author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-08-04 12:01:58 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-08-04 12:01:58 +0000 |
commit | a0d4edd24e26883edba083f07cf1fb4cbaaf36c2 (patch) | |
tree | e6cb3f4ad58b2d9fc2dec73b2869bb7e48322bc2 | |
parent | 1e32c5bffd69edc51d93ab6bd4871823c4024deb (diff) | |
download | gnutls-a0d4edd24e26883edba083f07cf1fb4cbaaf36c2.tar.gz |
minor fixes
-rw-r--r-- | lib/gnutls_cert.c | 5 | ||||
-rw-r--r-- | lib/gnutls_cert.h | 16 | ||||
-rw-r--r-- | lib/gnutls_errors.c | 5 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 35 | ||||
-rw-r--r-- | lib/gnutls_int.h | 4 |
5 files changed, 49 insertions, 16 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index e2886e05e9..6fa1522504 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -599,6 +599,11 @@ static int _parse_extension( gnutls_cert* cert, char* extnID, char* critical, ch return 0; } + if (strcmp( extnID, "2 5 29 15")==0) { /* Key Usage */ + cert->KeyUsage = extnValue[0]; + return 0; + } + if (strcmp( extnID, "2 5 29 19")==0) { /* Basic Constraints */ /* we don't use it */ return 0; diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h index fc7eb34bed..38fb21bdfb 100644 --- a/lib/gnutls_cert.h +++ b/lib/gnutls_cert.h @@ -12,6 +12,16 @@ typedef struct { char state_or_province_name[X509_S_SIZE]; } gnutls_DN; +#define X509KEY_DIGITAL_SIGNATURE 256 +#define X509KEY_NON_REPUDIATION 128 +#define X509KEY_KEY_ENCIPHERMENT 64 +#define X509KEY_DATA_ENCIPHERMENT 32 +#define X509KEY_KEY_AGREEMENT 16 +#define X509KEY_KEY_CERT_SIGN 8 +#define X509KEY_CRL_SIGN 4 +#define X509KEY_ENCIPHER_ONLY 2 +#define X509KEY_DECIPHER_ONLY 1 + typedef struct { MPI *params; /* the size of params depends on the public @@ -30,7 +40,11 @@ typedef struct { time_t activation_time; int version; /* 1,2,3 - */ + */ + + int KeyUsage; /* bits from X509KEY_* + */ + int valid; /* 0 if the certificate looks good. */ gnutls_datum raw; /* the raw certificate */ diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index 5d5324559e..09e4d0ba8b 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c @@ -129,7 +129,7 @@ void gnutls_perror(int error) _gnutls_log( "GNUTLS ERROR: %s\n", ret); - free( ret); + gnutls_free( ret); } @@ -138,8 +138,7 @@ void gnutls_perror(int error) * @error: is an error returned by a gnutls function. Error is always a negative value. * * This function is like strerror(). However it accepts an error returned by a gnutls - * function. gnutls_strerror() returns a malloc'ed value thus - * it should be free'd. + * function. **/ const char* gnutls_strerror(int error) { 
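Review bot: `cert->KeyUsage = extnValue[0];` copies a single octet, but the X509KEY_* masks added to gnutls_cert.h in this same commit span nine bits (X509KEY_DIGITAL_SIGNATURE is 256), so the digital-signature bit can never appear in KeyUsage, and if extnValue is a `char *` an octet with its top bit set is sign-extended to a negative int before any mask is applied. The Key Usage extension value is a DER BIT STRING, so if extnValue still holds the raw encoding the first byte is presumably the tag rather than the usage bits, and the length and unused-bits octets would have to be stepped over before the bit octets are combined into the nine-bit value the masks expect. The index is also not guarded by the extension's length; the parameter list is truncated in the hunk header, so I cannot see whether a length argument is available to check against. _parse_extension continues outside the hunk on both sides.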
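Review bot: The X509KEY_* values encode the KeyUsage BIT STRING as a nine-bit integer, digitalSignature (bit 0) at 256 down to decipherOnly (bit 8) at 1, but nothing in the header says so, and the parser in gnutls_cert.c stores only one octet, so the two halves of the commit disagree on the layout. A comment above the block, such as `/* KeyUsage bit i of the X.509 BIT STRING maps to (1 << (8 - i)); the parser must fill KeyUsage as a nine-bit value */`, would pin the intended layout down for whoever reconciles the parser. An `enum` would also suit these related integer constants better than nine bare `#define`s, keeping them debugger-visible and block-scoped.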
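Review bot: Dropping the sentence that gnutls_strerror() returns a malloc'ed value that must be freed contradicts the first hunk of this file, where gnutls_perror() still releases `ret` with `gnutls_free( ret);`; if `ret` is the result of gnutls_strerror() (its assignment is outside the hunk), then either the return value is still heap-allocated and the doc now misleads callers into leaking it, or it is no longer allocated and gnutls_perror() frees a pointer it does not own. Whichever is the case, the doc comment should state the ownership explicitly, e.g. `* The returned string is static and must not be freed by the caller.` if it is static, and gnutls_perror() should be made to match. Both function bodies extend outside the hunks.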
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index d40457955c..1eb0522a7c 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -1713,13 +1713,20 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, GNUTLS_CipherSuite *newSuite; int newSuiteSize = 0, i, j, keep; const X509PKI_CREDENTIALS x509_cred; - gnutls_cert *cert; + gnutls_cert *cert=NULL; KXAlgorithm *alg; int alg_size; KXAlgorithm kx; + /* FIXME: remove algorithms depending on the KeyUsage bits + * eg. + * if (cert.KeyUsage & X509KEY_DIGITAL_SIGNATURE) + * we've got a sign-only key... (ok we need to check + * it more than that). + */ + if (state->security_parameters.entity == GNUTLS_CLIENT) - return 0; /* currently does nothing */ + return 0; /* if we should use a specific certificate, * we should remove all algorithms that are not supported @@ -1745,19 +1752,27 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, extensions.dnsname); } - if (cert == NULL) { /* if no such cert, use the first in the list + + if (cert == NULL && x509_cred->cert_list!=NULL) { /* if no such cert, use the first in the list */ cert = &x509_cred->cert_list[0][0]; - } - /* get all the key exchange algorithms that are - * supported by the certificate parameters. - */ - if ((ret = _gnutls_cert_supported_kx(cert, &alg, &alg_size)) < 0) { - gnutls_assert(); - return ret; + /* get all the key exchange algorithms that are + * supported by the X509 certificate parameters. + */ + if ((ret = _gnutls_cert_supported_kx(cert, &alg, &alg_size)) < 0) { + gnutls_assert(); + return ret; + } + + } else { + /* No certificate was found + */ + alg_size = 0; + alg = NULL; } + newSuite = gnutls_malloc(numCipherSuites * sizeof(GNUTLS_CipherSuite)); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 6f70e261c1..3bf52d0727 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h 
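Review bot: The early `return 0;` for GNUTLS_CLIENT lost its only explanation when `/* currently does nothing */` was dropped, so a reader now has to infer from the comment that follows that only the server side filters suites by its certificate. Suggest `return 0; /* only the server side is filtered by its certificate */`, assuming that reading of the following comment is right. The new FIXME is useful, but its example `cert.KeyUsage & X509KEY_DIGITAL_SIGNATURE` only works once KeyUsage is filled as a nine-bit value, which the parser change in this commit does not yet do. _gnutls_remove_unwanted_ciphersuites continues past both ends of the hunk.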
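Review bot: `cert = &x509_cred->cert_list[0][0];` is now guarded only by `x509_cred->cert_list!=NULL`; if cert_list is a pointer-to-pointer list (the `[0][0]` indexing suggests it), the inner `cert_list[0]` is still dereferenced unchecked, so a credential set whose outer list was allocated but holds no entries would still fault here. Extend the guard to the inner list, e.g. `if (cert == NULL && x509_cred->cert_list != NULL && x509_cred->cert_list[0] != NULL) {`, and to whatever entry count the credentials structure carries (not visible in this hunk). The else branch's `alg_size = 0; alg = NULL;` is the right shape for "no certificate", but the loop that consumes alg and the eventual release of it lie outside the hunk, so I could not confirm they handle the empty case; _gnutls_remove_unwanted_ciphersuites continues beyond both ends of the hunk.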
@@ -29,10 +29,10 @@ #define WRITE_DEBUG #define HARD_DEBUG #define BUFFERS_DEBUG +#define RECORD_DEBUG*/ #define HANDSHAKE_DEBUG -#define RECORD_DEBUG #define DEBUG -*/ + #define SOCKET int #define LIST ... |