GothenburgBitFactory/taskwarrior
1
0
Fork 0
mirror of https://github.com/GothenburgBitFactory/taskwarrior.git synced 2025-07-07 20:06:36 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

TLSClient: Labelled GnuTLS calls with version numbers

Browse source
This commit is contained in:
Paul Beckingham 2016-12-19 11:56:47 -05:00
parent c300cff00f
commit e717d13802
1 changed files with 52 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

103
src/TLSClient.cpp
View file

@ -62,17 +62,17 @@ static void gnutls_log_function (int level, const char* message)
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
static int verify_certificate_callback (gnutls_session_t session) static int verify_certificate_callback (gnutls_session_t session)
{ {
const TLSClient* client = (TLSClient*) gnutls_session_get_ptr (session); const TLSClient* client = (TLSClient*) gnutls_session_get_ptr (session); // All
return client->verify_certificate (); return client->verify_certificate ();
} }
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
TLSClient::~TLSClient () TLSClient::~TLSClient ()
{ {
gnutls_deinit (_session); gnutls_deinit (_session); // All
gnutls_certificate_free_credentials (_credentials); gnutls_certificate_free_credentials (_credentials); // All
#if GNUTLS_VERSION_NUMBER < 0x030300 #if GNUTLS_VERSION_NUMBER < 0x030300
gnutls_global_deinit (); gnutls_global_deinit (); // All
#endif #endif
if (_socket) if (_socket)
@ -96,8 +96,8 @@ void TLSClient::debug (int level)
if (level) if (level)
_debug = true; _debug = true;
gnutls_global_set_log_function (gnutls_log_function); gnutls_global_set_log_function (gnutls_log_function); // All
gnutls_global_set_log_level (level); gnutls_global_set_log_level (level); // All
} }
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
@ -133,23 +133,23 @@ void TLSClient::init (
int ret; int ret;
#if GNUTLS_VERSION_NUMBER < 0x030300 #if GNUTLS_VERSION_NUMBER < 0x030300
ret = gnutls_global_init (); ret = gnutls_global_init (); // All
if (ret < 0) if (ret < 0)
throw format ("TLS init error. {1}", gnutls_strerror (ret)); throw format ("TLS init error. {1}", gnutls_strerror (ret)); // All
#endif #endif
ret = gnutls_certificate_allocate_credentials (&_credentials); ret = gnutls_certificate_allocate_credentials (&_credentials); // All
if (ret < 0) if (ret < 0)
throw format ("TLS allocation error. {1}", gnutls_strerror (ret)); throw format ("TLS allocation error. {1}", gnutls_strerror (ret)); // All
if (_ca != "" && if (_ca != "" &&
(ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) // All
throw format ("Bad CA file. {1}", gnutls_strerror (ret)); throw format ("Bad CA file. {1}", gnutls_strerror (ret)); // All
if (_cert != "" && if (_cert != "" &&
_key != "" && _key != "" &&
(ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0) (ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0) // 3.1.11
throw format ("Bad CERT file. {1}", gnutls_strerror (ret)); throw format ("Bad CERT file. {1}", gnutls_strerror (ret)); // All
#if GNUTLS_VERSION_NUMBER >= 0x02090a #if GNUTLS_VERSION_NUMBER >= 0x02090a
// The automatic verification for the server certificate with // The automatic verification for the server certificate with
@ -158,28 +158,28 @@ void TLSClient::init (
// manually after the gnutls handshake. // manually after the gnutls handshake.
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback); gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
#endif #endif
ret = gnutls_init (&_session, GNUTLS_CLIENT); ret = gnutls_init (&_session, GNUTLS_CLIENT); // All
if (ret < 0) if (ret < 0)
throw format ("TLS client init error. {1}", gnutls_strerror (ret)); throw format ("TLS client init error. {1}", gnutls_strerror (ret)); // All
// Use default priorities unless overridden. // Use default priorities unless overridden.
if (_ciphers == "") if (_ciphers == "")
_ciphers = "NORMAL"; _ciphers = "NORMAL";
const char *err; const char *err;
ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err); ret = gnutls_priority_set_direct (_session, _ciphers.c_str (), &err); // All
if (ret < 0) if (ret < 0)
{ {
if (_debug && ret == GNUTLS_E_INVALID_REQUEST) if (_debug && ret == GNUTLS_E_INVALID_REQUEST)
std::cout << "c: ERROR Priority error at: " << err << '\n'; std::cout << "c: ERROR Priority error at: " << err << '\n';
throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret)); throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret)); // All
} }
// Apply the x509 credentials to the current session. // Apply the x509 credentials to the current session.
ret = gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials); ret = gnutls_credentials_set (_session, GNUTLS_CRD_CERTIFICATE, _credentials); // All
if (ret < 0) if (ret < 0)
throw format ("TLS credentials error. {1}", gnutls_strerror (ret)); throw format ("TLS credentials error. {1}", gnutls_strerror (ret)); // All
} }
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
@ -190,7 +190,7 @@ void TLSClient::connect (const std::string& host, const std::string& port)
// Store the TLSClient instance, so that the verification callback can access // Store the TLSClient instance, so that the verification callback can access
// it during the handshake below and call the verifcation method. // it during the handshake below and call the verifcation method.
gnutls_session_set_ptr (_session, (void*) this); gnutls_session_set_ptr (_session, (void*) this); // All
// use IPv4 or IPv6, does not matter. // use IPv4 or IPv6, does not matter.
struct addrinfo hints {}; struct addrinfo hints {};
@ -233,17 +233,18 @@ void TLSClient::connect (const std::string& host, const std::string& port)
throw format (STRING_CMD_SYNC_CONNECT, host, port); throw format (STRING_CMD_SYNC_CONNECT, host, port);
#if GNUTLS_VERSION_NUMBER >= 0x030109 #if GNUTLS_VERSION_NUMBER >= 0x030109
gnutls_transport_set_int (_session, _socket); gnutls_transport_set_int (_session, _socket); // 3.1.9
#else #else
gnutls_transport_set_ptr (_session, (gnutls_transport_ptr_t) (intptr_t) _socket); gnutls_transport_set_ptr (_session, (gnutls_transport_ptr_t) (intptr_t) _socket); // All
#endif #endif
// Perform the TLS handshake // Perform the TLS handshake
do do
{ {
ret = gnutls_handshake (_session); ret = gnutls_handshake (_session); // All
} }
while (ret < 0 && gnutls_error_is_fatal (ret) == 0); while (ret < 0 && gnutls_error_is_fatal (ret) == 0); // All
if (ret < 0) if (ret < 0)
throw format (STRING_CMD_SYNC_HANDSHAKE, gnutls_strerror (ret)); throw format (STRING_CMD_SYNC_HANDSHAKE, gnutls_strerror (ret));
@ -257,14 +258,14 @@ void TLSClient::connect (const std::string& host, const std::string& port)
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR Certificate verification failed.\n"; std::cout << "c: ERROR Certificate verification failed.\n";
throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret)); throw format (STRING_TLS_INIT_FAIL, gnutls_strerror (ret)); // All
} }
#endif #endif
if (_debug) if (_debug)
{ {
#if GNUTLS_VERSION_NUMBER >= 0x03010a #if GNUTLS_VERSION_NUMBER >= 0x03010a
char* desc = gnutls_session_get_desc (_session); char* desc = gnutls_session_get_desc (_session); // 3.1.10
std::cout << "c: INFO Handshake was completed: " << desc << '\n'; std::cout << "c: INFO Handshake was completed: " << desc << '\n';
gnutls_free (desc); gnutls_free (desc);
#else #else
@ -276,7 +277,7 @@ void TLSClient::connect (const std::string& host, const std::string& port)
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
void TLSClient::bye () void TLSClient::bye ()
{ {
gnutls_bye (_session, GNUTLS_SHUT_RDWR); gnutls_bye (_session, GNUTLS_SHUT_RDWR); // All
} }
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
@ -296,11 +297,11 @@ int TLSClient::verify_certificate () const
if (_trust == TLSClient::ignore_hostname) if (_trust == TLSClient::ignore_hostname)
hostname = NULL; hostname = NULL;
int ret = gnutls_certificate_verify_peers3 (_session, hostname, &status); int ret = gnutls_certificate_verify_peers3 (_session, hostname, &status); // 3.1.4
if (ret < 0) if (ret < 0)
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR Certificate verification peers3 failed. " << gnutls_strerror (ret) << '\n'; std::cout << "c: ERROR Certificate verification peers3 failed. " << gnutls_strerror (ret) << '\n'; // All
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
@ -312,11 +313,11 @@ int TLSClient::verify_certificate () const
if (_debug && status) if (_debug && status)
std::cout << "c: ERROR Certificate status=" << status << '\n'; std::cout << "c: ERROR Certificate status=" << status << '\n';
#else #else
int ret = gnutls_certificate_verify_peers2 (_session, &status); int ret = gnutls_certificate_verify_peers2 (_session, &status); // All
if (ret < 0) if (ret < 0)
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR Certificate verification peers2 failed. " << gnutls_strerror (ret) << '\n'; std::cout << "c: ERROR Certificate verification peers2 failed. " << gnutls_strerror (ret) << '\n'; // All
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
@ -325,41 +326,41 @@ int TLSClient::verify_certificate () const
if ((status == 0) && (_trust != TLSClient::ignore_hostname)) if ((status == 0) && (_trust != TLSClient::ignore_hostname))
{ {
if (gnutls_certificate_type_get (_session) == GNUTLS_CRT_X509) if (gnutls_certificate_type_get (_session) == GNUTLS_CRT_X509) // All
{ {
const gnutls_datum* cert_list; const gnutls_datum* cert_list;
unsigned int cert_list_size; unsigned int cert_list_size;
gnutls_x509_crt cert; gnutls_x509_crt cert;
cert_list = gnutls_certificate_get_peers (_session, &cert_list_size); cert_list = gnutls_certificate_get_peers (_session, &cert_list_size); // All
if (cert_list_size == 0) if (cert_list_size == 0)
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR Certificate get peers failed. " << gnutls_strerror (ret) << '\n'; std::cout << "c: ERROR Certificate get peers failed. " << gnutls_strerror (ret) << '\n'; // All
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
ret = gnutls_x509_crt_init (&cert); ret = gnutls_x509_crt_init (&cert); // All
if (ret < 0) if (ret < 0)
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR x509 init failed. " << gnutls_strerror (ret) << '\n'; std::cout << "c: ERROR x509 init failed. " << gnutls_strerror (ret) << '\n'; // All
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
ret = gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER); ret = gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER); // All
if (ret < 0) if (ret < 0)
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR x509 cert import. " << gnutls_strerror (ret) << '\n'; std::cout << "c: ERROR x509 cert import. " << gnutls_strerror (ret) << '\n'; // All
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert); // All
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
if (gnutls_x509_crt_check_hostname (cert, hostname) == 0) if (gnutls_x509_crt_check_hostname (cert, hostname) == 0) // All
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR x509 cert check hostname. " << gnutls_strerror (ret) << '\n'; std::cout << "c: ERROR x509 cert check hostname. " << gnutls_strerror (ret) << '\n'; // All
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert);
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
@ -370,13 +371,13 @@ int TLSClient::verify_certificate () const
#endif #endif
#if GNUTLS_VERSION_NUMBER >= 0x030104 #if GNUTLS_VERSION_NUMBER >= 0x030104
gnutls_certificate_type_t type = gnutls_certificate_type_get (_session); gnutls_certificate_type_t type = gnutls_certificate_type_get (_session); // All
gnutls_datum_t out; gnutls_datum_t out;
ret = gnutls_certificate_verification_status_print (status, type, &out, 0); ret = gnutls_certificate_verification_status_print (status, type, &out, 0); // 3.1.4
if (ret < 0) if (ret < 0)
{ {
if (_debug) if (_debug)
std::cout << "c: ERROR certificate verification status. " << gnutls_strerror (ret) << '\n'; std::cout << "c: ERROR certificate verification status. " << gnutls_strerror (ret) << '\n'; // All
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
@ -412,7 +413,7 @@ void TLSClient::send (const std::string& data)
int status; int status;
do do
{ {
status = gnutls_record_send (_session, packet.c_str () + total, remaining); status = gnutls_record_send (_session, packet.c_str () + total, remaining); // All
} }
while (errno == GNUTLS_E_INTERRUPTED || while (errno == GNUTLS_E_INTERRUPTED ||
errno == GNUTLS_E_AGAIN); errno == GNUTLS_E_AGAIN);
@ -441,7 +442,7 @@ void TLSClient::recv (std::string& data)
unsigned char header[4] {}; unsigned char header[4] {};
do do
{ {
received = gnutls_record_recv (_session, header, 4); received = gnutls_record_recv (_session, header, 4); // All
} }
while (received > 0 && while (received > 0 &&
(errno == GNUTLS_E_INTERRUPTED || (errno == GNUTLS_E_INTERRUPTED ||
@ -469,7 +470,7 @@ void TLSClient::recv (std::string& data)
{ {
do do
{ {
received = gnutls_record_recv (_session, buffer, MAX_BUF - 1); received = gnutls_record_recv (_session, buffer, MAX_BUF - 1); // All
} }
while (received > 0 && while (received > 0 &&
(errno == GNUTLS_E_INTERRUPTED || (errno == GNUTLS_E_INTERRUPTED ||
@ -484,13 +485,13 @@ void TLSClient::recv (std::string& data)
} }
// Something happened. // Something happened.
if (received < 0 && gnutls_error_is_fatal (received) == 0) if (received < 0 && gnutls_error_is_fatal (received) == 0) // All
{ {
if (_debug) if (_debug)
std::cout << "c: WARNING " << gnutls_strerror (received) << '\n'; std::cout << "c: WARNING " << gnutls_strerror (received) << '\n'; // All
} }
else if (received < 0) else if (received < 0)
throw std::string (gnutls_strerror (received)); throw std::string (gnutls_strerror (received)); // All
buffer [received] = '\0'; buffer [received] = '\0';
data += buffer; data += buffer;