Added client certificates options (--cert and --key) to spdycat.

Added --verify-client option to spdyd.
This commit is contained in:
Tatsuhiro Tsujikawa 2012-04-22 23:04:55 +09:00
parent 9638dc8b0a
commit b8d485d3a2
4 changed files with 64 additions and 5 deletions

View File

@ -57,7 +57,7 @@ const std::string SPDYD_SERVER = "spdyd spdylay/"SPDYLAY_VERSION;
} // namespace
Config::Config(): verbose(false), daemon(false), port(0), data_ptr(0),
spdy3_only(false)
spdy3_only(false), verify_client(false)
{}
Request::Request(int32_t stream_id)
@ -874,6 +874,15 @@ int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
}
} // namespace
namespace {
int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
// We don't verify the client certificate. Just request it for the
// testing purpose.
return 1;
}
} // namespace
int SpdyServer::run()
{
SSL_CTX *ssl_ctx;
@ -900,7 +909,12 @@ int SpdyServer::run()
std::cerr << "SSL_CTX_check_private_key failed." << std::endl;
return -1;
}
if(config_->verify_client) {
SSL_CTX_set_verify(ssl_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
}
// We speaks "spdy/2" and "spdy/3".
std::pair<unsigned char*, size_t> next_proto;
unsigned char proto_list[14];

View File

@ -51,6 +51,7 @@ struct Config {
spdylay_on_request_recv_callback on_request_recv_callback;
void *data_ptr;
bool spdy3_only;
bool verify_client;
Config();
};

View File

@ -63,6 +63,8 @@ struct Config {
bool verbose;
bool spdy3_only;
int timeout;
std::string certfile;
std::string keyfile;
Config():null_out(false), remote_name(false), verbose(false),
spdy3_only(false), timeout(-1) {}
};
@ -152,6 +154,20 @@ int communicate(const std::string& host, uint16_t port,
next_proto = "spdy/3";
}
setup_ssl_ctx(ssl_ctx, &next_proto);
if(!config.keyfile.empty()) {
if(SSL_CTX_use_PrivateKey_file(ssl_ctx, config.keyfile.c_str(),
SSL_FILETYPE_PEM) != 1) {
std::cerr << ERR_error_string(ERR_get_error(), 0) << std::endl;
return -1;
}
}
if(!config.certfile.empty()) {
if(SSL_CTX_use_certificate_chain_file(ssl_ctx,
config.certfile.c_str()) != 1) {
std::cerr << ERR_error_string(ERR_get_error(), 0) << std::endl;
return -1;
}
}
SSL *ssl = SSL_new(ssl_ctx);
if(!ssl) {
std::cerr << ERR_error_string(ERR_get_error(), 0) << std::endl;
@ -282,7 +298,7 @@ int run(char **uris, int n)
void print_usage(std::ostream& out)
{
out << "Usage: spdycat [-Onv3] [--timeout=seconds] [URI...]" << std::endl;
out << "Usage: spdycat [-Onv3] [-t=seconds] [--cert=CERT] [--key=KEY] [URI...]" << std::endl;
}
void print_help(std::ostream& out)
@ -299,19 +315,25 @@ void print_help(std::ostream& out)
<< " filename. Not implemented yet.\n"
<< " -3, --spdy3 Only use SPDY/3.\n"
<< " -t, --timeout=N Timeout each request after N seconds.\n"
<< "\n"
<< " --cert=CERT Use the specified client certificate file.\n"
<< " The file must be in PEM format.\n"
<< " --key=KEY Use the client private key file. The file\n"
<< " must be in PEM format.\n"
<< std::endl;
}
int main(int argc, char **argv)
{
while(1) {
int flag;
static option long_options[] = {
{"verbose", no_argument, 0, 'v' },
{"null-out", no_argument, 0, 'n' },
{"remote-name", no_argument, 0, 'O' },
{"spdy3", no_argument, 0, '3' },
{"timeout", required_argument, 0, 't' },
{"cert", required_argument, &flag, 1 },
{"key", required_argument, &flag, 2 },
{"help", no_argument, 0, 'h' },
{0, 0, 0, 0 }
};
@ -341,6 +363,18 @@ int main(int argc, char **argv)
break;
case '?':
exit(EXIT_FAILURE);
case 0:
switch(flag) {
case 1:
// cert option
config.certfile = optarg;
break;
case 2:
// key option
config.keyfile = optarg;
break;
}
break;
default:
break;
}

View File

@ -61,6 +61,12 @@ void print_help(std::ostream& out)
<< " current working directory is changed to '/'.\n"
<< " Therefore if this option is used, -d option\n"
<< " must be specified.\n"
<< " -V, --verify-client\n"
<< " The server sends a client certificate\n"
<< " request. If the client did not return a\n"
<< " certificate, the handshake is terminated.\n"
<< " Currently, this option just requests a\n"
<< " client certificate and does not verify it.\n"
<< "\n"
<< " -d, --htdocs=PATH Specify document root. If this option is not\n"
<< " specified, the document root is the current\n"
@ -86,10 +92,11 @@ int main(int argc, char **argv)
{"help", no_argument, 0, 'h' },
{"verbose", no_argument, 0, 'v' },
{"spdy3", no_argument, 0, '3' },
{"verify-client", no_argument, 0, 'V' },
{0, 0, 0, 0 }
};
int option_index = 0;
int c = getopt_long(argc, argv, "Dd:hv3", long_options, &option_index);
int c = getopt_long(argc, argv, "DVd:hv3", long_options, &option_index);
if(c == -1) {
break;
}
@ -97,6 +104,9 @@ int main(int argc, char **argv)
case 'D':
config.daemon = true;
break;
case 'V':
config.verify_client = true;
break;
case 'd':
config.htdocs = optarg;
break;