|
 |
aa6d84 |
From c11cc83d9ee9230f090c2400a57bbd562905d782 Mon Sep 17 00:00:00 2001
|
|
|
aa6d84 |
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
aa6d84 |
Date: Mon, 8 Oct 2018 10:42:22 +0200
|
|
|
aa6d84 |
Subject: [PATCH] Enable post-handshake auth under gnutls on TLS1.3
|
|
|
aa6d84 |
|
|
|
aa6d84 |
---
|
|
|
aa6d84 |
src/gnutls.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
aa6d84 |
1 file changed, 96 insertions(+)
|
|
|
aa6d84 |
|
|
|
aa6d84 |
diff --git a/src/gnutls.c b/src/gnutls.c
|
|
|
aa6d84 |
index 206d0b09..a2c9d1c1 100644
|
|
|
aa6d84 |
--- a/src/gnutls.c
|
|
|
aa6d84 |
+++ b/src/gnutls.c
|
|
|
aa6d84 |
@@ -60,6 +60,11 @@ as that of the covered work. */
|
|
|
aa6d84 |
static int
|
|
|
aa6d84 |
_do_handshake (gnutls_session_t session, int fd, double timeout);
|
|
|
aa6d84 |
|
|
|
aa6d84 |
+#if GNUTLS_VERSION_NUMBER >= 0x030604
|
|
|
aa6d84 |
+static int
|
|
|
aa6d84 |
+_do_reauth (gnutls_session_t session, int fd, double timeout);
|
|
|
aa6d84 |
+#endif
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
static int
|
|
|
aa6d84 |
key_type_to_gnutls_type (enum keyfile_type type)
|
|
|
aa6d84 |
{
|
|
|
aa6d84 |
@@ -287,6 +292,14 @@ wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout)
|
|
|
aa6d84 |
if ((ret = _do_handshake (ctx->session, fd, timeout)) == 0)
|
|
|
aa6d84 |
ret = GNUTLS_E_AGAIN; /* restart reading */
|
|
|
aa6d84 |
}
|
|
|
aa6d84 |
+#if GNUTLS_VERSION_NUMBER >= 0x030604
|
|
|
aa6d84 |
+ if (!timed_out && ret == GNUTLS_E_REAUTH_REQUEST)
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ DEBUGP (("GnuTLS: *** re-authentication while reading\n"));
|
|
|
aa6d84 |
+ if ((ret = _do_reauth (ctx->session, fd, timeout)) == 0)
|
|
|
aa6d84 |
+ ret = GNUTLS_E_AGAIN; /* restart reading */
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+#endif
|
|
|
aa6d84 |
}
|
|
|
aa6d84 |
}
|
|
|
aa6d84 |
while (ret == GNUTLS_E_INTERRUPTED || (ret == GNUTLS_E_AGAIN && !timed_out));
|
|
|
aa6d84 |
@@ -519,6 +532,84 @@ _do_handshake (gnutls_session_t session, int fd, double timeout)
|
|
|
aa6d84 |
return err;
|
|
|
aa6d84 |
}
|
|
|
aa6d84 |
|
|
|
aa6d84 |
+#if GNUTLS_VERSION_NUMBER >= 0x030604
|
|
|
aa6d84 |
+static int
|
|
|
aa6d84 |
+_do_reauth (gnutls_session_t session, int fd, double timeout)
|
|
|
aa6d84 |
+{
|
|
|
aa6d84 |
+#ifdef F_GETFL
|
|
|
aa6d84 |
+ int flags = 0;
|
|
|
aa6d84 |
+#endif
|
|
|
aa6d84 |
+ int err;
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
+ if (timeout)
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+#ifdef F_GETFL
|
|
|
aa6d84 |
+ flags = fcntl (fd, F_GETFL, 0);
|
|
|
aa6d84 |
+ if (flags < 0)
|
|
|
aa6d84 |
+ return flags;
|
|
|
aa6d84 |
+ if (fcntl (fd, F_SETFL, flags | O_NONBLOCK))
|
|
|
aa6d84 |
+ return -1;
|
|
|
aa6d84 |
+#else
|
|
|
aa6d84 |
+ /* XXX: Assume it was blocking before. */
|
|
|
aa6d84 |
+ const int one = 1;
|
|
|
aa6d84 |
+ if (ioctl (fd, FIONBIO, &one) < 0)
|
|
|
aa6d84 |
+ return -1;
|
|
|
aa6d84 |
+#endif
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
+ /* We don't stop the handshake process for non-fatal errors */
|
|
|
aa6d84 |
+ do
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ err = gnutls_reauth (session, 0);
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
+ if (timeout && err == GNUTLS_E_AGAIN)
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ if (gnutls_record_get_direction (session))
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ /* wait for writeability */
|
|
|
aa6d84 |
+ err = select_fd (fd, timeout, WAIT_FOR_WRITE);
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+ else
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ /* wait for readability */
|
|
|
aa6d84 |
+ err = select_fd (fd, timeout, WAIT_FOR_READ);
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
+ if (err <= 0)
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ if (err == 0)
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ errno = ETIMEDOUT;
|
|
|
aa6d84 |
+ err = -1;
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+ break;
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
+ err = GNUTLS_E_AGAIN;
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+ else if (err < 0)
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+ logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+ while (err && gnutls_error_is_fatal (err) == 0);
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
+ if (timeout)
|
|
|
aa6d84 |
+ {
|
|
|
aa6d84 |
+#ifdef F_GETFL
|
|
|
aa6d84 |
+ if (fcntl (fd, F_SETFL, flags) < 0)
|
|
|
aa6d84 |
+ return -1;
|
|
|
aa6d84 |
+#else
|
|
|
aa6d84 |
+ const int zero = 0;
|
|
|
aa6d84 |
+ if (ioctl (fd, FIONBIO, &zero) < 0)
|
|
|
aa6d84 |
+ return -1;
|
|
|
aa6d84 |
+#endif
|
|
|
aa6d84 |
+ }
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
+ return err;
|
|
|
aa6d84 |
+}
|
|
|
aa6d84 |
+#endif
|
|
|
aa6d84 |
+
|
|
|
aa6d84 |
static const char *
|
|
|
aa6d84 |
_sni_hostname(const char *hostname)
|
|
|
aa6d84 |
{
|
|
|
aa6d84 |
@@ -655,7 +746,12 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session)
|
|
|
aa6d84 |
gnutls_session_t session;
|
|
|
aa6d84 |
int err;
|
|
|
aa6d84 |
|
|
|
aa6d84 |
+#if GNUTLS_VERSION_NUMBER >= 0x030604
|
|
|
aa6d84 |
+ // enable support of TLS1.3 post-handshake authentication
|
|
|
aa6d84 |
+ gnutls_init (&session, GNUTLS_CLIENT | GNUTLS_POST_HANDSHAKE_AUTH);
|
|
|
aa6d84 |
+#else
|
|
|
aa6d84 |
gnutls_init (&session, GNUTLS_CLIENT);
|
|
|
aa6d84 |
+#endif
|
|
|
aa6d84 |
|
|
|
aa6d84 |
/* We set the server name but only if it's not an IP address. */
|
|
|
aa6d84 |
if (! is_valid_ip_address (hostname))
|
|
|
aa6d84 |
--
|
|
|
aa6d84 |
2.17.2
|
|
|
aa6d84 |
|