||
-o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1"; then
|
-o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1"; then
|
||||||
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
|
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
|
||||||
fi
|
fi
|
||||||
|
if test "x$USE_TLS_SRP" = "x1"; then
|
||||||
|
SUPPORT_FEATURES="$SUPPORT_FEATURES TLS-SRP"
|
||||||
|
fi
|
||||||
|
|
||||||
AC_SUBST(SUPPORT_FEATURES)
|
AC_SUBST(SUPPORT_FEATURES)
|
||||||
|
|
||||||
@ -2945,6 +2986,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
|
|||||||
krb4 support: ${curl_krb4_msg}
|
krb4 support: ${curl_krb4_msg}
|
||||||
GSSAPI support: ${curl_gss_msg}
|
GSSAPI support: ${curl_gss_msg}
|
||||||
SPNEGO support: ${curl_spnego_msg}
|
SPNEGO support: ${curl_spnego_msg}
|
||||||
|
TLS-SRP support: ${curl_tls_srp_msg}
|
||||||
resolver: ${curl_res_msg}
|
resolver: ${curl_res_msg}
|
||||||
ipv6 support: ${curl_ipv6_msg}
|
ipv6 support: ${curl_ipv6_msg}
|
||||||
IDN support: ${curl_idn_msg}
|
IDN support: ${curl_idn_msg}
|
||||||
|
@ -502,6 +502,7 @@ typedef enum {
|
|||||||
CURLE_RTSP_SESSION_ERROR, /* 86 - mismatch of RTSP Session Identifiers */
|
CURLE_RTSP_SESSION_ERROR, /* 86 - mismatch of RTSP Session Identifiers */
|
||||||
CURLE_FTP_BAD_FILE_LIST, /* 87 - unable to parse FTP file list */
|
CURLE_FTP_BAD_FILE_LIST, /* 87 - unable to parse FTP file list */
|
||||||
CURLE_CHUNK_FAILED, /* 88 - chunk callback reported error */
|
CURLE_CHUNK_FAILED, /* 88 - chunk callback reported error */
|
||||||
|
CURLE_TLSAUTH_FAILED, /* 89 - Failed TLS authentication */
|
||||||
|
|
||||||
CURL_LAST /* never use! */
|
CURL_LAST /* never use! */
|
||||||
} CURLcode;
|
} CURLcode;
|
||||||
@ -1442,6 +1443,15 @@ typedef enum {
|
|||||||
/* send linked-list of name:port:address sets */
|
/* send linked-list of name:port:address sets */
|
||||||
CINIT(RESOLVE, OBJECTPOINT, 203),
|
CINIT(RESOLVE, OBJECTPOINT, 203),
|
||||||
|
|
||||||
|
/* Set a username for authenticated TLS */
|
||||||
|
CINIT(TLSAUTH_USERNAME, OBJECTPOINT, 204),
|
||||||
|
|
||||||
|
/* Set a password for authenticated TLS */
|
||||||
|
CINIT(TLSAUTH_PASSWORD, OBJECTPOINT, 205),
|
||||||
|
|
||||||
|
/* Set authentication type for authenticated TLS */
|
||||||
|
CINIT(TLSAUTH_TYPE, OBJECTPOINT, 206),
|
||||||
|
|
||||||
CURLOPT_LASTENTRY /* the last unused */
|
CURLOPT_LASTENTRY /* the last unused */
|
||||||
} CURLoption;
|
} CURLoption;
|
||||||
|
|
||||||
@ -1538,6 +1548,12 @@ enum {
|
|||||||
CURL_SSLVERSION_LAST /* never use, keep last */
|
CURL_SSLVERSION_LAST /* never use, keep last */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enum CURL_TLSAUTH {
|
||||||
|
CURL_TLSAUTH_NONE,
|
||||||
|
CURL_TLSAUTH_SRP,
|
||||||
|
CURL_TLSAUTH_LAST /* never use, keep last */
|
||||||
|
};
|
||||||
|
|
||||||
/* symbols to use with CURLOPT_POSTREDIR.
|
/* symbols to use with CURLOPT_POSTREDIR.
|
||||||
CURL_REDIR_POST_301 and CURL_REDIR_POST_302 can be bitwise ORed so that
|
CURL_REDIR_POST_301 and CURL_REDIR_POST_302 can be bitwise ORed so that
|
||||||
CURL_REDIR_POST_301 | CURL_REDIR_POST_302 == CURL_REDIR_POST_ALL */
|
CURL_REDIR_POST_301 | CURL_REDIR_POST_302 == CURL_REDIR_POST_ALL */
|
||||||
@ -2043,6 +2059,7 @@ typedef struct {
|
|||||||
#define CURL_VERSION_SSPI (1<<11) /* SSPI is supported */
|
#define CURL_VERSION_SSPI (1<<11) /* SSPI is supported */
|
||||||
#define CURL_VERSION_CONV (1<<12) /* character conversions supported */
|
#define CURL_VERSION_CONV (1<<12) /* character conversions supported */
|
||||||
#define CURL_VERSION_CURLDEBUG (1<<13) /* debug memory tracking supported */
|
#define CURL_VERSION_CURLDEBUG (1<<13) /* debug memory tracking supported */
|
||||||
|
#define CURL_VERSION_TLSAUTH_SRP (1<<14) /* TLS-SRP auth is supported */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* NAME curl_version_info()
|
* NAME curl_version_info()
|
||||||
|
63
lib/gtls.c
63
lib/gtls.c
@ -346,6 +346,29 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
return CURLE_SSL_CONNECT_ERROR;
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
|
||||||
|
infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
|
||||||
|
|
||||||
|
rc = gnutls_srp_allocate_client_credentials(
|
||||||
|
&conn->ssl[sockindex].srp_client_cred);
|
||||||
|
if(rc != GNUTLS_E_SUCCESS) {
|
||||||
|
failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
|
||||||
|
gnutls_strerror(rc));
|
||||||
|
return CURLE_TLSAUTH_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
rc = gnutls_srp_set_client_credentials(conn->ssl[sockindex].srp_client_cred,
|
||||||
|
data->set.ssl.username,
|
||||||
|
data->set.ssl.password);
|
||||||
|
if(rc != GNUTLS_E_SUCCESS) {
|
||||||
|
failf(data, "gnutls_srp_set_client_cred() failed: %s",
|
||||||
|
gnutls_strerror(rc));
|
||||||
|
return CURLE_TLSAUTH_FAILED;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if(data->set.ssl.CAfile) {
|
if(data->set.ssl.CAfile) {
|
||||||
/* set the trusted CA cert bundle file */
|
/* set the trusted CA cert bundle file */
|
||||||
gnutls_certificate_set_verify_flags(conn->ssl[sockindex].cred,
|
gnutls_certificate_set_verify_flags(conn->ssl[sockindex].cred,
|
||||||
@ -431,7 +454,16 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
/* put the credentials to the current session */
|
/* put the credentials to the current session */
|
||||||
|
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
|
||||||
|
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
||||||
|
conn->ssl[sockindex].srp_client_cred);
|
||||||
|
if (rc != GNUTLS_E_SUCCESS) {
|
||||||
|
failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
|
||||||
|
}
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
|
rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
|
||||||
conn->ssl[sockindex].cred);
|
conn->ssl[sockindex].cred);
|
||||||
|
|
||||||
@ -496,8 +528,21 @@ gtls_connect_step3(struct connectdata *conn,
|
|||||||
if(data->set.ssl.verifypeer ||
|
if(data->set.ssl.verifypeer ||
|
||||||
data->set.ssl.verifyhost ||
|
data->set.ssl.verifyhost ||
|
||||||
data->set.ssl.issuercert) {
|
data->set.ssl.issuercert) {
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP
|
||||||
|
&& data->set.ssl.username != NULL
|
||||||
|
&& !data->set.ssl.verifypeer
|
||||||
|
&& gnutls_cipher_get(session)) {
|
||||||
|
/* no peer cert, but auth is ok if we have SRP user and cipher and no
|
||||||
|
peer verify */
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
#endif
|
||||||
failf(data, "failed to get server cert");
|
failf(data, "failed to get server cert");
|
||||||
return CURLE_PEER_FAILED_VERIFICATION;
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
infof(data, "\t common name: WARNING couldn't obtain\n");
|
infof(data, "\t common name: WARNING couldn't obtain\n");
|
||||||
}
|
}
|
||||||
@ -530,8 +575,10 @@ gtls_connect_step3(struct connectdata *conn,
|
|||||||
else
|
else
|
||||||
infof(data, "\t server certificate verification OK\n");
|
infof(data, "\t server certificate verification OK\n");
|
||||||
}
|
}
|
||||||
else
|
else {
|
||||||
infof(data, "\t server certificate verification SKIPPED\n");
|
infof(data, "\t server certificate verification SKIPPED\n");
|
||||||
|
goto after_server_cert_verification;
|
||||||
|
}
|
||||||
|
|
||||||
/* initialize an X.509 certificate structure. */
|
/* initialize an X.509 certificate structure. */
|
||||||
gnutls_x509_crt_init(&x509_cert);
|
gnutls_x509_crt_init(&x509_cert);
|
||||||
@ -661,6 +708,8 @@ gtls_connect_step3(struct connectdata *conn,
|
|||||||
|
|
||||||
gnutls_x509_crt_deinit(x509_cert);
|
gnutls_x509_crt_deinit(x509_cert);
|
||||||
|
|
||||||
|
after_server_cert_verification:
|
||||||
|
|
||||||
/* compression algorithm (if any) */
|
/* compression algorithm (if any) */
|
||||||
ptr = gnutls_compression_get_name(gnutls_compression_get(session));
|
ptr = gnutls_compression_get_name(gnutls_compression_get(session));
|
||||||
/* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */
|
/* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */
|
||||||
@ -820,6 +869,12 @@ static void close_one(struct connectdata *conn,
|
|||||||
gnutls_certificate_free_credentials(conn->ssl[idx].cred);
|
gnutls_certificate_free_credentials(conn->ssl[idx].cred);
|
||||||
conn->ssl[idx].cred = NULL;
|
conn->ssl[idx].cred = NULL;
|
||||||
}
|
}
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if (conn->ssl[idx].srp_client_cred) {
|
||||||
|
gnutls_srp_free_client_credentials(conn->ssl[idx].srp_client_cred);
|
||||||
|
conn->ssl[idx].srp_client_cred = NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
void Curl_gtls_close(struct connectdata *conn, int sockindex)
|
void Curl_gtls_close(struct connectdata *conn, int sockindex)
|
||||||
@ -889,6 +944,12 @@ int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
|
|||||||
}
|
}
|
||||||
gnutls_certificate_free_credentials(conn->ssl[sockindex].cred);
|
gnutls_certificate_free_credentials(conn->ssl[sockindex].cred);
|
||||||
|
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP
|
||||||
|
&& data->set.ssl.username != NULL)
|
||||||
|
gnutls_srp_free_client_credentials(conn->ssl[sockindex].srp_client_cred);
|
||||||
|
#endif
|
||||||
|
|
||||||
conn->ssl[sockindex].cred = NULL;
|
conn->ssl[sockindex].cred = NULL;
|
||||||
conn->ssl[sockindex].session = NULL;
|
conn->ssl[sockindex].session = NULL;
|
||||||
|
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
* | (__| |_| | _ <| |___
|
* | (__| |_| | _ <| |___
|
||||||
* \___|\___/|_| \_\_____|
|
* \___|\___/|_| \_\_____|
|
||||||
*
|
*
|
||||||
* Copyright (C) 2004 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
|
* Copyright (C) 2004 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
*
|
*
|
||||||
* This software is licensed as described in the file COPYING, which
|
* This software is licensed as described in the file COPYING, which
|
||||||
* you should have received as part of this distribution. The terms
|
* you should have received as part of this distribution. The terms
|
||||||
@ -281,6 +281,9 @@ curl_easy_strerror(CURLcode error)
|
|||||||
case CURLE_CHUNK_FAILED:
|
case CURLE_CHUNK_FAILED:
|
||||||
return "Chunk callback failed";
|
return "Chunk callback failed";
|
||||||
|
|
||||||
|
case CURLE_TLSAUTH_FAILED:
|
||||||
|
return "TLS Authentication failed";
|
||||||
|
|
||||||
/* error codes not used by current libcurl */
|
/* error codes not used by current libcurl */
|
||||||
case CURLE_OBSOLETE4:
|
case CURLE_OBSOLETE4:
|
||||||
case CURLE_OBSOLETE10:
|
case CURLE_OBSOLETE10:
|
||||||
|
27
lib/url.c
27
lib/url.c
@ -751,6 +751,9 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
|
|||||||
*/
|
*/
|
||||||
set->ssl.verifypeer = TRUE;
|
set->ssl.verifypeer = TRUE;
|
||||||
set->ssl.verifyhost = 2;
|
set->ssl.verifyhost = 2;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
set->ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
#endif
|
||||||
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
|
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
|
||||||
type */
|
type */
|
||||||
set->ssl.sessionid = TRUE; /* session ID caching enabled by default */
|
set->ssl.sessionid = TRUE; /* session ID caching enabled by default */
|
||||||
@ -2526,6 +2529,26 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
|
|||||||
case CURLOPT_FNMATCH_DATA:
|
case CURLOPT_FNMATCH_DATA:
|
||||||
data->set.fnmatch_data = va_arg(param, void *);
|
data->set.fnmatch_data = va_arg(param, void *);
|
||||||
break;
|
break;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
case CURLOPT_TLSAUTH_USERNAME:
|
||||||
|
result = setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
||||||
|
va_arg(param, char *));
|
||||||
|
if (data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
case CURLOPT_TLSAUTH_PASSWORD:
|
||||||
|
result = setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||||||
|
va_arg(param, char *));
|
||||||
|
if (data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
case CURLOPT_TLSAUTH_TYPE:
|
||||||
|
if (strncmp((char *)va_arg(param, char *), "SRP", strlen("SRP")) == 0)
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
else
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
default:
|
default:
|
||||||
/* unknown tag and its companion, just ignore: */
|
/* unknown tag and its companion, just ignore: */
|
||||||
result = CURLE_FAILED_INIT; /* correct this */
|
result = CURLE_FAILED_INIT; /* correct this */
|
||||||
@ -4929,6 +4952,10 @@ static CURLcode create_conn(struct SessionHandle *data,
|
|||||||
data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
||||||
data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
||||||
data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
|
data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
|
data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
|
#endif
|
||||||
|
|
||||||
if(!Curl_clone_ssl_config(&data->set.ssl, &conn->ssl_config))
|
if(!Curl_clone_ssl_config(&data->set.ssl, &conn->ssl_config))
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
@ -251,6 +251,9 @@ struct ssl_connect_data {
|
|||||||
#ifdef USE_GNUTLS
|
#ifdef USE_GNUTLS
|
||||||
gnutls_session session;
|
gnutls_session session;
|
||||||
gnutls_certificate_credentials cred;
|
gnutls_certificate_credentials cred;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
gnutls_srp_client_credentials srp_client_cred;
|
||||||
|
#endif
|
||||||
ssl_connect_state connecting_state;
|
ssl_connect_state connecting_state;
|
||||||
#endif /* USE_GNUTLS */
|
#endif /* USE_GNUTLS */
|
||||||
#ifdef USE_POLARSSL
|
#ifdef USE_POLARSSL
|
||||||
@ -300,6 +303,12 @@ struct ssl_config_data {
|
|||||||
void *fsslctxp; /* parameter for call back */
|
void *fsslctxp; /* parameter for call back */
|
||||||
bool sessionid; /* cache session IDs or not */
|
bool sessionid; /* cache session IDs or not */
|
||||||
bool certinfo; /* gather lots of certificate info */
|
bool certinfo; /* gather lots of certificate info */
|
||||||
|
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
char *username; /* TLS username (for, e.g., SRP) */
|
||||||
|
char *password; /* TLS password (for, e.g., SRP) */
|
||||||
|
enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||||||
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
/* information stored about one single SSL session */
|
/* information stored about one single SSL session */
|
||||||
@ -1315,6 +1324,11 @@ enum dupstring {
|
|||||||
#endif
|
#endif
|
||||||
STRING_MAIL_FROM,
|
STRING_MAIL_FROM,
|
||||||
|
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
STRING_TLSAUTH_USERNAME, /* TLS auth <username> */
|
||||||
|
STRING_TLSAUTH_PASSWORD, /* TLS auth <password> */
|
||||||
|
#endif
|
||||||
|
|
||||||
/* -- end of strings -- */
|
/* -- end of strings -- */
|
||||||
STRING_LAST /* not used, just an end-of-list marker */
|
STRING_LAST /* not used, just an end-of-list marker */
|
||||||
};
|
};
|
||||||
|
@ -264,6 +264,9 @@ static curl_version_info_data version_info = {
|
|||||||
#endif
|
#endif
|
||||||
#if defined(CURL_DOES_CONVERSIONS)
|
#if defined(CURL_DOES_CONVERSIONS)
|
||||||
| CURL_VERSION_CONV
|
| CURL_VERSION_CONV
|
||||||
|
#endif
|
||||||
|
#if defined(USE_TLS_SRP)
|
||||||
|
| CURL_VERSION_TLSAUTH_SRP
|
||||||
#endif
|
#endif
|
||||||
,
|
,
|
||||||
NULL, /* ssl_version */
|
NULL, /* ssl_version */
|
||||||
|
50
src/main.c
50
src/main.c
@ -503,6 +503,9 @@ struct Configurable {
|
|||||||
long low_speed_time;
|
long low_speed_time;
|
||||||
bool showerror;
|
bool showerror;
|
||||||
char *userpwd;
|
char *userpwd;
|
||||||
|
char *tls_username;
|
||||||
|
char *tls_password;
|
||||||
|
char *tls_authtype;
|
||||||
char *proxyuserpwd;
|
char *proxyuserpwd;
|
||||||
char *proxy;
|
char *proxy;
|
||||||
int proxyver; /* set to CURLPROXY_HTTP* define */
|
int proxyver; /* set to CURLPROXY_HTTP* define */
|
||||||
@ -903,6 +906,11 @@ static void help(void)
|
|||||||
" --url <URL> Set URL to work with",
|
" --url <URL> Set URL to work with",
|
||||||
" -B/--use-ascii Use ASCII/text transfer",
|
" -B/--use-ascii Use ASCII/text transfer",
|
||||||
" -u/--user <user[:password]> Set server user and password",
|
" -u/--user <user[:password]> Set server user and password",
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
" --tlsuser <user> Set TLS username",
|
||||||
|
" --tlspassword <string> Set TLS password",
|
||||||
|
" --tlsauthtype <string> Set TLS authentication type (default SRP)",
|
||||||
|
#endif
|
||||||
" -A/--user-agent <string> User-Agent to send to server (H)",
|
" -A/--user-agent <string> User-Agent to send to server (H)",
|
||||||
" -v/--verbose Make the operation more talkative",
|
" -v/--verbose Make the operation more talkative",
|
||||||
" -V/--version Show version number and quit",
|
" -V/--version Show version number and quit",
|
||||||
@ -1916,6 +1924,11 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
|
|||||||
{"Eh","pubkey", TRUE},
|
{"Eh","pubkey", TRUE},
|
||||||
{"Ei", "hostpubmd5", TRUE},
|
{"Ei", "hostpubmd5", TRUE},
|
||||||
{"Ej","crlfile", TRUE},
|
{"Ej","crlfile", TRUE},
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
{"Ek","tlsuser", TRUE},
|
||||||
|
{"El","tlspassword", TRUE},
|
||||||
|
{"Em","tlsauthtype", TRUE},
|
||||||
|
#endif
|
||||||
{"f", "fail", FALSE},
|
{"f", "fail", FALSE},
|
||||||
{"F", "form", TRUE},
|
{"F", "form", TRUE},
|
||||||
{"Fs","form-string", TRUE},
|
{"Fs","form-string", TRUE},
|
||||||
@ -2744,6 +2757,28 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
|
|||||||
/* CRL file */
|
/* CRL file */
|
||||||
GetStr(&config->crlfile, nextarg);
|
GetStr(&config->crlfile, nextarg);
|
||||||
break;
|
break;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
case 'k': /* TLS username */
|
||||||
|
if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) {
|
||||||
|
GetStr(&config->tls_username, nextarg);
|
||||||
|
} else
|
||||||
|
return PARAM_LIBCURL_DOESNT_SUPPORT;
|
||||||
|
break;
|
||||||
|
case 'l': /* TLS password */
|
||||||
|
if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) {
|
||||||
|
GetStr(&config->tls_password, nextarg);
|
||||||
|
} else
|
||||||
|
return PARAM_LIBCURL_DOESNT_SUPPORT;
|
||||||
|
break;
|
||||||
|
case 'm': /* TLS authentication type */
|
||||||
|
if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) {
|
||||||
|
GetStr(&config->tls_authtype, nextarg);
|
||||||
|
if (strncmp(config->tls_authtype, "SRP", strlen("SRP")) != 0)
|
||||||
|
return PARAM_LIBCURL_DOESNT_SUPPORT; /* only support TLS-SRP */
|
||||||
|
} else
|
||||||
|
return PARAM_LIBCURL_DOESNT_SUPPORT;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
default: /* certificate file */
|
default: /* certificate file */
|
||||||
{
|
{
|
||||||
char *ptr = strchr(nextarg, ':');
|
char *ptr = strchr(nextarg, ':');
|
||||||
@ -3122,7 +3157,8 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
|
|||||||
{"SSPI", CURL_VERSION_SSPI},
|
{"SSPI", CURL_VERSION_SSPI},
|
||||||
{"krb4", CURL_VERSION_KERBEROS4},
|
{"krb4", CURL_VERSION_KERBEROS4},
|
||||||
{"libz", CURL_VERSION_LIBZ},
|
{"libz", CURL_VERSION_LIBZ},
|
||||||
{"CharConv", CURL_VERSION_CONV}
|
{"CharConv", CURL_VERSION_CONV},
|
||||||
|
{"TLS-SRP", CURL_VERSION_TLSAUTH_SRP}
|
||||||
};
|
};
|
||||||
printf("Features: ");
|
printf("Features: ");
|
||||||
for(i=0; i<sizeof(feats)/sizeof(feats[0]); i++) {
|
for(i=0; i<sizeof(feats)/sizeof(feats[0]); i++) {
|
||||||
@ -4048,6 +4084,14 @@ static void free_config_fields(struct Configurable *config)
|
|||||||
free(config->hostpubmd5);
|
free(config->hostpubmd5);
|
||||||
if(config->mail_from)
|
if(config->mail_from)
|
||||||
free(config->mail_from);
|
free(config->mail_from);
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if(config->tls_authtype)
|
||||||
|
free(config->tls_authtype);
|
||||||
|
if(config->tls_username)
|
||||||
|
free(config->tls_username);
|
||||||
|
if(config->tls_password)
|
||||||
|
free(config->tls_password);
|
||||||
|
#endif
|
||||||
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
||||||
if(config->socks5_gssapi_service)
|
if(config->socks5_gssapi_service)
|
||||||
free(config->socks5_gssapi_service);
|
free(config->socks5_gssapi_service);
|
||||||
@ -5462,6 +5506,10 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
|
|||||||
/* new in 7.21.3 */
|
/* new in 7.21.3 */
|
||||||
my_setopt(curl, CURLOPT_RESOLVE, config->resolve);
|
my_setopt(curl, CURLOPT_RESOLVE, config->resolve);
|
||||||
|
|
||||||
|
/* TODO: new in ### */
|
||||||
|
curl_easy_setopt(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username);
|
||||||
|
curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password);
|
||||||
|
|
||||||
retry_numretries = config->req_retry;
|
retry_numretries = config->req_retry;
|
||||||
|
|
||||||
retrystart = cutil_tvnow();
|
retrystart = cutil_tvnow();
|
||||||
|
@ -158,6 +158,7 @@ rtsp-ipv6
|
|||||||
imap
|
imap
|
||||||
pop3
|
pop3
|
||||||
smtp
|
smtp
|
||||||
|
http+tls-srp
|
||||||
|
|
||||||
Give only one per line. This subsection is mandatory.
|
Give only one per line. This subsection is mandatory.
|
||||||
</server>
|
</server>
|
||||||
|
3
tests/certs/srp-verifier-conf
Normal file
3
tests/certs/srp-verifier-conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
1:Ewl2hcjiutMd3Fu2lgFnUXWSc67TVyy2vwYCKoS9MLsrdJVT9RgWTCuEqWJrfB6uE3LsE9GkOlaZabS7M29sj5TnzUqOLJMjiwEzArfiLr9WbMRANlF68N5AVLcPWvNx6Zjl3m5Scp0BzJBz9TkgfhzKJZ.WtP3Mv/67I/0wmRZ:2
|
||||||
|
2:dUyyhxav9tgnyIg65wHxkzkb7VIPh4o0lkwfOKiPp4rVJrzLRYVBtb76gKlaO7ef5LYGEw3G.4E0jbMxcYBetDy2YdpiP/3GWJInoBbvYHIRO9uBuxgsFKTKWu7RnR7yTau/IrFTdQ4LY/q.AvoCzMxV0PKvD9Odso/LFIItn8PbTov3VMn/ZEH2SqhtpBUkWtmcIkEflhX/YY/fkBKfBbe27/zUaKUUZEUYZ2H2nlCL60.JIPeZJSzsu/xHDVcx:2
|
||||||
|
3:2iQzj1CagQc/5ctbuJYLWlhtAsPHc7xWVyCPAKFRLWKADpASkqe9djWPFWTNTdeJtL8nAhImCn3Sr/IAdQ1FrGw0WvQUstPx3FO9KNcXOwisOQ1VlL.gheAHYfbYyBaxXL.NcJx9TUwgWDT0hRzFzqSrdGGTN3FgSTA1v4QnHtEygNj3eZ.u0MThqWUaDiP87nqha7XnT66bkTCkQ8.7T8L4KZjIImrNrUftedTTBi.WCi.zlrBxDuOM0da0JbUkQlXqvp0yvJAPpC11nxmmZOAbQOywZGmu9nhZNuwTlxjfIro0FOdthaDTuZRL9VL7MRPUDo/DQEyW.d4H.UIlzp:2
|
2
tests/certs/srp-verifier-db
Normal file
2
tests/certs/srp-verifier-db
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
jsmith:34fPk7u.w3R/M1k2sQ9F.04GZqLKAsqDn44CHGu7ML0M8VWwu1p79OLxi6jRhSNdSM46Kx9GRVyJLXz7eok53..A6X5p3NdnMSYX8WwYrDmuseHDr.eua7gjd04S4EoY4ZuKix2.WGAsMTwk86AmTvcqyzqsH7GDhGOHEhjP5zs:lTjBBoK04K9vTKiL10rI/:1
|
||||||
|
alice:3IIP1g1HDTN6VEUr8DUkMleocoC1cpuFZnmunDaGhMyIsw8LAwCc7ZapWaC66gZSyis4ezSuCqvhsJdwdc.0es2UrH6PBkBQflcQDuC.dEpjhWgAcH2Dw.2qU.E0ApQzLkcKOjXMQ2R6jMBL14kEUPjjHS3aa16yB.Afj3bNPdf:1JxU4GkweUEii6.b0grkzU:1
|
@ -69,7 +69,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \
|
|||||||
test569 test570 test571 test572 test804 test805 test806 test807 test573 \
|
test569 test570 test571 test572 test804 test805 test806 test807 test573 \
|
||||||
test313 test1115 test578 test579 test1116 test1200 test1201 test1202 \
|
test313 test1115 test578 test579 test1116 test1200 test1201 test1202 \
|
||||||
test1203 test1117 test1118 test1119 test1120 test1300 test1301 test1302 \
|
test1203 test1117 test1118 test1119 test1120 test1300 test1301 test1302 \
|
||||||
test1303
|
test1303 test320 test321 test322 test323 test324
|
||||||
|
|
||||||
filecheck:
|
filecheck:
|
||||||
@mkdir test-place; \
|
@mkdir test-place; \
|
||||||
|
95
tests/data/test320
Normal file
95
tests/data/test320
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
<testcase>
|
||||||
|
<info>
|
||||||
|
<keywords>
|
||||||
|
HTTPS
|
||||||
|
HTTP GET
|
||||||
|
TLS-SRP
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
# Server-side
|
||||||
|
<reply>
|
||||||
|
<data nocheck="yes">
|
||||||
|
HTTP/1.0 200 OK
|
||||||
|
Content-type: text/html
|
||||||
|
|
||||||
|
|
||||||
|
<HTML><BODY>
|
||||||
|
<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GNUTLS</a></H1></CENTER>
|
||||||
|
|
||||||
|
|
||||||
|
<p>Session ID: <i>003030000100000001000000000000000030330001000000B062410001000000</i></p>
|
||||||
|
<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5>
|
||||||
|
<p>Connected as user 'jsmith'.</p>
|
||||||
|
<P>
|
||||||
|
<TABLE border=1><TR><TD>Protocol version:</TD><TD>TLS1.2</TD></TR>
|
||||||
|
<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR>
|
||||||
|
<TR><TD>Compression</TD><TD>NULL</TD></TR>
|
||||||
|
<TR><TD>Cipher</TD><TD>AES-128-CBC</TD></TR>
|
||||||
|
<TR><TD>MAC</TD><TD>SHA1</TD></TR>
|
||||||
|
<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_128_CBC_SHA1</TD></TR></p></TABLE>
|
||||||
|
<hr><P>Your HTTP header was:<PRE>User-Agent: curl/7.21.4-DEV (x86_64-apple-darwin10.5.0) libcurl/7.21.4-DEV GnuTLS/2.10.4 zlib/1.2.5 libidn/1.19
|
||||||
|
Host: localhost:9011
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
</PRE></P>
|
||||||
|
</BODY></HTML>
|
||||||
|
|
||||||
|
</data>
|
||||||
|
</reply>
|
||||||
|
|
||||||
|
# Client-side
|
||||||
|
<client>
|
||||||
|
<server>
|
||||||
|
http+tls-srp
|
||||||
|
</server>
|
||||||
|
<features>
|
||||||
|
TLS-SRP
|
||||||
|
</features>
|
||||||
|
<name>
|
||||||
|
simple TLS-SRP HTTPS GET, check user in response
|
||||||
|
</name>
|
||||||
|
<command>
|
||||||
|
--insecure --tlsauthtype SRP --tlsuser jsmith --tlspassword abc https://%HOSTIP:%HTTPTLSSRPPORT
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
# Verify data after the test has been "shot"
|
||||||
|
<verify>
|
||||||
|
<protocol>
|
||||||
|
</protocol>
|
||||||
|
<file name="log/curl320.out" mode="text">
|
||||||
|
HTTP/1.0 200 OK
|
||||||
|
Content-type: text/html
|
||||||
|
|
||||||
|
|
||||||
|
<HTML><BODY>
|
||||||
|
<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GNUTLS</a></H1></CENTER>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5>
|
||||||
|
<p>Connected as user 'jsmith'.</p>
|
||||||
|
<P>
|
||||||
|
<TABLE border=1><TR><TD>
|
||||||
|
<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR>
|
||||||
|
<TR><TD>Compression</TD><TD>NULL</TD></TR>
|
||||||
|
<TR><TD>Cipher</TD><TD>AES-128-CBC</TD></TR>
|
||||||
|
<TR><TD>MAC</TD><TD>SHA1</TD></TR>
|
||||||
|
<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_128_CBC_SHA1</TD></TR></p></TABLE>
|
||||||
|
|
||||||
|
Host: %HOSTIP:%HTTPTLSSRPPORT
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
</PRE></P>
|
||||||
|
</BODY></HTML>
|
||||||
|
|
||||||
|
</file>
|
||||||
|
<stripfile>
|
||||||
|
s/^<p>Session ID:.*//
|
||||||
|
s/^<hr><P>Your HTTP header was:.*//
|
||||||
|
s/Protocol version:.*//
|
||||||
|
</stripfile>
|
||||||
|
</verify>
|
||||||
|
|
||||||
|
</testcase>
|
33
tests/data/test321
Normal file
33
tests/data/test321
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
<testcase>
|
||||||
|
<info>
|
||||||
|
<keywords>
|
||||||
|
HTTPS
|
||||||
|
TLS-SRP
|
||||||
|
FAILURE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
# Client-side
|
||||||
|
<client>
|
||||||
|
<server>
|
||||||
|
http+tls-srp
|
||||||
|
</server>
|
||||||
|
<features>
|
||||||
|
TLS-SRP
|
||||||
|
</features>
|
||||||
|
<name>
|
||||||
|
TLS-SRP with bad username and password
|
||||||
|
</name>
|
||||||
|
<command>
|
||||||
|
--insecure --tlsauthtype SRP --tlsuser baduser --tlspassword badpass https://%HOSTIP:%HTTPTLSSRPPORT
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
# Verify data after the test has been "shot"
|
||||||
|
<verify>
|
||||||
|
<errorcode>
|
||||||
|
35
|
||||||
|
</errorcode>
|
||||||
|
</verify>
|
||||||
|
|
||||||
|
</testcase>
|
33
tests/data/test322
Normal file
33
tests/data/test322
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
<testcase>
|
||||||
|
<info>
|
||||||
|
<keywords>
|
||||||
|
HTTPS
|
||||||
|
TLS-SRP
|
||||||
|
FAILURE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
# Client-side
|
||||||
|
<client>
|
||||||
|
<server>
|
||||||
|
http+tls-srp
|
||||||
|
</server>
|
||||||
|
<features>
|
||||||
|
TLS-SRP
|
||||||
|
</features>
|
||||||
|
<name>
|
||||||
|
TLS-SRP with bad password
|
||||||
|
</name>
|
||||||
|
<command>
|
||||||
|
--insecure --tlsauthtype SRP --tlsuser jsmith --tlspassword badpass https://%HOSTIP:%HTTPTLSSRPPORT
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
# Verify data after the test has been "shot"
|
||||||
|
<verify>
|
||||||
|
<errorcode>
|
||||||
|
35
|
||||||
|
</errorcode>
|
||||||
|
</verify>
|
||||||
|
|
||||||
|
</testcase>
|
33
tests/data/test323
Normal file
33
tests/data/test323
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
<testcase>
|
||||||
|
<info>
|
||||||
|
<keywords>
|
||||||
|
HTTPS
|
||||||
|
TLS-SRP
|
||||||
|
FAILURE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
# Client-side
|
||||||
|
<client>
|
||||||
|
<server>
|
||||||
|
https
|
||||||
|
</server>
|
||||||
|
<features>
|
||||||
|
TLS-SRP
|
||||||
|
</features>
|
||||||
|
<name>
|
||||||
|
TLS-SRP to non-TLS-SRP server
|
||||||
|
</name>
|
||||||
|
<command>
|
||||||
|
--insecure --tlsauthtype SRP --tlsuser jsmith --tlspassword badpass https://%HOSTIP:%HTTPSPORT/want/323
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
# Verify data after the test has been "shot"
|
||||||
|
<verify>
|
||||||
|
<errorcode>
|
||||||
|
35
|
||||||
|
</errorcode>
|
||||||
|
</verify>
|
||||||
|
|
||||||
|
</testcase>
|
33
tests/data/test324
Normal file
33
tests/data/test324
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
<testcase>
|
||||||
|
<info>
|
||||||
|
<keywords>
|
||||||
|
HTTPS
|
||||||
|
TLS-SRP
|
||||||
|
FAILURE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
# Client-side
|
||||||
|
<client>
|
||||||
|
<server>
|
||||||
|
http+tls-srp
|
||||||
|
</server>
|
||||||
|
<features>
|
||||||
|
TLS-SRP
|
||||||
|
</features>
|
||||||
|
<name>
|
||||||
|
TLS-SRP with server cert checking
|
||||||
|
</name>
|
||||||
|
<command> # no --insecure
|
||||||
|
--tlsauthtype SRP --tlsuser jsmith --tlspassword abc https://%HOSTIP:%HTTPTLSSRPPORT/want/323
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
# Verify data after the test has been "shot"
|
||||||
|
<verify>
|
||||||
|
<errorcode>
|
||||||
|
51
|
||||||
|
</errorcode>
|
||||||
|
</verify>
|
||||||
|
|
||||||
|
</testcase>
|
@ -100,6 +100,7 @@ use sshhelp qw(
|
|||||||
find_sshd
|
find_sshd
|
||||||
find_ssh
|
find_ssh
|
||||||
find_sftp
|
find_sftp
|
||||||
|
find_gnutls_serv
|
||||||
sshversioninfo
|
sshversioninfo
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -135,6 +136,7 @@ my $RTSPPORT; # RTSP
|
|||||||
my $RTSP6PORT; # RTSP IPv6 server port
|
my $RTSP6PORT; # RTSP IPv6 server port
|
||||||
my $GOPHERPORT; # Gopher
|
my $GOPHERPORT; # Gopher
|
||||||
my $GOPHER6PORT; # Gopher IPv6 server port
|
my $GOPHER6PORT; # Gopher IPv6 server port
|
||||||
|
my $HTTPTLSSRPPORT; # TLS-SRP HTTP port
|
||||||
|
|
||||||
my $srcdir = $ENV{'srcdir'} || '.';
|
my $srcdir = $ENV{'srcdir'} || '.';
|
||||||
my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
|
my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
|
||||||
@ -202,6 +204,7 @@ my $has_libz; # set if libcurl is built with libz support
|
|||||||
my $has_getrlimit; # set if system has getrlimit()
|
my $has_getrlimit; # set if system has getrlimit()
|
||||||
my $has_ntlm; # set if libcurl is built with NTLM support
|
my $has_ntlm; # set if libcurl is built with NTLM support
|
||||||
my $has_charconv;# set if libcurl is built with CharConv support
|
my $has_charconv;# set if libcurl is built with CharConv support
|
||||||
|
my $has_tls_srp; # set if libcurl is built with TLS-SRP support
|
||||||
|
|
||||||
my $has_openssl; # built with a lib using an OpenSSL-like API
|
my $has_openssl; # built with a lib using an OpenSSL-like API
|
||||||
my $has_gnutls; # built with GnuTLS
|
my $has_gnutls; # built with GnuTLS
|
||||||
@ -334,7 +337,7 @@ sub init_serverpidfile_hash {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for my $proto (('tftp', 'sftp', 'socks', 'ssh', 'rtsp', 'gopher')) {
|
for my $proto (('tftp', 'sftp', 'socks', 'ssh', 'rtsp', 'gopher', 'http+tls-srp')) {
|
||||||
for my $ipvnum ((4, 6)) {
|
for my $ipvnum ((4, 6)) {
|
||||||
for my $idnum ((1, 2)) {
|
for my $idnum ((1, 2)) {
|
||||||
my $serv = servername_id($proto, $ipvnum, $idnum);
|
my $serv = servername_id($proto, $ipvnum, $idnum);
|
||||||
@ -957,6 +960,81 @@ sub verifysftp {
|
|||||||
return $verified;
|
return $verified;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
# Verify that the TLS-SRP HTTP server that runs on $ip, $port is our server.
|
||||||
|
# This also implies that we can speak with it, as there might be occasions when
|
||||||
|
# the server runs fine but we cannot talk to it ("Failed to connect to ::1:
|
||||||
|
# Can't assign requested address" #
|
||||||
|
|
||||||
|
sub verifyhttptlssrp {
|
||||||
|
my ($proto, $ipvnum, $idnum, $ip, $port) = @_;
|
||||||
|
my $server = servername_id($proto, $ipvnum, $idnum);
|
||||||
|
my $pidfile = server_pidfilename($proto, $ipvnum, $idnum);
|
||||||
|
my $pid = 0;
|
||||||
|
my $bonus="";
|
||||||
|
|
||||||
|
my $verifyout = "$LOGDIR/".
|
||||||
|
servername_canon($proto, $ipvnum, $idnum) .'_verify.out';
|
||||||
|
unlink($verifyout) if(-f $verifyout);
|
||||||
|
|
||||||
|
my $verifylog = "$LOGDIR/".
|
||||||
|
servername_canon($proto, $ipvnum, $idnum) .'_verify.log';
|
||||||
|
unlink($verifylog) if(-f $verifylog);
|
||||||
|
|
||||||
|
my $flags = "--max-time $server_response_maxtime ";
|
||||||
|
$flags .= "--output $verifyout ";
|
||||||
|
$flags .= "--verbose ";
|
||||||
|
$flags .= "--globoff ";
|
||||||
|
$flags .= "--insecure ";
|
||||||
|
$flags .= "--tlsauthtype SRP --tlsuser jsmith --tlspassword abc ";
|
||||||
|
$flags .= "\"https://$ip:$port/verifiedserver\"";
|
||||||
|
|
||||||
|
my $cmd = "$VCURL $flags 2>$verifylog";
|
||||||
|
|
||||||
|
# verify if our/any server is running on this port
|
||||||
|
logmsg "RUN: $cmd\n" if($verbose);
|
||||||
|
my $res = runclient($cmd);
|
||||||
|
|
||||||
|
$res >>= 8; # rotate the result
|
||||||
|
if($res & 128) {
|
||||||
|
logmsg "RUN: curl command died with a coredump\n";
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if($res && $verbose) {
|
||||||
|
logmsg "RUN: curl command returned $res\n";
|
||||||
|
if(open(FILE, "<$verifylog")) {
|
||||||
|
while(my $string = <FILE>) {
|
||||||
|
logmsg "RUN: $string" if($string !~ /^([ \t]*)$/);
|
||||||
|
}
|
||||||
|
close(FILE);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
my $data;
|
||||||
|
if(open(FILE, "<$verifyout")) {
|
||||||
|
while(my $string = <FILE>) {
|
||||||
|
$data .= $string;
|
||||||
|
}
|
||||||
|
close(FILE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if($data && ($data =~ /GNUTLS/) && open(FILE, "<$pidfile")) {
|
||||||
|
$pid=0+<FILE>;
|
||||||
|
close(FILE);
|
||||||
|
return $pid;
|
||||||
|
}
|
||||||
|
elsif($res == 6) {
|
||||||
|
# curl: (6) Couldn't resolve host '::1'
|
||||||
|
logmsg "RUN: failed to resolve host (https://$ip:$port/verifiedserver)\n";
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
elsif($data || ($res && ($res != 7))) {
|
||||||
|
logmsg "RUN: Unknown server on our $server port: $port ($res)\n";
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return $pid;
|
||||||
|
}
|
||||||
|
|
||||||
#######################################################################
|
#######################################################################
|
||||||
# STUB for verifying socks
|
# STUB for verifying socks
|
||||||
@ -1001,7 +1079,8 @@ my %protofunc = ('http' => \&verifyhttp,
|
|||||||
'tftp' => \&verifyftp,
|
'tftp' => \&verifyftp,
|
||||||
'ssh' => \&verifyssh,
|
'ssh' => \&verifyssh,
|
||||||
'socks' => \&verifysocks,
|
'socks' => \&verifysocks,
|
||||||
'gopher' => \&verifyhttp);
|
'gopher' => \&verifyhttp,
|
||||||
|
'http+tls-srp' => \&verifyhttptlssrp);
|
||||||
|
|
||||||
sub verifyserver {
|
sub verifyserver {
|
||||||
my ($proto, $ipvnum, $idnum, $ip, $port) = @_;
|
my ($proto, $ipvnum, $idnum, $ip, $port) = @_;
|
||||||
@ -1191,6 +1270,87 @@ sub runhttpsserver {
|
|||||||
return ($httpspid, $pid2);
|
return ($httpspid, $pid2);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
# start the TLS-SRP HTTP server
|
||||||
|
#
|
||||||
|
sub runhttptlssrpserver {
|
||||||
|
my ($verbose) = @_;
|
||||||
|
my $proto = "http+tls-srp";
|
||||||
|
my $ip = $HOSTIP;
|
||||||
|
my $port = $HTTPTLSSRPPORT;
|
||||||
|
my $ipvnum = 4;
|
||||||
|
my $idnum = 1;
|
||||||
|
my $server;
|
||||||
|
my $srvrname;
|
||||||
|
my $pidfile;
|
||||||
|
my $logfile;
|
||||||
|
my $flags = "";
|
||||||
|
|
||||||
|
$server = servername_id($proto, $ipvnum, $idnum);
|
||||||
|
|
||||||
|
$pidfile = $serverpidfile{$server};
|
||||||
|
|
||||||
|
# don't retry if the server doesn't work
|
||||||
|
if ($doesntrun{$pidfile}) {
|
||||||
|
return (0,0);
|
||||||
|
}
|
||||||
|
|
||||||
|
my $pid = processexists($pidfile);
|
||||||
|
if($pid > 0) {
|
||||||
|
stopserver($server, "$pid");
|
||||||
|
}
|
||||||
|
unlink($pidfile) if(-f $pidfile);
|
||||||
|
|
||||||
|
$srvrname = servername_str($proto, $ipvnum, $idnum);
|
||||||
|
|
||||||
|
$logfile = server_logfilename($LOGDIR, $proto, $ipvnum, $idnum);
|
||||||
|
|
||||||
|
$flags .= "--fork " if($forkserver);
|
||||||
|
$flags .= "--http ";
|
||||||
|
$flags .= "-d 1 " if($debugprotocol);
|
||||||
|
$flags .= "--port $port ";
|
||||||
|
$flags .= "--srppasswd certs/srp-verifier-db --srppasswdconf certs/srp-verifier-conf ";
|
||||||
|
$flags .=" >log/gnutls.out 2>&1";
|
||||||
|
|
||||||
|
# Find gnutls-serv
|
||||||
|
my $gnutlsserv = find_gnutls_serv();
|
||||||
|
if(!$gnutlsserv) {
|
||||||
|
logmsg "RUN: cannot find gnutls-serv\n";
|
||||||
|
return (0,0);
|
||||||
|
}
|
||||||
|
my $cmd = "$gnutlsserv $flags";
|
||||||
|
my ($httptlssrppid, $pid2) = startnew($cmd, $pidfile, 1, 1);
|
||||||
|
|
||||||
|
if($httptlssrppid <= 0 || !kill(0, $httptlssrppid)) {
|
||||||
|
# it is NOT alive
|
||||||
|
logmsg "RUN: failed to start the $srvrname server\n";
|
||||||
|
stopserver($server, "$pid2");
|
||||||
|
displaylogs($testnumcheck);
|
||||||
|
$doesntrun{$pidfile} = 1;
|
||||||
|
return (0,0);
|
||||||
|
}
|
||||||
|
|
||||||
|
# Server is up. Verify that we can speak to it.
|
||||||
|
my $pid3 = verifyserver($proto, $ipvnum, $idnum, $ip, $port);
|
||||||
|
if(!$pid3) {
|
||||||
|
logmsg "RUN: $srvrname server failed verification\n";
|
||||||
|
# failed to talk to it properly. Kill the server and return failure
|
||||||
|
stopserver($server, "$httptlssrppid $pid2");
|
||||||
|
displaylogs($testnumcheck);
|
||||||
|
$doesntrun{$pidfile} = 1;
|
||||||
|
return (0,0);
|
||||||
|
}
|
||||||
|
$pid2 = $pid3;
|
||||||
|
|
||||||
|
if($verbose) {
|
||||||
|
logmsg "RUN: $srvrname server is now running PID $httptlssrppid\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
sleep(1);
|
||||||
|
|
||||||
|
return ($httptlssrppid, $pid2);
|
||||||
|
}
|
||||||
|
|
||||||
#######################################################################
|
#######################################################################
|
||||||
# start the pingpong server (FTP, POP3, IMAP, SMTP)
|
# start the pingpong server (FTP, POP3, IMAP, SMTP)
|
||||||
#
|
#
|
||||||
@ -1967,6 +2127,13 @@ sub checksystem {
|
|||||||
# compiled in because the <features> test will fail.
|
# compiled in because the <features> test will fail.
|
||||||
push @protocols, map($_ . "-ipv6", @protocols);
|
push @protocols, map($_ . "-ipv6", @protocols);
|
||||||
|
|
||||||
|
# Hack - we need a different, non-stunnel server to test HTTP
|
||||||
|
# TLS-SRP, but we don't want to add HTTP+TLS-SRP as a protocol
|
||||||
|
# throughout curl
|
||||||
|
if ($has_gnutls) {
|
||||||
|
push @protocols, ('http+tls-srp');
|
||||||
|
}
|
||||||
|
|
||||||
# 'none' is used in test cases to mean no server
|
# 'none' is used in test cases to mean no server
|
||||||
push @protocols, ('none');
|
push @protocols, ('none');
|
||||||
}
|
}
|
||||||
@ -2008,6 +2175,10 @@ sub checksystem {
|
|||||||
# CharConv enabled
|
# CharConv enabled
|
||||||
$has_charconv=1;
|
$has_charconv=1;
|
||||||
}
|
}
|
||||||
|
if($feat =~ /TLS-SRP/i) {
|
||||||
|
# TLS-SRP enabled
|
||||||
|
$has_tls_srp=1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(!$curl) {
|
if(!$curl) {
|
||||||
@ -2171,6 +2342,7 @@ sub subVariables {
|
|||||||
$$thing =~ s/%RTSP6PORT/$RTSP6PORT/g;
|
$$thing =~ s/%RTSP6PORT/$RTSP6PORT/g;
|
||||||
$$thing =~ s/%GOPHERPORT/$GOPHERPORT/g;
|
$$thing =~ s/%GOPHERPORT/$GOPHERPORT/g;
|
||||||
$$thing =~ s/%GOPHER6PORT/$GOPHER6PORT/g;
|
$$thing =~ s/%GOPHER6PORT/$GOPHER6PORT/g;
|
||||||
|
$$thing =~ s/%HTTPTLSSRPPORT/$HTTPTLSSRPPORT/g;
|
||||||
|
|
||||||
# The purpose of FTPTIME2 and FTPTIME3 is to provide times that can be
|
# The purpose of FTPTIME2 and FTPTIME3 is to provide times that can be
|
||||||
# used for time-out tests and that whould work on most hosts as these
|
# used for time-out tests and that whould work on most hosts as these
|
||||||
@ -2354,6 +2526,11 @@ sub singletest {
|
|||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
elsif($f eq "TLS-SRP") {
|
||||||
|
if($has_tls_srp) {
|
||||||
|
next;
|
||||||
|
}
|
||||||
|
}
|
||||||
elsif($f eq "socks") {
|
elsif($f eq "socks") {
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
@ -3257,7 +3434,7 @@ sub startservers {
|
|||||||
for(@what) {
|
for(@what) {
|
||||||
my (@whatlist) = split(/\s+/,$_);
|
my (@whatlist) = split(/\s+/,$_);
|
||||||
my $what = lc($whatlist[0]);
|
my $what = lc($whatlist[0]);
|
||||||
$what =~ s/[^a-z0-9-]//g;
|
$what =~ s/[^a-z0-9-+]//g;
|
||||||
|
|
||||||
my $certfile;
|
my $certfile;
|
||||||
if($what =~ /^(ftp|http|imap|pop3|smtp)s(.*)$/) {
|
if($what =~ /^(ftp|http|imap|pop3|smtp)s(.*)$/) {
|
||||||
@ -3432,6 +3609,20 @@ sub startservers {
|
|||||||
$run{'https'}="$pid $pid2";
|
$run{'https'}="$pid $pid2";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
elsif($what eq "http+tls-srp") {
|
||||||
|
if(!$has_gnutls) {
|
||||||
|
return "no GnuTLS";
|
||||||
|
}
|
||||||
|
if(!$run{'http+tls-srp'}) {
|
||||||
|
($pid, $pid2) = runhttptlssrpserver($verbose);
|
||||||
|
if($pid <= 0) {
|
||||||
|
return "failed starting HTTP+TLS-SRP server (gnutls-serv)";
|
||||||
|
}
|
||||||
|
logmsg sprintf("* pid http+tls-srp => %d %d\n", $pid, $pid2)
|
||||||
|
if($verbose);
|
||||||
|
$run{'http+tls-srp'}="$pid $pid2";
|
||||||
|
}
|
||||||
|
}
|
||||||
elsif($what eq "tftp") {
|
elsif($what eq "tftp") {
|
||||||
if(!$run{'tftp'}) {
|
if(!$run{'tftp'}) {
|
||||||
($pid, $pid2) = runtftpserver("", $verbose);
|
($pid, $pid2) = runtftpserver("", $verbose);
|
||||||
@ -3522,7 +3713,7 @@ sub serverfortest {
|
|||||||
my $proto = lc($_);
|
my $proto = lc($_);
|
||||||
chomp $proto;
|
chomp $proto;
|
||||||
$proto =~ s/\s.*//g; # take first word
|
$proto =~ s/\s.*//g; # take first word
|
||||||
if (! grep /^$proto$/, @protocols) {
|
if (! grep /^\Q$proto\E$/, @protocols) {
|
||||||
if (substr($proto,0,5) ne "socks") {
|
if (substr($proto,0,5) ne "socks") {
|
||||||
return "curl lacks $proto support";
|
return "curl lacks $proto support";
|
||||||
}
|
}
|
||||||
@ -3905,6 +4096,7 @@ $RTSPPORT = $base++;
|
|||||||
$RTSP6PORT = $base++;
|
$RTSP6PORT = $base++;
|
||||||
$GOPHERPORT =$base++;
|
$GOPHERPORT =$base++;
|
||||||
$GOPHER6PORT=$base++;
|
$GOPHER6PORT=$base++;
|
||||||
|
$HTTPTLSSRPPORT=$base++;
|
||||||
|
|
||||||
#######################################################################
|
#######################################################################
|
||||||
# clear and create logging directory:
|
# clear and create logging directory:
|
||||||
|
@ -96,7 +96,7 @@ sub servername_str {
|
|||||||
|
|
||||||
$proto = uc($proto) if($proto);
|
$proto = uc($proto) if($proto);
|
||||||
die "unsupported protocol: $proto" unless($proto &&
|
die "unsupported protocol: $proto" unless($proto &&
|
||||||
($proto =~ /^(((FTP|HTTP|IMAP|POP3|SMTP)S?)|(TFTP|SFTP|SOCKS|SSH|RTSP|GOPHER))$/));
|
($proto =~ /^(((FTP|HTTP|IMAP|POP3|SMTP)S?)|(TFTP|SFTP|SOCKS|SSH|RTSP|GOPHER|HTTP\+TLS-SRP))$/));
|
||||||
|
|
||||||
$ipver = (not $ipver) ? 'ipv4' : lc($ipver);
|
$ipver = (not $ipver) ? 'ipv4' : lc($ipver);
|
||||||
die "unsupported IP version: $ipver" unless($ipver &&
|
die "unsupported IP version: $ipver" unless($ipver &&
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
# | (__| |_| | _ <| |___
|
# | (__| |_| | _ <| |___
|
||||||
# \___|\___/|_| \_\_____|
|
# \___|\___/|_| \_\_____|
|
||||||
#
|
#
|
||||||
# Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
|
# Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
#
|
#
|
||||||
# This software is licensed as described in the file COPYING, which
|
# This software is licensed as described in the file COPYING, which
|
||||||
# you should have received as part of this distribution. The terms
|
# you should have received as part of this distribution. The terms
|
||||||
@ -95,6 +95,7 @@ use vars qw(
|
|||||||
find_sftpsrv
|
find_sftpsrv
|
||||||
find_sftp
|
find_sftp
|
||||||
find_sshkeygen
|
find_sshkeygen
|
||||||
|
find_gnutls_serv
|
||||||
logmsg
|
logmsg
|
||||||
sshversioninfo
|
sshversioninfo
|
||||||
);
|
);
|
||||||
@ -290,6 +291,12 @@ sub find_sfile {
|
|||||||
return find_file($filename, @spath);
|
return find_file($filename, @spath);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#***************************************************************************
|
||||||
|
# Find gnutls-serv and return canonical filename
|
||||||
|
#
|
||||||
|
sub find_gnutls_serv {
|
||||||
|
return find_file("gnutls-serv", split(':', $ENV{PATH}));
|
||||||
|
}
|
||||||
|
|
||||||
#***************************************************************************
|
#***************************************************************************
|
||||||
# Find ssh daemon and return canonical filename
|
# Find ssh daemon and return canonical filename
|
||||||
|
Loading…
Reference in New Issue
Block a user