authorNikos Mavrogiannopoulos <nmav@gnutls.org>2001-06-14 18:00:12 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2001-06-14 18:00:12 +0000
commita6faedd8a31bf97ef3c64286ef4230e2ed0ebaac (patch)
tree2707d156b396f20f7520fdf9cb4c85a0690170b9
parente0ae420bf74ef6afc08735c0a5538f0a376b7bf3 (diff)
downloadgnutls-a6faedd8a31bf97ef3c64286ef4230e2ed0ebaac.tar.gz
better handling of set/get credentials.
-rw-r--r--lib/.cvsignore1
-rw-r--r--lib/auth_anon.c24
-rw-r--r--lib/auth_anon.h8
-rw-r--r--lib/auth_srp.c8
-rw-r--r--lib/auth_srp_passwd.c6
-rw-r--r--lib/ext_srp.c2
-rw-r--r--lib/gnutls.h.in13
-rw-r--r--lib/gnutls_algorithms.c42
-rw-r--r--lib/gnutls_algorithms.h4
-rw-r--r--lib/gnutls_auth.c33
-rw-r--r--lib/gnutls_auth_int.h6
-rw-r--r--lib/gnutls_int.h1
12 files changed, 102 insertions, 46 deletions
diff --git a/lib/.cvsignore b/lib/.cvsignore
index 3bdc11d17e..b370f32c5c 100644
--- a/lib/.cvsignore
+++ b/lib/.cvsignore
@@ -12,3 +12,4 @@ Makefile
*.bbg
libgnutls-config
gnutls.h
+cert_ASN.c
diff --git a/lib/auth_anon.c b/lib/auth_anon.c
index 2af8ca6e29..315fc9980b 100644
--- a/lib/auth_anon.c
+++ b/lib/auth_anon.c
@@ -56,21 +56,21 @@ int gen_anon_server_kx( GNUTLS_KEY key, opaque** data) {
uint8 *data_p;
uint8 *data_g;
uint8 *data_X;
- DH_ANON_SERVER_CREDENTIALS * cred;
+ const ANON_SERVER_CREDENTIALS * cred;
- cred = _gnutls_get_kx_cred( key, GNUTLS_KX_DH_ANON, NULL);
+ cred = _gnutls_get_cred( key, GNUTLS_ANON, NULL);
if (cred==NULL) {
bits = DEFAULT_BITS; /* default */
} else {
- bits = cred->bits;
+ bits = cred->dh_bits;
}
g = gnutls_get_dh_params(&p, bits);
- key->auth_info = gnutls_malloc(sizeof(DH_ANON_AUTH_INFO));
+ key->auth_info = gnutls_malloc(sizeof(ANON_AUTH_INFO));
if (key->auth_info==NULL) return GNUTLS_E_MEMORY_ERROR;
- ((DH_ANON_AUTH_INFO*)key->auth_info)->bits = gcry_mpi_get_nbits(p);
- key->auth_info_size = sizeof(DH_ANON_AUTH_INFO);
+ ((ANON_AUTH_INFO*)key->auth_info)->dh_bits = gcry_mpi_get_nbits(p);
+ key->auth_info_size = sizeof(ANON_AUTH_INFO);
X = gnutls_calc_dh_secret(&x, g, p);
key->dh_secret = x;
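Review bot: `cred->dh_bits` comes straight from the caller-supplied credentials and is handed to `gnutls_get_dh_params` with no range check, and the result `p` is then dereferenced by `gcry_mpi_get_nbits(p)` without testing `g` or `p` for NULL. A credential structure with `dh_bits` of 0 or an unsupported size could therefore end in a NULL dereference or in a weaker group than intended, depending on what `gnutls_get_dh_params` does for sizes it has no parameters for (not visible on this page). I would extend the fallback to `if (cred == NULL || cred->dh_bits <= 0) bits = DEFAULT_BITS;` and fail the handshake with an error before the allocation when `g` or `p` is NULL. gen_anon_server_kx continues past the end of this hunk.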
@@ -190,10 +190,10 @@ int proc_anon_server_kx( GNUTLS_KEY key, opaque* data, int data_size) {
}
/* set auth_info */
- key->auth_info = gnutls_malloc(sizeof(DH_ANON_AUTH_INFO));
+ key->auth_info = gnutls_malloc(sizeof(ANON_AUTH_INFO));
if (key->auth_info==NULL) return GNUTLS_E_MEMORY_ERROR;
- ((DH_ANON_AUTH_INFO*)key->auth_info)->bits = gcry_mpi_get_nbits(key->client_p);
- key->auth_info_size = sizeof(DH_ANON_AUTH_INFO);
+ ((ANON_AUTH_INFO*)key->auth_info)->dh_bits = gcry_mpi_get_nbits(key->client_p);
+ key->auth_info_size = sizeof(ANON_AUTH_INFO);
/* We should check signature in non-anonymous KX
* this is anonymous however
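Review bot: `key->auth_info = gnutls_malloc(sizeof(ANON_AUTH_INFO));` overwrites whatever `auth_info` already held, so if this handler runs more than once on the same key (for instance a renegotiated handshake) the earlier buffer leaks; gen_anon_server_kx in the previous hunk has the same pattern. Unless the caller is known to reset `auth_info` between handshakes, which this page does not show, release the old pointer first: `gnutls_free(key->auth_info);` before the `gnutls_malloc` (with a NULL guard if gnutls_free does not accept NULL, which I cannot confirm from here). proc_anon_server_kx continues past the end of this hunk.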
@@ -207,13 +207,13 @@ int proc_anon_client_kx( GNUTLS_KEY key, opaque* data, int data_size) {
size_t _n_Y;
MPI g, p;
int bits;
- DH_ANON_SERVER_CREDENTIALS * cred;
+ const ANON_SERVER_CREDENTIALS * cred;
- cred = _gnutls_get_kx_cred( key, GNUTLS_KX_DH_ANON, NULL);
+ cred = _gnutls_get_cred( key, GNUTLS_ANON, NULL);
if (cred==NULL) {
bits = DEFAULT_BITS; /* default */
} else {
- bits = cred->bits;
+ bits = cred->dh_bits;
}
#if 0 /* removed. I do not know why - maybe I didn't get the protocol,
diff --git a/lib/auth_anon.h b/lib/auth_anon.h
index 11c96913ef..c3b253d7e1 100644
--- a/lib/auth_anon.h
+++ b/lib/auth_anon.h
@@ -2,9 +2,9 @@
extern MOD_AUTH_STRUCT anon_auth_struct;
typedef struct {
- int bits;
-} DH_ANON_SERVER_CREDENTIALS;
+ int dh_bits;
+} ANON_SERVER_CREDENTIALS;
typedef struct {
- int bits;
-} DH_ANON_AUTH_INFO;
+ int dh_bits;
+} ANON_AUTH_INFO;
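Review bot: `ANON_SERVER_CREDENTIALS` and `ANON_AUTH_INFO` are now two separate anonymous-struct typedefs, defined here and again in gnutls.h.in, so the two copies are distinct C types that merely share a layout. Any translation unit that ends up including both headers gets a typedef redefinition error, and if one copy is edited without the other the public layout silently diverges from what the library writes into `auth_info`. Define the structs once and include that header from the other, or at least mark both copies with `/* must stay identical to the copy in gnutls.h.in */`.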
diff --git a/lib/auth_srp.c b/lib/auth_srp.c
index ba513f5e49..fe3e03fe16 100644
--- a/lib/auth_srp.c
+++ b/lib/auth_srp.c
@@ -189,8 +189,8 @@ int gen_srp_client_kx0(GNUTLS_KEY key, opaque ** data)
uint8 *data_a;
char *username;
char *password;
- SRP_CLIENT_CREDENTIALS *cred =
- _gnutls_get_kx_cred(key, GNUTLS_KX_SRP, NULL);
+ const SRP_CLIENT_CREDENTIALS *cred =
+ _gnutls_get_cred(key, GNUTLS_SRP, NULL);
if (cred == NULL)
return GNUTLS_E_INSUFICIENT_CRED;
@@ -231,8 +231,8 @@ int proc_srp_server_kx(GNUTLS_KEY key, opaque * data, int data_size)
opaque *hd;
char *username;
char *password;
- SRP_CLIENT_CREDENTIALS *cred =
- _gnutls_get_kx_cred(key, GNUTLS_KX_SRP, NULL);
+ const SRP_CLIENT_CREDENTIALS *cred =
+ _gnutls_get_cred(key, GNUTLS_SRP, NULL);
if (cred == NULL)
return GNUTLS_E_INSUFICIENT_CRED;
diff --git a/lib/auth_srp_passwd.c b/lib/auth_srp_passwd.c
index e7bf585cb0..78483043ff 100644
--- a/lib/auth_srp_passwd.c
+++ b/lib/auth_srp_passwd.c
@@ -194,7 +194,7 @@ int tmp_size;
/* this function opens the tpasswd.conf file
*/
-static int pwd_read_conf( SRP_SERVER_CREDENTIALS* cred, GNUTLS_SRP_PWD_ENTRY* entry, int index) {
+static int pwd_read_conf( const SRP_SERVER_CREDENTIALS* cred, GNUTLS_SRP_PWD_ENTRY* entry, int index) {
FILE * fd;
char line[5*1024];
int i;
@@ -229,7 +229,7 @@ static int pwd_read_conf( SRP_SERVER_CREDENTIALS* cred, GNUTLS_SRP_PWD_ENTRY* en
GNUTLS_SRP_PWD_ENTRY *_gnutls_srp_pwd_read_entry( GNUTLS_KEY key, char* username, int *err) {
- SRP_SERVER_CREDENTIALS* cred;
+ const SRP_SERVER_CREDENTIALS* cred;
FILE * fd;
char line[5*1024];
int i, len;
@@ -238,7 +238,7 @@ GNUTLS_SRP_PWD_ENTRY *_gnutls_srp_pwd_read_entry( GNUTLS_KEY key, char* username
*err = 0; /* normal exit */
- cred = _gnutls_get_kx_cred( key, GNUTLS_KX_SRP, NULL);
+ cred = _gnutls_get_cred( key, GNUTLS_SRP, NULL);
if (cred==NULL) {
*err = 1;
gnutls_assert();
diff --git a/lib/ext_srp.c b/lib/ext_srp.c
index 8d57ca8571..065cbf1a85 100644
--- a/lib/ext_srp.c
+++ b/lib/ext_srp.c
@@ -59,7 +59,7 @@ int _gnutls_srp_send_params( GNUTLS_STATE state, opaque** data) {
uint8 len;
/* this function sends the client extension data (username) */
if (state->security_parameters.entity == GNUTLS_CLIENT) {
- SRP_CLIENT_CREDENTIALS* cred = _gnutls_get_kx_cred( state->gnutls_key, GNUTLS_KX_SRP, NULL);
+ const SRP_CLIENT_CREDENTIALS* cred = _gnutls_get_cred( state->gnutls_key, GNUTLS_SRP, NULL);
(*data) = NULL;
diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in
index 739eb78b4b..e3d1a4759c 100644
--- a/lib/gnutls.h.in
+++ b/lib/gnutls.h.in
@@ -24,6 +24,7 @@
typedef enum BulkCipherAlgorithm { GNUTLS_NULL_CIPHER=1, GNUTLS_ARCFOUR, GNUTLS_3DES, GNUTLS_RIJNDAEL, GNUTLS_TWOFISH, GNUTLS_RIJNDAEL256 } BulkCipherAlgorithm;
typedef enum KXAlgorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DH_DSS, GNUTLS_KX_DH_RSA, GNUTLS_KX_DH_ANON, GNUTLS_KX_SRP } KXAlgorithm;
+typedef enum CredType { GNUTLS_X509PKI=1, GNUTLS_ANON, GNUTLS_SRP } CredType;
typedef enum MACAlgorithm { GNUTLS_NULL_MAC=1, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA } MACAlgorithm;
typedef enum CompressionMethod { GNUTLS_NULL_COMPRESSION=1, GNUTLS_ZLIB } CompressionMethod;
typedef enum ConnectionEnd { GNUTLS_SERVER, GNUTLS_CLIENT } ConnectionEnd;
@@ -107,7 +108,7 @@ const char* gnutls_check_version();
/* Functions for setting/clearing credentials */
int gnutls_clear_creds( GNUTLS_STATE state);
/* cred is a structure defined by the kx algorithm */
-int gnutls_set_kx_cred( GNUTLS_STATE, KXAlgorithm kx, void* cred);
+int gnutls_set_cred( GNUTLS_STATE, CredType type, void* cred);
const void* gnutls_get_auth_info( GNUTLS_STATE);
/* Credential structures for SRP - used in gnutls_set_cred(); */
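Review bot: the comment `/* cred is a structure defined by the kx algorithm */` above `gnutls_set_cred` is now stale, since the structure is chosen by the CredType and no longer by the key-exchange algorithm; change it to `/* cred is a structure whose type depends on the CredType and on whether the state is a client or a server */`. Note also that `gnutls_set_kx_cred` disappears from the public header with no compatibility alias, so any existing caller stops compiling; that is acceptable if the API is not yet frozen, but it deserves a mention in the commit message.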
@@ -125,15 +126,15 @@ typedef struct {
char username[256];
} SRP_AUTH_INFO;
-/* Credential structures for DH_ANON */
+/* Credential structures for ANON */
typedef struct {
- int bits;
-} DH_ANON_SERVER_CREDENTIALS;
+ int dh_bits;
+} ANON_SERVER_CREDENTIALS;
typedef struct {
- int bits;
-} DH_ANON_AUTH_INFO;
+ int dh_bits;
+} ANON_AUTH_INFO;
/* error codes appended here */
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 78ac1be9a7..e7c60fcf57 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -34,6 +34,31 @@
#define MAX_CIPHERSUITE 256
#define MAX_COMPRESSION 256
+
+/* Cred type mappings to KX algorithms */
+typedef struct {
+ KXAlgorithm algorithm;
+ CredType type;
+} gnutls_cred_map;
+
+static const gnutls_cred_map cred_mappings[] = {
+ { GNUTLS_KX_DH_ANON, GNUTLS_ANON },
+ { GNUTLS_KX_RSA, GNUTLS_X509PKI },
+ { GNUTLS_KX_DHE_DSS, GNUTLS_X509PKI },
+ { GNUTLS_KX_DHE_RSA, GNUTLS_X509PKI },
+ { GNUTLS_KX_DH_DSS, GNUTLS_X509PKI },
+ { GNUTLS_KX_DH_RSA, GNUTLS_X509PKI },
+ { GNUTLS_KX_SRP, GNUTLS_SRP },
+ { 0 }
+};
+
+#define GNUTLS_KX_MAP_LOOP(b) \
+ const gnutls_cred_map *p; \
+ for(p = cred_mappings; p->type != 0; p++) { b ; }
+
+#define GNUTLS_KX_MAP_ALG_LOOP(a) \
+ GNUTLS_KX_MAP_LOOP( if(p->type == type) { a; break; })
+
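Review bot: `GNUTLS_KX_MAP_ALG_LOOP` compares `p->type` against an identifier `type` that the macro never receives as an argument, so it only works inside a function that happens to have a local named `type` (as `_gnutls_map_kx_get_kx` does) and will either fail to compile or silently pick up an unrelated variable anywhere else. Pass it explicitly, `#define GNUTLS_KX_MAP_ALG_LOOP(t, a) GNUTLS_KX_MAP_LOOP(if (p->type == (t)) { a; break; })`, and call it as `GNUTLS_KX_MAP_ALG_LOOP(type, ret = p->algorithm)`. The `{ 0 }` terminator and the `p->type != 0` loop test also depend on `CredType` starting at 1, which holds today only because of `GNUTLS_X509PKI=1`; a comment on the table, `/* terminated by type == 0; CredType values start at 1 */`, would keep a future enum edit from breaking the scan.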
/* TLS Versions */
typedef struct {
@@ -906,6 +931,23 @@ _gnutls_version_is_supported(GNUTLS_STATE state,
return ret;
}
+/* Type to KX mappings */
+KXAlgorithm _gnutls_map_kx_get_kx(CredType type)
+{
+ KXAlgorithm ret = -1;
+
+ GNUTLS_KX_MAP_ALG_LOOP(ret = p->algorithm);
+ return ret;
+}
+
+CredType _gnutls_map_kx_get_cred(KXAlgorithm algorithm)
+{
+ CredType ret = -1;
+ GNUTLS_KX_MAP_LOOP(if (p->algorithm==algorithm) ret = p->type);
+
+ return ret;
+}
+
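Review bot: both mapping functions return `-1` through an enum type (`KXAlgorithm ret = -1;` and `CredType ret = -1;`) although neither enum has a member for "not found", so the value lies outside the enumeration and callers have no named constant to compare against. Either add a sentinel member to each enum or return a plain `int` and document that a negative result means no mapping exists. Separately, `_gnutls_map_kx_get_cred` keeps scanning after a hit because it never breaks; harmless with the current table, but `if (p->algorithm == algorithm) { ret = p->type; break; }` states the intent and matches the other lookup.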
/* Cipher Suite's functions */
BulkCipherAlgorithm
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index 7844776ee6..e2e0f36473 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -86,3 +86,7 @@ int _gnutls_compression_count();
int _gnutls_compression_get_num(CompressionMethod algorithm);
CompressionMethod _gnutls_compression_get_id(int num);
char *_gnutls_compression_get_name(CompressionMethod algorithm);
+
+/* Type to KX mappings */
+KXAlgorithm _gnutls_map_kx_get_kx(CredType type);
+CredType _gnutls_map_kx_get_cred(KXAlgorithm algorithm);
diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c
index 69c31b932b..a9768c3870 100644
--- a/lib/gnutls_auth.c
+++ b/lib/gnutls_auth.c
@@ -22,6 +22,8 @@
#include "gnutls_int.h"
#include "gnutls_errors.h"
#include "gnutls_auth.h"
+#include "gnutls_auth_int.h"
+#include "gnutls_algorithms.h"
#include "auth_anon.h"
/* The functions here are used in order for authentication algorithms
@@ -51,28 +53,28 @@ int gnutls_clear_creds( GNUTLS_STATE state) {
* { algorithm, credentials, pointer to next }
*/
/**
- * gnutls_set_kx_cred - Sets the needed credentials for the specified (in kx) authentication algorithm.
+ * gnutls_set_cred - Sets the needed credentials for the specified authentication algorithm.
* @state: is a &GNUTLS_STATE structure.
- * @kx: is a key exchange algorithm
+ * @type: is the type of the credentials
* @cred: is a pointer to a structure.
*
- * Sets the needed credentials for the specified (in kx) authentication
- * algorithm. Eg username, password - or public and private keys etc.
+ * Sets the needed credentials for the specified type.
+ * Eg username, password - or public and private keys etc.
* The (void* cred) parameter is a structure that depends on the
- * specified kx algorithm and on the current state (client or server).
+ * specified type and on the current state (client or server).
* [ In order to minimize memory usage, and share credentials between
* several threads gnutls keeps a pointer to cred, and not the whole cred
* structure. Thus you will have to keep the structure allocated until
* you call gnutls_deinit(). ]
*
- * For %GNUTLS_KX_DH_ANON cred should be NULL in case of a client.
- * In case of a server it should be &DH_ANON_SERVER_CREDENTIALS.
+ * For %GNUTLS_ANON cred should be NULL in case of a client.
+ * In case of a server it should be &ANON_SERVER_CREDENTIALS.
*
- * For %GNUTLS_KX_SRP cred should be &SRP_CLIENT_CREDENTIALS
+ * For %GNUTLS_SRP cred should be &SRP_CLIENT_CREDENTIALS
* in case of a client, and &SRP_SERVER_CREDENTIALS, in case
* of a server.
**/
-int gnutls_set_kx_cred( GNUTLS_STATE state, KXAlgorithm kx, void* cred) {
+int gnutls_set_cred( GNUTLS_STATE state, CredType type, void* cred) {
AUTH_CRED * ccred, *pcred;
int exists=0;
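Review bot: the rewritten doc comment for `gnutls_set_cred` says what `cred` must be for `%GNUTLS_ANON` and `%GNUTLS_SRP` but is silent about the third CredType this commit introduces, `GNUTLS_X509PKI`, so a caller has no way to know what to pass for the certificate-based key exchanges that `cred_mappings` routes to it. Add a line in the same style, for example `* For %GNUTLS_X509PKI no credential structure is defined yet.` if that is the current state, or name the expected structure if one exists elsewhere in the tree. gnutls_set_cred continues past the end of this hunk.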
@@ -85,11 +87,11 @@ int gnutls_set_kx_cred( GNUTLS_STATE state, KXAlgorithm kx, void* cred) {
state->gnutls_key->cred->credentials = cred;
state->gnutls_key->cred->next = NULL;
- state->gnutls_key->cred->algorithm = kx;
+ state->gnutls_key->cred->algorithm = type;
} else {
ccred = state->gnutls_key->cred;
while(ccred!=NULL) {
- if (ccred->algorithm==kx) {
+ if (ccred->algorithm==type) {
exists=1;
break;
}
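Review bot: `state->gnutls_key->cred->algorithm = type;` now stores a `CredType` in a field named `algorithm`, and the `AUTH_CRED` definition is not touched by this commit, so the field presumably still carries its old key-exchange type; the assignment compiles only because enums convert implicitly, and a later comparison against a `KXAlgorithm` value would silently match numbers from two different enumerations. Rename and retype the field together with this change, e.g. `CredType type;` in `AUTH_CRED` and `state->gnutls_key->cred->type = type;` here and in the other two assignments. gnutls_set_cred continues past the end of this hunk.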
@@ -107,7 +109,7 @@ int gnutls_set_kx_cred( GNUTLS_STATE state, KXAlgorithm kx, void* cred) {
ccred->credentials = cred;
ccred->next = NULL;
- ccred->algorithm = kx;
+ ccred->algorithm = type;
} else { /* modify existing entry */
gnutls_free(ccred->credentials);
ccred->credentials = cred;
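Review bot: `gnutls_free(ccred->credentials)` in the modify-existing-entry branch frees memory the library does not own: the doc comment on this same function says gnutls "keeps a pointer to cred, and not the whole cred structure" and that the caller must keep it allocated, so the old pointer may well be a caller's stack or static object, and calling `gnutls_set_cred` twice for the same type will then free it. Replacing the entry should only overwrite the pointer, so drop the `gnutls_free` line and keep `ccred->credentials = cred;`. If some callers do hand over heap memory, that transfer of ownership needs to be written into the contract rather than assumed here. gnutls_set_cred continues past the end of this hunk.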
@@ -121,12 +123,15 @@ int gnutls_set_kx_cred( GNUTLS_STATE state, KXAlgorithm kx, void* cred) {
* This returns an pointer to the linked list. Don't
* free that!!!
*/
-void *_gnutls_get_kx_cred( GNUTLS_KEY key, int kx, int *err) {
+const void *_gnutls_get_kx_cred( GNUTLS_KEY key, KXAlgorithm algo, int *err) {
+ return _gnutls_get_cred( key, _gnutls_map_kx_get_cred(algo), err);
+}
+const void *_gnutls_get_cred( GNUTLS_KEY key, CredType type, int *err) {
AUTH_CRED * ccred;
ccred = key->cred;
while(ccred!=NULL) {
- if (ccred->algorithm==kx) {
+ if (ccred->algorithm==type) {
break;
}
ccred = ccred->next;
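Review bot: `_gnutls_get_kx_cred` forwards the result of `_gnutls_map_kx_get_cred(algo)` to `_gnutls_get_cred` unchecked, so an unmapped `KXAlgorithm` becomes a `CredType` of -1 that is compared against every list entry; that happens to yield NULL today, but it conflates "no such mapping" with "credentials not set", and whether `err` distinguishes the two depends on the tail of `_gnutls_get_cred`, which lies outside this hunk. Check the mapping first: `CredType t = _gnutls_map_kx_get_cred(algo); if ((int)t < 0) return NULL;`, setting `*err` when `err` is non-NULL in the same way the lookup failure does.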
diff --git a/lib/gnutls_auth_int.h b/lib/gnutls_auth_int.h
index 46d0c1ab2a..2b34b6160c 100644
--- a/lib/gnutls_auth_int.h
+++ b/lib/gnutls_auth_int.h
@@ -1,3 +1,5 @@
int gnutls_clear_creds( GNUTLS_STATE state);
-int gnutls_set_kx_cred( GNUTLS_STATE state, KXAlgorithm kx, void* cred);
-const void *_gnutls_get_kx_cred( GNUTLS_KEY key, int kx, int* err);
+int gnutls_set_cred( GNUTLS_STATE state, CredType type, void* cred);
+const void *_gnutls_get_cred( GNUTLS_KEY key, CredType kx, int* err);
+const void *_gnutls_get_kx_cred( GNUTLS_KEY key, KXAlgorithm algo, int *err);
+
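Review bot: the prototype `_gnutls_get_cred( GNUTLS_KEY key, CredType kx, int* err)` names its second parameter `kx` while the definition in gnutls_auth.c calls it `type`, which is confusing precisely because this change separates credential types from key-exchange algorithms; use `const void *_gnutls_get_cred( GNUTLS_KEY key, CredType type, int* err);`. A one-line comment above the two getters saying that the returned pointer belongs to the credential list and must not be freed would also carry the warning from gnutls_auth.c to the header where callers actually look.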
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index d79cb60910..84cef16a69 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -108,6 +108,7 @@ typedef enum ConnectionEnd { GNUTLS_SERVER, GNUTLS_CLIENT } ConnectionEnd;
typedef enum BulkCipherAlgorithm { GNUTLS_NULL_CIPHER=1, GNUTLS_ARCFOUR, GNUTLS_3DES, GNUTLS_RIJNDAEL, GNUTLS_TWOFISH, GNUTLS_RIJNDAEL256 } BulkCipherAlgorithm;
typedef enum Extensions { GNUTLS_EXTENSION_SRP=7 } Extensions;
typedef enum KXAlgorithm { GNUTLS_KX_RSA=1, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DH_DSS, GNUTLS_KX_DH_RSA, GNUTLS_KX_DH_ANON, GNUTLS_KX_SRP } KXAlgorithm;
+typedef enum CredType { GNUTLS_X509PKI=1, GNUTLS_ANON, GNUTLS_SRP } CredType;
typedef enum CipherType { CIPHER_STREAM, CIPHER_BLOCK } CipherType;
typedef enum MACAlgorithm { GNUTLS_NULL_MAC=1, GNUTLS_MAC_MD5, GNUTLS_MAC_SHA } MACAlgorithm;
typedef enum CompressionMethod { GNUTLS_NULL_COMPRESSION=1, GNUTLS_ZLIB } CompressionMethod;
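Review bot: `CredType` is now defined twice with identical bodies, here and in gnutls.h.in, so the two copies must be edited in lock-step or the public and internal values drift apart; the surrounding enums on these lines already follow the same pattern, so this extends an existing risk rather than creating it. The minimum is a comment on each copy, `/* keep in sync with gnutls.h.in */`; generating one header from the other would remove the risk entirely. Because `_gnutls_map_kx_get_cred` returns -1 for an unmapped algorithm and the mapping table is terminated by a zero type, any future member given the value 0 or -1 would collide with those sentinels.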