diff --git a/common/http.c b/common/http.c index e5516e81e..590893db8 100644 --- a/common/http.c +++ b/common/http.c @@ -161,7 +161,9 @@ typedef void * gnutls_session_t; #endif static gpg_err_code_t do_parse_uri (parsed_uri_t uri, int only_local_part, - int no_scheme_check); + int no_scheme_check, int force_tls); +static gpg_error_t parse_uri (parsed_uri_t *ret_uri, const char *uri, + int no_scheme_check, int force_tls); static int remove_escapes (char *string); static int insert_escapes (char *buffer, const char *string, const char *special); @@ -463,7 +465,9 @@ make_header_line (const char *prefix, const char *suffix, -/* Register the global TLS callback fucntion. */ +/* Register a non-standard global TLS callback function. If no + verification is desired a callback needs to be registered which + always returns NULL. */ void http_register_tls_callback (gpg_error_t (*cb)(http_t, http_session_t, int)) { @@ -473,15 +477,24 @@ http_register_tls_callback (gpg_error_t (*cb)(http_t, http_session_t, int)) /* Register a CA certificate for future use. The certificate is expected to be in FNAME. PEM format is assume if FNAME has a - suffix of ".pem" */ + suffix of ".pem". If FNAME is NULL the list of CA files is + removed. */ void http_register_tls_ca (const char *fname) { strlist_t sl; - sl = add_to_strlist (&tls_ca_certlist, fname); - if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem")) - sl->flags = 1; + if (!fname) + { + free_strlist (tls_ca_certlist); + tls_ca_certlist = NULL; + } + else + { + sl = add_to_strlist (&tls_ca_certlist, fname); + if (*sl->d && !strcmp (sl->d + strlen (sl->d) - 4, ".pem")) + sl->flags = 1; + } } @@ -614,7 +627,7 @@ http_open (http_t *r_hd, http_req_t reqtype, const char *url, hd->flags = flags; hd->session = session; - err = http_parse_uri (&hd->uri, url, 0); + err = parse_uri (&hd->uri, url, 0, !!(flags & HTTP_FLAG_FORCE_TLS)); if (!err) err = send_request (hd, auth, proxy, srvtag, headers); @@ -875,8 +888,46 @@ http_get_status_code (http_t hd) return hd?hd->status_code:0; } +/* Return information pertaining to TLS. If TLS is not in use for HD, + NULL is returned. WHAT is used ask for specific information: + + (NULL) := Only check whether TLS is is use. Returns an + unspecified string if TLS is in use. That string may + even be the empty string. + */ +const char * +http_get_tls_info (http_t hd, const char *what) +{ + (void)what; + + if (!hd) + return NULL; + + return hd->uri->use_tls? "":NULL; +} + +static gpg_error_t +parse_uri (parsed_uri_t *ret_uri, const char *uri, + int no_scheme_check, int force_tls) +{ + gpg_err_code_t ec; + + *ret_uri = xtrycalloc (1, sizeof **ret_uri + strlen (uri)); + if (!*ret_uri) + return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); + strcpy ((*ret_uri)->buffer, uri); + ec = do_parse_uri (*ret_uri, 0, no_scheme_check, force_tls); + if (ec) + { + xfree (*ret_uri); + *ret_uri = NULL; + } + return gpg_err_make (default_errsource, ec); +} + + /* * Parse an URI and put the result into the newly allocated RET_URI. * On success the caller must use release_parsed_uri() to releases the @@ -887,21 +938,10 @@ gpg_error_t http_parse_uri (parsed_uri_t *ret_uri, const char *uri, int no_scheme_check) { - gpg_err_code_t ec; - - *ret_uri = xtrycalloc (1, sizeof **ret_uri + strlen (uri)); - if (!*ret_uri) - return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); - strcpy ((*ret_uri)->buffer, uri); - ec = do_parse_uri (*ret_uri, 0, no_scheme_check); - if (ec) - { - xfree (*ret_uri); - *ret_uri = NULL; - } - return gpg_err_make (default_errsource, ec); + return parse_uri (ret_uri, uri, no_scheme_check, 0); } + void http_release_parsed_uri (parsed_uri_t uri) { @@ -920,7 +960,8 @@ http_release_parsed_uri (parsed_uri_t uri) static gpg_err_code_t -do_parse_uri (parsed_uri_t uri, int only_local_part, int no_scheme_check) +do_parse_uri (parsed_uri_t uri, int only_local_part, + int no_scheme_check, int force_tls) { uri_tuple_t *tail; char *p, *p2, *p3, *pp; @@ -951,18 +992,20 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, int no_scheme_check) for (pp=p; *pp; pp++) *pp = tolower (*(unsigned char*)pp); uri->scheme = p; - if (!strcmp (uri->scheme, "http")) + if (!strcmp (uri->scheme, "http") && !force_tls) { uri->port = 80; uri->is_http = 1; } - else if (!strcmp (uri->scheme, "hkp")) + else if (!strcmp (uri->scheme, "hkp") && !force_tls) { uri->port = 11371; uri->is_http = 1; } #ifdef HTTP_USE_GNUTLS - else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps")) + else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps") + || (force_tls && (!strcmp (uri->scheme, "http") + || !strcmp (uri->scheme,"hkp")))) { uri->port = 443; uri->is_http = 1; @@ -1329,7 +1372,8 @@ send_request (http_t hd, const char *auth, if (proxy) http_proxy = proxy; - err = http_parse_uri (&uri, http_proxy, 0); + err = parse_uri (&uri, http_proxy, 0, + !!(hd->flags & HTTP_FLAG_FORCE_TLS)); if (err) { log_error ("invalid HTTP proxy (%s): %s\n", @@ -1412,17 +1456,17 @@ send_request (http_t hd, const char *auth, return gpg_err_make (default_errsource, GPG_ERR_NETWORK); } + hd->session->verify.done = 0; if (tls_callback) + err = tls_callback (hd, hd->session, 0); + else + err = http_verify_server_credentials (hd->session); + if (err) { - hd->session->verify.done = 0; - err = tls_callback (hd, hd->session, 0); - if (err) - { - log_info ("TLS connection authentication failed: %s\n", - gpg_strerror (err)); - xfree (proxy_authstr); - return err; - } + log_info ("TLS connection authentication failed: %s\n", + gpg_strerror (err)); + xfree (proxy_authstr); + return err; } } #endif /*HTTP_USE_GNUTLS*/ diff --git a/common/http.h b/common/http.h index e38fadcf4..fa73b6e59 100644 --- a/common/http.h +++ b/common/http.h @@ -77,6 +77,7 @@ enum HTTP_FLAG_TRY_PROXY = 1, /* Try to use a proxy. */ HTTP_FLAG_SHUTDOWN = 2, /* Close sending end after the request. */ HTTP_FLAG_LOG_RESP = 8, /* Log the server respone. */ + HTTP_FLAG_FORCE_TLS = 16, /* Force the use opf TLS. */ HTTP_FLAG_IGNORE_CL = 32, /* Ignore content-length. */ HTTP_FLAG_IGNORE_IPv4 = 64, /* Do not use IPv4. */ HTTP_FLAG_IGNORE_IPv6 = 128 /* Do not use IPv6. */ @@ -133,6 +134,7 @@ gpg_error_t http_open_document (http_t *r_hd, estream_t http_get_read_ptr (http_t hd); estream_t http_get_write_ptr (http_t hd); unsigned int http_get_status_code (http_t hd); +const char *http_get_tls_info (http_t hd, const char *what); const char *http_get_header (http_t hd, const char *name); const char **http_get_header_names (http_t hd); gpg_error_t http_verify_server_credentials (http_session_t sess); diff --git a/common/t-http.c b/common/t-http.c index f515287a1..0191e8519 100644 --- a/common/t-http.c +++ b/common/t-http.c @@ -46,7 +46,11 @@ # include /* For init, logging, and deinit. */ #endif /*HTTP_USE_GNUTLS*/ +#define PGM "t-http" +static int verbose; +static int debug; +static int no_verify; /* static void */ /* read_dh_params (const char *fname) */ @@ -98,7 +102,7 @@ verify_callback (http_t hd, http_session_t session, int reserved) { (void)hd; (void)reserved; - return http_verify_server_credentials (session); + return no_verify? 0 : http_verify_server_credentials (session); } @@ -131,23 +135,92 @@ prepend_srcdir (const char *fname) int main (int argc, char **argv) { + int last_argc = -1; gpg_error_t err; int rc; parsed_uri_t uri; uri_tuple_t r; http_t hd; int c; + unsigned int my_http_flags = 0; + int no_out = 0; + const char *cafile = NULL; http_session_t session = NULL; es_init (); - log_set_prefix ("t-http", 1 | 4); - if (argc != 2) + log_set_prefix (PGM, 1 | 4); + if (argc) + { argc--; argv++; } + while (argc && last_argc != argc ) { - fprintf (stderr, "usage: t-http uri\n"); - return 1; + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--help")) + { + fputs ("usage: " PGM " URL\n" + "Options:\n" + " --verbose print timings etc.\n" + " --debug flyswatter\n" + " --cacert FNAME expect CA certificate in file FNAME\n" + " --no-verify do not verify the certificate\n" + " --force-tls use HTTP_FLAG_FORCE_TLS\n" + " --no-out do not print the content\n", + stdout); + exit (0); + } + else if (!strcmp (*argv, "--verbose")) + { + verbose++; + argc--; argv++; + } + else if (!strcmp (*argv, "--debug")) + { + verbose += 2; + debug++; + argc--; argv++; + } + else if (!strcmp (*argv, "--cacert")) + { + argc--; argv++; + if (argc) + { + cafile = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "--no-verify")) + { + no_verify = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--force-tls")) + { + my_http_flags |= HTTP_FLAG_FORCE_TLS; + argc--; argv++; + } + else if (!strcmp (*argv, "--no-out")) + { + no_out = 1; + argc--; argv++; + } + else if (!strncmp (*argv, "--", 2)) + { + fprintf (stderr, PGM ": unknown option '%s'\n", *argv); + exit (1); + } } - argc--; - argv++; + if (argc != 1) + { + fprintf (stderr, PGM ": no or roo many URLS given\n"); + exit (1); + } + + if (!cafile) + cafile = prepend_srcdir ("tls-ca.pem"); #ifdef HTTP_USE_GNUTLS rc = gnutls_global_init (); @@ -155,7 +228,7 @@ main (int argc, char **argv) log_error ("gnutls_global_init failed: %s\n", gnutls_strerror (rc)); http_register_tls_callback (verify_callback); - http_register_tls_ca (prepend_srcdir ("tls-ca.pem")); + http_register_tls_ca (cafile); err = http_session_new (&session, NULL); if (err) @@ -217,11 +290,17 @@ main (int argc, char **argv) } putchar ('\n'); } + printf ("TLS : %s\n", + uri->use_tls? "yes": + (my_http_flags&HTTP_FLAG_FORCE_TLS)? "forced" : "no"); + } + fflush (stdout); http_release_parsed_uri (uri); uri = NULL; - rc = http_open_document (&hd, *argv, NULL, 0, NULL, session, NULL, NULL); + rc = http_open_document (&hd, *argv, NULL, my_http_flags, + NULL, session, NULL, NULL); if (rc) { log_error ("can't get '%s': %s\n", *argv, gpg_strerror (rc)); @@ -242,6 +321,7 @@ main (int argc, char **argv) printf ("HDR: %s: %s\n", names[i], http_get_header (hd, names[i])); xfree (names); } + fflush (stdout); switch (http_get_status_code (hd)) { @@ -250,12 +330,21 @@ main (int argc, char **argv) case 401: case 403: case 404: - while ((c = es_getc (http_get_read_ptr (hd))) != EOF) - putchar (c); + { + unsigned long count = 0; + while ((c = es_getc (http_get_read_ptr (hd))) != EOF) + { + count++; + if (!no_out) + putchar (c); + } + log_info ("Received bytes: %lu\n", count); + } break; case 301: case 302: - printf ("Redirected to '%s'\n", http_get_header (hd, "Location")); + case 307: + log_info ("Redirected to: %s\n", http_get_header (hd, "Location")); break; } http_close (hd, 0);