gnutls-serv: when post-handshake auth is asked; require a certificate
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 22 Jun 2018 12:14:07 +0000 (14:14 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 27 Jun 2018 18:54:34 +0000 (20:54 +0200)
This allows testing post-handshake authentication using gnutls-serv.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
src/common.c
src/common.h
src/serv.c
src/udp-serv.c

index fb98100677be2f64b666bf4cec9bf19a1db38aeb..24b8aa21e0f07160e83c685dee60937801c8d322 100644 (file)
@@ -914,7 +914,7 @@ void print_list(const char *priorities, int verbose)
        }
 }
 
-int check_command(gnutls_session_t session, const char *str)
+int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cert)
 {
        size_t len = strnlen(str, 128);
        int ret;
@@ -932,6 +932,10 @@ int check_command(gnutls_session_t session, const char *str)
                } else if (strncmp
                    (str, "**REAUTH**",
                     sizeof("**REAUTH**") - 1) == 0) {
+                       /* in case we have a re-auth cmd prepare for it */
+                       if (no_cli_cert)
+                               gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
+
                        fprintf(stderr,
                                "*** Sending re-auth request\n");
                        do {
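Review bot: The switch to `GNUTLS_CERT_REQUIRE` on the `**REAUTH**` branch is not undone anywhere in the hunk, so after one re-auth command the session keeps requiring a certificate for every later request, even though the initial handshake (the `no_cli_cert` case) requested none; that is probably intended for a test server, but the added comment should say so rather than "prepare for it". Suggest `/* the initial handshake did not request a client certificate (no_cli_cert); switch the session to REQUIRE so this post-handshake request demands one — the setting stays in effect for the session */`. The parameter name `no_cli_cert` also reads as the opposite of what it enables, which is worth a one-line note on the prototype. check_command's body continues outside this hunk.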
index 20faf7d521c7abd3ea7d449fb1bb9b8d2cd7bf7e..61227a5af079bf5d2dc5c574bff4996a99c70803 100644 (file)
@@ -69,7 +69,7 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
 const char *raw_to_string(const unsigned char *raw, size_t raw_size);
 const char *raw_to_hex(const unsigned char *raw, size_t raw_size);
 const char *raw_to_base64(const unsigned char *raw, size_t raw_size);
-int check_command(gnutls_session_t session, const char *str);
+int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cert);
 
 int
 pin_callback(void *user, int attempt, const char *token_url,
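Review bot: The new `no_cli_cert` parameter reaches the header without any documentation, and neither the flag's meaning nor the return convention (the serv.c caller in this commit distinguishes `> 0`, `== 0` and `< 0`) is stated anywhere. Suggest a comment above the prototype: `/* Execute a "**CMD**" control command found in str. no_cli_cert: the handshake did not request a client certificate, so a REAUTH first switches the session to GNUTLS_CERT_REQUIRE. Returns >0 when a command was executed, 0 when str is not a command, presumably <0 on error. */`. The exact return values should be confirmed against the definition in common.c, which is only partly visible here.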
index 34996d17920ec5435472e93faaf9a36f499ffb1f..42b4887bdc44814db8370e9b3cc3cf136f2b0897 100644 (file)
@@ -939,9 +939,12 @@ get_response(gnutls_session_t session, char *request,
        if (http != 0) {
                *response = peer_print_info(session, response_length, h);
        } else {
+               int ret;
                strip(request);
-               fprintf(stderr, "received: %s\n", request);
-               if (check_command(session, request)) {
+               fprintf(stderr, "received cmd: %s\n", request);
+
+               ret = check_command(session, request, disable_client_cert);
+               if (ret > 0) {
                        *response = strdup("Successfully executed command\n");
                        if (*response == NULL) {
                                fprintf(stderr, "Memory error\n");
@@ -949,9 +952,14 @@ get_response(gnutls_session_t session, char *request,
                        }
                        *response_length = strlen(*response);
                        return;
+               } else if (ret == 0) {
+                       *response = strdup(request);
+                       *response_length = ((*response) ? strlen(*response) : 0);
+               } else {
+                       do {
+                               ret = gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_UNEXPECTED_MESSAGE);
+                       } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
                }
-               *response = strdup(request);
-               *response_length = ((*response) ? strlen(*response) : 0);
        }
 
        return;
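Review bot: In the `ret < 0` branch added in the second hunk, `*response` and `*response_length` are left untouched after the fatal alert is sent, whereas the removed code always assigned both after the command check; unless the caller initializes them before calling get_response (not visible here), it can read an uninitialized pointer and length after an alert. Suggest adding `*response = NULL;` and `*response_length = 0;` before the `do { ... } while` loop. The loop's final `ret` is discarded, which is acceptable for a best-effort alert but deserves a `/* best effort: alert send failures are ignored */` so it does not look like an oversight. get_response starts before this hunk.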
index 46e1e70878f41c3fa234d76617bf347fce45f356..fdaa0fb886d44b6c4baedf88c995d8c5c76b3379 100644 (file)
@@ -39,6 +39,8 @@
 #include "serv-args.h"
 #include "list.h"
 
+extern int disable_client_cert;
+
 typedef struct {
        gnutls_session_t session;
        int fd;
@@ -207,7 +209,7 @@ void udp_server(const char *name, int port, int mtu)
                             sequence[3], sequence[4], sequence[5],
                             sequence[6], sequence[7], buffer);
 
-                       if (check_command(session, buffer) == 0) {
+                       if (check_command(session, buffer, disable_client_cert) == 0) {
                                /* reply back */
                                ret =
                                    gnutls_record_send(session, buffer,
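Review bot: The UDP path still replies only when `check_command` returns 0 and, unlike the serv.c caller in this same commit, does not react to a negative return with a fatal alert (whatever follows the `if` is outside the hunk, so this is inferred), so the two servers now diverge in how a failed command is reported to the peer. If check_command can fail, mirroring serv.c's `gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_UNEXPECTED_MESSAGE)` retry loop here would keep them consistent. Separately, the `extern int disable_client_cert;` added in the first hunk lives in udp-serv.c rather than a shared header, so the compiler cannot check it against the defining declaration; a single declaration in a header both files include would avoid that. udp_server's body runs before and after this hunk.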