moving gnutls_DN structures out of gnutls_cert and auth_info structures.

Now they are generated upon request.
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2001-12-04 10:57:03 +0000
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2001-12-04 10:57:03 +0000
commit: f4fcde5c4eb58ea592cf5e3f0cc41534a7e73b46 (patch)
tree: 86a97683c106d60fea2c07653fb5ccdf29415110
parent: c488ad631dfb3f719334d5fa41ff1d2b41ad2e19 (diff)
download: gnutls-f4fcde5c4eb58ea592cf5e3f0cc41534a7e73b46.tar.gz
14 files changed, 310 insertions, 259 deletions
diff --git a/lib/auth_x509.c b/lib/auth_x509.c
index 4c134dadf3..cf3e22c292 100644
--- a/lib/auth_x509.c
+++ b/lib/auth_x509.c
@@ -45,10 +45,6 @@ int _gnutls_copy_x509_client_auth_info( X509PKI_AUTH_INFO info, gnutls_cert* cer
   */
 int ret;
 
-  	memcpy( &info->peer_dn, &cert->cert_info, sizeof(gnutls_DN));
-  	memcpy( &info->issuer_dn, &cert->issuer_info, sizeof(gnutls_DN));
-  	
-
 	info->peer_certificate_status = verify;
 
 	info->peer_certificate_version = cert->version;
@@ -312,7 +308,7 @@ int data_size = _data_size;
 		 * choose of certificate, otherwise (-1), he
 		 * will be prompted to choose one.
 		 */
-		try = cred->client_cert_callback( NULL, NULL, 0, NULL, 0);
+		try = cred->client_cert_callback( NULL, 0, NULL, 0);
 	}
 	
 	if (try>=0)
@@ -357,18 +353,13 @@ int data_size = _data_size;
 	} while (1);
 
 	if (indx==-1 && cred->client_cert_callback!=NULL && cred->ncerts > 0) {/* use a callback to get certificate */
-		gnutls_DN *cdn=NULL;
-		gnutls_DN *idn=NULL;
-		gnutls_DN *req_dn=NULL;
-		gnutls_datum tmp;
+		gnutls_datum *my_certs=NULL;
+		gnutls_datum *issuers_dn=NULL;
 		int count;
 		
-		cdn = gnutls_malloc( cred->ncerts* sizeof(gnutls_DN));
-		if (cdn==NULL) goto clear;
+		my_certs = gnutls_malloc( cred->ncerts* sizeof(gnutls_datum));
+		if (my_certs==NULL) goto clear;
 		
-		idn = gnutls_malloc( cred->ncerts* sizeof(gnutls_DN));
-		if (idn==NULL) goto clear;
-
 		/* put the requested DNs to req_dn
 		 */		
 		data = _data;
@@ -384,13 +375,14 @@ int data_size = _data_size;
 			
 			data += 2;
 			
-			req_dn = gnutls_realloc_fast( req_dn, (count+1)*sizeof(gnutls_DN));
-			if (req_dn==NULL) goto clear;
+			issuers_dn = gnutls_realloc_fast( issuers_dn, (count+1)*sizeof(gnutls_datum));
+			if (issuers_dn==NULL) goto clear;
+			
+			issuers_dn->data = data;
+			issuers_dn->size = size;
+			
+			count++; /* otherwise we have failed */
 			
-			tmp.data = data;
-			tmp.size = size;
-			if (_gnutls_dn2gnutlsdn( &req_dn[count], &tmp)==0)
-				count++; /* otherwise we have failed */
 			data+=size;
 
 			if (data_size==0) break;
@@ -400,15 +392,13 @@ int data_size = _data_size;
 		/* put our certificate's issuer and dn into cdn, idn
 		 */
 		for(i=0;i<cred->ncerts;i++) {
-			memcpy( &cdn[i], &cred->cert_list[i][0].cert_info, sizeof(gnutls_DN));
-			memcpy( &idn[i], &cred->cert_list[i][0].issuer_info, sizeof(gnutls_DN));
+			my_certs[i] = cred->cert_list[i][0].raw;
 		}
-		indx = cred->client_cert_callback( cdn, idn, cred->ncerts, req_dn, count);
+		indx = cred->client_cert_callback( my_certs, cred->ncerts, issuers_dn, count);
 
 		clear:
-			gnutls_free(cdn);
-			gnutls_free(req_dn);
-			gnutls_free(idn);
+			gnutls_free(my_certs);
+			gnutls_free(issuers_dn);
 	}
 	*ind = indx;
 	return 0;
@@ -906,13 +896,10 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
 			*apr_cert_list_length = 0;
 			*apr_pkey = NULL;
 		} else {
-			const char* dnsname = gnutls_ext_get_name_ind( state, GNUTLS_DNSNAME);
-			if (dnsname==NULL) dnsname="";
 			
 			ind =
-			    _gnutls_find_cert_list_index(cred->cert_list,
-							 cred->ncerts,
-							 dnsname);
+			    _gnutls_find_cert_list_index(state, cred->cert_list,
+							 cred->ncerts);
 
 			if (ind < 0) {
 				*apr_cert_list = NULL;
@@ -947,3 +934,123 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
 	
 	return 0;
 }
+
+#define CHECK_AUTH(auth, ret) if (gnutls_get_auth_type(state) != auth) { \
+	gnutls_assert(); \
+	return ret; \
+	}
+
+/**
+  * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name
+  * @state: is a gnutls state
+  * @ret: a pointer to a structure to hold the peer's name
+  *
+  * This function will return the name of the peer. The name is gnutls_DN structure and 
+  * is a obtained by the peer's certificate. If the certificate send by the
+  * peer is invalid, or in any other failure this function returns error.
+  * Returns a negative error code in case of an error.
+  *
+  **/
+int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+{
+	X509PKI_AUTH_INFO info;
+	node_asn *c2;
+	int result;
+
+	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
+
+	memset( ret, 0, sizeof(gnutls_DN));
+
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_E_INVALID_REQUEST;
+
+	if (asn1_create_structure
+	    (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
+	     "certificate2")
+	    != ASN_OK) {
+		gnutls_assert();
+		return GNUTLS_E_ASN1_ERROR;
+	}
+
+
+	result = asn1_get_der(c2, info->raw_certificate.data, info->raw_certificate.size);
+	if (result != ASN_OK) {
+		/* couldn't decode DER */
+#ifdef DEBUG
+		_gnutls_log("Decoding error %d\n", result);
+#endif
+		gnutls_assert();
+		asn1_delete_structure(c2);
+		return GNUTLS_E_ASN1_PARSING_ERROR;
+	}
+	if ((result =
+	     _gnutls_get_name_type(c2,
+				   "certificate2.tbsCertificate.subject",
+				   ret)) < 0) {
+		gnutls_assert();
+		asn1_delete_structure(c2);
+		return result;
+	}
+
+	asn1_delete_structure(c2);
+
+	return 0;
+}
+
+/**
+  * gnutls_x509pki_get_issuer_dn - This function returns the peer's issuer distinguished name
+  * @state: is a gnutls state
+  * @ret: a pointer to a structure to hold the issuer's name
+  *
+  * This function will return the name of the issuer of peer. The name is a gnutls_DN structure and 
+  * is a obtained by the peer's certificate. If the certificate send by the
+  * peer is invalid, or in any other failure this function returns error.
+  * Returns a negative error code in case of an error.
+  *
+  **/
+int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+{
+	X509PKI_AUTH_INFO info;
+	node_asn *c2;
+	int result;
+
+	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
+
+	memset( ret, 0, sizeof(gnutls_DN));
+
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_E_INVALID_REQUEST;
+
+	if (asn1_create_structure
+	    (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
+	     "certificate2")
+	    != ASN_OK) {
+		gnutls_assert();
+		return GNUTLS_E_ASN1_ERROR;
+	}
+
+	result = asn1_get_der(c2, info->raw_certificate.data, info->raw_certificate.size);
+	if (result != ASN_OK) {
+		/* couldn't decode DER */
+#ifdef DEBUG
+		_gnutls_log("Decoding error %d\n", result);
+#endif
+		gnutls_assert();
+		asn1_delete_structure(c2);
+		return GNUTLS_E_ASN1_PARSING_ERROR;
+	}
+	if ((result =
+	     _gnutls_get_name_type(c2,
+				   "certificate2.tbsCertificate.issuer",
+				   ret)) < 0) {
+		gnutls_assert();
+		asn1_delete_structure(c2);
+		return result;
+	}
+
+	asn1_delete_structure(c2);
+
+	return 0;
+}
diff --git a/lib/auth_x509.h b/lib/auth_x509.h
index 25a831fd8b..27385a5705 100644
--- a/lib/auth_x509.h
+++ b/lib/auth_x509.h
@@ -44,8 +44,6 @@ typedef struct {
 #define X509PKI_CREDENTIALS X509PKI_CREDENTIALS_INT*
 
 typedef struct X509PKI_AUTH_INFO_INT {
-	gnutls_DN	  peer_dn;
-	gnutls_DN	  issuer_dn;
 	CertificateStatus peer_certificate_status;
 	int		  peer_certificate_version;
 	time_t		  peer_certificate_activation_time;
diff --git a/lib/debug.c b/lib/debug.c
index 3a20501955..bcaccf7d6a 100644
--- a/lib/debug.c
+++ b/lib/debug.c
@@ -218,4 +218,9 @@ static char str[512];
 	return str;	
 	
 }
+
+const char* GET_CN( gnutls_datum cert) {
+	return NULL; /* FIXME */
+}
+
 #endif
diff --git a/lib/debug.h b/lib/debug.h
index 85ad14b261..f95145d84d 100644
--- a/lib/debug.h
+++ b/lib/debug.h
@@ -25,4 +25,5 @@ void _gnutls_dump_mpi(char* prefix,MPI a);
 char* _gnutls_packet2str( int packet);
 char* _gnutls_alert2str( int alert);
 char* _gnutls_handshake2str( int handshake);
+char* GET_CN( gnutls_datum);
 #endif
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 86c7b572cb..789b54b7f8 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -820,7 +820,9 @@ static int _gnutls_get_version(node_asn * c2, char *root)
 #endif
 
 /* This function will convert a der certificate, to a format
- * (structure) that gnutls can understand and use.
+ * (structure) that gnutls can understand and use. Actually the
+ * important thing on this function is that it extracts the 
+ * certificate's (public key) parameters.
  */
 int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
 {
@@ -924,18 +926,6 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
 	gCert->signature_size = len;
 
 
-	memset(&gCert->cert_info, 0, sizeof(gCert->cert_info));
-	memset(&gCert->issuer_info, 0, sizeof(gCert->issuer_info));
-
-	if ((result =
-	     _gnutls_get_name_type(c2,
-				   "certificate2.tbsCertificate.subject",
-				   &gCert->cert_info)) < 0) {
-		gnutls_assert();
-		asn1_delete_structure(c2);
-		return result;
-	}
-
 	memset(&gCert->subjectAltDNSName, 0,
 	       sizeof(gCert->subjectAltDNSName));
 	if ((result =
@@ -947,16 +937,6 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
 		return result;
 	}
 
-	if ((result =
-	     _gnutls_get_name_type(c2,
-				   "certificate2.tbsCertificate.issuer",
-				   &gCert->issuer_info)) < 0) {
-		gnutls_assert();
-		asn1_delete_structure(c2);
-		return result;
-	}
-
-
 	gCert->expiration_time =
 	    _gnutls_get_time(c2, "certificate2", "notAfter");
 	gCert->activation_time =
@@ -982,7 +962,7 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert)
 /* Returns 0 if it's ok to use the KXAlgorithm with this cert
  * (using KeyUsage field). 
  */
-int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg)
+int _gnutls_check_x509_key_usage(const gnutls_cert * cert, KXAlgorithm alg)
 {
 	if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) {
 		switch (alg) {
@@ -1022,7 +1002,7 @@ int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg)
  * This function also uses the KeyUsage field of the certificate
  * extensions in order to disable unneded algorithms.
  */
-int _gnutls_cert_supported_kx(gnutls_cert * cert, KXAlgorithm ** alg,
+int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg,
 			      int *alg_size)
 {
 	KXAlgorithm kx;
@@ -1052,53 +1032,30 @@ int _gnutls_cert_supported_kx(gnutls_cert * cert, KXAlgorithm ** alg,
 	return 0;
 }
 
-/* finds a certificate in the cert lists that contains
- * common_name (or subjectAltDNSName) field similar to name
+/* finds the most appropriate certificate in the cert list.
+ * The 'appropriate' is defined by the user.
+ * FIXME: provide user callback.
  */
-gnutls_cert *_gnutls_find_cert(gnutls_cert ** cert_list,
-			       int cert_list_length, const char *name)
+const gnutls_cert *_gnutls_find_cert( GNUTLS_STATE state, gnutls_cert ** cert_list,
+			       int cert_list_length)
 {
-	gnutls_cert *cert = NULL;
 	int i;
 
-	for (i = 0; i < cert_list_length; i++) {
-		if (cert_list[i][0].cert_info.common_name[0] != 0
-		    || cert_list[i][0].subjectAltDNSName[0] != 0) {
-			if (strcasecmp
-			    (cert_list[i][0].cert_info.common_name,
-			     name) == 0
-			    || strcasecmp(cert_list[i][0].
-					  subjectAltDNSName, name) == 0) {
-				cert = &cert_list[i][0];
-				break;
-			}
-		}
-	}
-	return cert;
+	i = _gnutls_find_cert_list_index( state, cert_list, cert_list_length);
+	if (i<0) return NULL;
+	
+	return &cert_list[i][0];
 }
 
-/* finds the index of a certificate in the cert lists that contains
- * common_name (or subjectAltDNSName) field similar to name
+/* finds the most appropriate certificate in the cert list.
+ * The 'appropriate' is defined by the user.
+ * FIXME: provide user callback.
  */
-int _gnutls_find_cert_list_index(gnutls_cert ** cert_list,
-				 int cert_list_length, const char *name)
+int _gnutls_find_cert_list_index( GNUTLS_STATE state, gnutls_cert ** cert_list,
+				 int cert_list_length)
 {
 	int index = 0;
-	int i;
 
-	for (i = 0; i < cert_list_length; i++) {
-		if (cert_list[i][0].cert_info.common_name[0] != 0
-		    || cert_list[i][0].subjectAltDNSName[0] != 0) {
-			if (strcasecmp
-			    (cert_list[i][0].cert_info.common_name,
-			     name) == 0
-			    || strcasecmp(cert_list[i][0].
-					  subjectAltDNSName, name) == 0) {
-				index = i;
-				break;
-			}
-		}
-	}
 	return index;
 }
 
@@ -1127,16 +1084,15 @@ int gnutls_x509pki_set_cert_request(GNUTLS_STATE state,
   * @func: is the callback function
   *
   * The callback's function form is:
-  * int (*callback)(gnutls_DN *client_cert, gnutls_DN *issuer_cert, int ncerts, gnutls_DN* req_ca_cert, int nreqs);
+  * int (*callback)(gnutls_datum *client_cert, int ncerts, gnutls_datum* req_ca_cert, int nreqs);
   *
-  * 'client_cert' contains 'ncerts' gnutls_DN structures which hold
-  * DN data from the client certificate. 'issuer_cert' holds DN data
-  * for the issuer of the certificate. Ie. issuer_cert[i] is the issuer of
-  * client_cert[i]. (i < ncerts)
+  * 'client_cert' contains 'ncerts' gnutls_datum structures which hold
+  * the DER encoded X.509 certificates of the client. 
   *
-  * 'req_ca_cert' contains a list with the CA certificates that the server
+  * 'req_ca_cert' contains a list with the CA names that the server
   * considers trusted. Normaly we should send a certificate that is signed
-  * by one of these CAs.
+  * by one of these CAs. These names are DER encoded. To get a more
+  * meaningful value use the function _gnutls_dn2gnutlsdn().
   *
   * This function specifies what we (in case of a client) are going
   * to do when we have to send a certificate. If this callback
diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h
index b9743ad9fc..2b9365e02b 100644
--- a/lib/gnutls_cert.h
+++ b/lib/gnutls_cert.h
@@ -12,8 +12,6 @@ typedef struct gnutls_cert {
 				 */
 	PKAlgorithm subject_pk_algorithm;
 
-	gnutls_DN  cert_info;
-	gnutls_DN  issuer_info;
 	opaque	   subjectAltDNSName[X509_CN_SIZE]; 
 	int 	   subjectAltDNSName_size;
 	
@@ -47,18 +45,18 @@ typedef struct {
 	gnutls_datum raw; /* the raw key */
 } gnutls_private_key;
 
+struct GNUTLS_STATE_INT; /* because GNUTLS_STATE is not defined when this file is included */
 
-int _gnutls_cert_supported_kx(gnutls_cert* cert, KXAlgorithm **alg, int *alg_size);
+int _gnutls_cert_supported_kx( const gnutls_cert* cert, KXAlgorithm **alg, int *alg_size);
 PKAlgorithm _gnutls_map_pk_get_pk(KXAlgorithm kx_algorithm);
 int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert);
-gnutls_cert* _gnutls_find_cert( gnutls_cert** cert_list, int cert_list_length, const char* name);
-int _gnutls_find_cert_list_index(gnutls_cert ** cert_list,
-			       int cert_list_length, const char *name);
+const gnutls_cert* _gnutls_find_cert( struct GNUTLS_STATE_INT*, gnutls_cert** cert_list, int cert_list_length);
+int _gnutls_find_cert_list_index( struct GNUTLS_STATE_INT*, gnutls_cert ** cert_list, int cert_list_length);
 
 #define MAX_INT_DIGITS 4
 void _gnutls_int2str(int k, char* data);
 int _gnutls_get_name_type( node_asn *rasn, char *root, gnutls_DN * dn);
 void gnutls_free_cert(gnutls_cert cert);
-int _gnutls_check_x509_key_usage(gnutls_cert * cert, KXAlgorithm alg);
+int _gnutls_check_x509_key_usage( const gnutls_cert * cert, KXAlgorithm alg);
 
 #endif
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index ef9e339d0e..3557b5dec0 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1870,11 +1870,10 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state,
 	GNUTLS_CipherSuite *newSuite;
 	int newSuiteSize = 0, i, j, keep;
 	const X509PKI_CREDENTIALS x509_cred;
-	gnutls_cert *cert = NULL;
+	const gnutls_cert *cert = NULL;
 	KXAlgorithm *alg;
 	int alg_size;
 	KXAlgorithm kx;
-	const char *dnsname;
 
 	if (state->security_parameters.entity == GNUTLS_CLIENT)
 		return 0;
@@ -1891,23 +1890,18 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state,
 	/* if x509_cred==NULL we should remove all X509 ciphersuites
 	 */
 
-	/* find the certificate that has dnsname in the subject
-	 * name or subject Alternative name.
-	 */
-
 	cert = NULL;
-	dnsname = gnutls_ext_get_name_ind(state, GNUTLS_DNSNAME);
 
-	if (dnsname != NULL && dnsname[0] != 0) {
-		cert =
-		    (gnutls_cert *) _gnutls_find_cert(x509_cred->cert_list,
-						      x509_cred->ncerts,
-						      dnsname);
-	}
-	if (cert == NULL && x509_cred->cert_list != NULL) {	/* if no such cert, use the first in the list 
-								 */
-		cert = &x509_cred->cert_list[0][0];
+	cert =
+	    _gnutls_find_cert(state, x509_cred->cert_list,
+						      x509_cred->ncerts);
 
+	if (cert == NULL) {
+		/* No certificate was found 
+		 */
+		alg_size = 0;
+		alg = NULL;
+	} else {
 		/* get all the key exchange algorithms that are 
 		 * supported by the X509 certificate parameters.
 		 */
@@ -1917,14 +1911,8 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state,
 			gnutls_assert();
 			return ret;
 		}
-	} else {
-		/* No certificate was found 
-		 */
-		alg_size = 0;
-		alg = NULL;
 	}
 
-
 	newSuite =
 	    gnutls_malloc(numCipherSuites * sizeof(GNUTLS_CipherSuite));
 	if (newSuite==NULL) {
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index dd133b29ea..1aacd4058f 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -31,9 +31,9 @@
 #define WRITE_DEBUG
 #define READ_DEBUG
 #define HANDSHAKE_DEBUG // Prints some information on handshake 
-#define RECORD_DEBUG
+#define RECORD_DEBUG*/
 #define DEBUG
-*/
+
 
 /* It might be a good idea to replace int with void*
  * here.
@@ -338,6 +338,8 @@ typedef struct {
 #define CompressionMethod_Priority GNUTLS_Priority
 #define Protocol_Priority GNUTLS_Priority
 
+typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int);
+
 typedef struct {
 	opaque				header[HANDSHAKE_HEADER_SIZE];
 	/* this holds the number of bytes in the handshake_header[] */
@@ -449,7 +451,7 @@ typedef struct {
 	/* this is a callback function to call if no appropriate
 	 * client certificates were found.
 	 */
-	int				(*x509_client_cert_callback)(void*,void*,int, void*, int);
+	x509_cert_callback_func*	x509_client_cert_callback;
 	gnutls_cert			peer_cert;
 	int				max_handshake_data_buffer_size;
 
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 1875e5d322..573fe79677 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -432,6 +432,15 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
 		case GNUTLS_E_ILLEGAL_PARAMETER:
                         ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_ILLEGAL_PARAMETER);
                         break;
+		case GNUTLS_E_ASN1_PARSING_ERROR:
+                        ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_BAD_CERTIFICATE);
+                        break;
+		case GNUTLS_E_UNKNOWN_CIPHER_SUITE:
+                        ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_HANDSHAKE_FAILURE);
+                        break;
+		case GNUTLS_E_UNEXPECTED_PACKET:
+                        ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_UNEXPECTED_MESSAGE);
+                        break;
                                                               
 	}
 	return ret;
@@ -448,10 +457,10 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
   *
   * in case of GNUTLS_SHUT_RDWR then the connection gets terminated and
   * further receives and sends will be disallowed. If the return
-  * value is zero you may continue using the TCP connection.
+  * value is zero you may continue using the connection.
   *
   * in case of GNUTLS_SHUT_WR then the connection gets terminated and
-  * further sends will be disallowed. In order to reuse the TCP connection
+  * further sends will be disallowed. In order to reuse the connection
   * you should wait for an EOF from the peer.
   *
   * This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED.
@@ -1111,7 +1120,8 @@ AlertDescription gnutls_get_last_alert( GNUTLS_STATE state) {
   * @sizeofdata: is the length of the data
   *
   * This function has the same semantics as write() has. The only
-  * difference is that is accepts a GNUTLS state.
+  * difference is that is accepts a GNUTLS state, and uses different
+  * error codes.
   *
   * If the EINTR is returned by the internal push function (write())
   * then GNUTLS_E_INTERRUPTED, will be returned. If GNUTLS_E_INTERRUPTED or
@@ -1132,10 +1142,10 @@ ssize_t gnutls_write( GNUTLS_STATE state, const void *data, size_t sizeofdata) {
   * @data: contains the data to send
   * @sizeofdata: is the length of the data
   *
-  * This function has the same semantics as read() has. The only
-  * difference is that is accepts a GNUTLS state. 
-  * Returns the number of bytes received, zero on EOF, or
-  * a negative error code.
+  * This function has the same semantics as write() has. The only
+  * difference is that is accepts a GNUTLS state.
+  * Also returns the number of bytes received, zero on EOF, but
+  * a negative error code in case of an error.
   *
   * If this function returns GNUTLS_E_REHANDSHAKE, then you must
   * either send an alert containing NO_RENEGOTIATION, or perform a
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 7bb796b275..fb8fce623e 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -40,13 +40,15 @@
   * Returns NULL in case of an error.
   *
   **/
-const char* gnutls_srp_server_get_username(  GNUTLS_STATE state) {
-SRP_SERVER_AUTH_INFO info;
+const char *gnutls_srp_server_get_username(GNUTLS_STATE state)
+{
+	SRP_SERVER_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_SRP, NULL);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return NULL;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return NULL;
 	return info->username;
 }
 
@@ -61,13 +63,15 @@ SRP_SERVER_AUTH_INFO info;
   * Returns a negative value in case of an error.
   *
   **/
-int gnutls_anon_server_get_dh_bits( GNUTLS_STATE state) {
-ANON_SERVER_AUTH_INFO info;
+int gnutls_anon_server_get_dh_bits(GNUTLS_STATE state)
+{
+	ANON_SERVER_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_E_UNKNOWN_ERROR;
 	return info->dh_bits;
 }
 
@@ -80,57 +84,20 @@ ANON_SERVER_AUTH_INFO info;
   * Returns a negative value in case of an error.
   *
   **/
-int gnutls_anon_client_get_dh_bits(  GNUTLS_STATE state) {
-ANON_CLIENT_AUTH_INFO info;
+int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state)
+{
+	ANON_CLIENT_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_ANON, GNUTLS_E_INVALID_REQUEST);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_E_UNKNOWN_ERROR;
 	return info->dh_bits;
 }
 
 
 /* X509PKI */
-/**
-  * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name
-  * @state: is a gnutls state
-  *
-  * This function will return the name of the peer. The name is gnutls_DN structure and 
-  * is a obtained by the peer's certificate. If the certificate send by the
-  * peer is invalid, or in any other failure this function returns NULL.
-  * Returns NULL in case of an error.
-  *
-  **/
-const gnutls_DN* gnutls_x509pki_get_peer_dn(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
-
-	CHECK_AUTH(GNUTLS_X509PKI, NULL);
-
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return NULL;
-	return &info->peer_dn;
-}
-
-/**
-  * gnutls_x509pki_get_issuer_dn - This function returns the peer's certificate issuer distinguished name
-  * @state: is a gnutls state
-  *
-  * This function will return the name of the peer's certificate issuer. The name is gnutls_DN structure and 
-  * is a obtained by the peer's certificate. If the certificate send by the
-  * peer is invalid, or in any other failure this function returns NULL.
-  * Returns NULL in case of an error.
-  *
-  **/
-const gnutls_DN* gnutls_x509pki_get_issuer_dn(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
-
-	CHECK_AUTH(GNUTLS_X509PKI, NULL);
-
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return NULL;
-	return &info->issuer_dn;
-}
 
 /**
   * gnutls_x509pki_get_peer_certificate_status - This function returns the peer's certificate status
@@ -142,13 +109,16 @@ X509PKI_AUTH_INFO info;
   * Returns GNUTLS_CERT_NONE in case of an error, or if no certificate was sent.
   *
   **/
-CertificateStatus gnutls_x509pki_get_peer_certificate_status(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+CertificateStatus gnutls_x509pki_get_peer_certificate_status(GNUTLS_STATE
+							     state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_CERT_NONE);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return GNUTLS_CERT_NONE;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_CERT_NONE;
 	return info->peer_certificate_status;
 }
 
@@ -161,13 +131,15 @@ X509PKI_AUTH_INFO info;
   * Returns NULL in case of an error, or if no certificate was sent.
   *
   **/
-const gnutls_datum * gnutls_x509pki_get_peer_certificate(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+const gnutls_datum *gnutls_x509pki_get_peer_certificate(GNUTLS_STATE state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, NULL);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return NULL;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return NULL;
 	return &info->raw_certificate;
 }
 
@@ -180,13 +152,15 @@ X509PKI_AUTH_INFO info;
   * Returns a negative value in case of an error.
   *
   **/
-int gnutls_x509pki_get_peer_certificate_version(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_E_UNKNOWN_ERROR;
 	return info->peer_certificate_version;
 }
 
@@ -200,13 +174,15 @@ X509PKI_AUTH_INFO info;
   * Returns a negative value in case of an error.
   *
   **/
-int gnutls_x509pki_get_dh_bits(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+int gnutls_x509pki_get_dh_bits(GNUTLS_STATE state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_E_UNKNOWN_ERROR;
 	return info->dh_bits;
 }
 
@@ -219,13 +195,16 @@ X509PKI_AUTH_INFO info;
   * Returns a (time_t) -1 in case of an error.
   *
   **/
-time_t gnutls_x509pki_get_peer_certificate_activation_time(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
+							   state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, -1);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return -1;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return -1;
 	return info->peer_certificate_activation_time;
 }
 
@@ -238,13 +217,16 @@ X509PKI_AUTH_INFO info;
   * Returns a (time_t) -1 in case of an error.
   *
   **/
-time_t gnutls_x509pki_get_peer_certificate_expiration_time(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
+							   state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, -1);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return -1;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return -1;
 	return info->peer_certificate_expiration_time;
 }
 
@@ -258,13 +240,15 @@ X509PKI_AUTH_INFO info;
   * Returns zero in case of an error.
   *
   **/
-unsigned char gnutls_x509pki_get_key_usage(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+unsigned char gnutls_x509pki_get_key_usage(GNUTLS_STATE state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, 0);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return 0;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return 0;
 	return info->keyUsage;
 }
 
@@ -277,13 +261,15 @@ X509PKI_AUTH_INFO info;
   * Returns a negative value in case of an error.
   *
   **/
-int gnutls_x509pki_get_certificate_request_status(  GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+int gnutls_x509pki_get_certificate_request_status(GNUTLS_STATE state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, 0);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return GNUTLS_E_UNKNOWN_ERROR;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return GNUTLS_E_UNKNOWN_ERROR;
 	return info->certificate_requested;
 }
 
@@ -299,13 +285,14 @@ X509PKI_AUTH_INFO info;
   * Returns NULL in case of an error.
   *
   **/
-const char* gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE state) {
-X509PKI_AUTH_INFO info;
+const char *gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state)
+{
+	X509PKI_AUTH_INFO info;
 
 	CHECK_AUTH(GNUTLS_X509PKI, NULL);
 
-	info = _gnutls_get_auth_info(state);	
-	if (info==NULL) return NULL;
+	info = _gnutls_get_auth_info(state);
+	if (info == NULL)
+		return NULL;
 	return info->subjectAltDNSName;
 }
-
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 27784f24d4..ce7b6f9651 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -35,11 +35,11 @@ typedef struct {
 #define X509KEY_ENCIPHER_ONLY		2
 #define X509KEY_DECIPHER_ONLY		1
 
-typedef int x509_cert_callback_func(gnutls_DN *, gnutls_DN *, int, gnutls_DN *, int);
-
 
 # ifdef LIBGNUTLS_VERSION /* defined only in gnutls.h */
 
+typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int);
+
 /* Functions that allow AUTH_INFO structures handling
  */
 
@@ -60,9 +60,9 @@ int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func
 int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest);
 
 int gnutls_x509pki_get_certificate_request_status(  GNUTLS_STATE);
-const gnutls_DN* gnutls_x509pki_get_peer_dn( GNUTLS_STATE);
+int gnutls_x509pki_get_peer_dn( GNUTLS_STATE, gnutls_DN*);
 const gnutls_datum* gnutls_x509pki_get_peer_certificate( GNUTLS_STATE);
-const gnutls_DN* gnutls_x509pki_get_issuer_dn(  GNUTLS_STATE);
+int gnutls_x509pki_get_issuer_dn(  GNUTLS_STATE, gnutls_DN *);
 CertificateStatus gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE);
 int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE);
 time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE);
diff --git a/lib/x509_extensions.c b/lib/x509_extensions.c
index 3e2922dca0..702410e4b8 100644
--- a/lib/x509_extensions.c
+++ b/lib/x509_extensions.c
@@ -191,7 +191,7 @@ static int _parse_extension( gnutls_cert* cert, char* extnID, char* critical, ch
 	}
 
 #ifdef DEBUG
-	_gnutls_log("CERT[%s]: Unsupported Extension: %s, %s\n", cert->cert_info.common_name, extnID, critical);
+	_gnutls_log("CERT[%s]: Unsupported Extension: %s, %s\n", GET_CN(cert->raw), extnID, critical);
 #endif
 	
 	if (strcmp( critical, "TRUE")==0) {
diff --git a/src/cli.c b/src/cli.c
index f973e6feac..19b1ad4b2e 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -53,19 +53,19 @@
 #define CLICERTFILE "x509/clicert.pem"
 
 #define PRINTX(x,y) if (y[0]!=0) printf(" -   %s %s\n", x, y)
-#define PRINT_DN(X) PRINTX( "CN:", X->common_name); \
-	PRINTX( "OU:", X->organizational_unit_name); \
-	PRINTX( "O:", X->organization); \
-	PRINTX( "L:", X->locality_name); \
-	PRINTX( "S:", X->state_or_province_name); \
-	PRINTX( "C:", X->country); \
-	PRINTX( "E:", X->email); \
+#define PRINT_DN(X) PRINTX( "CN:", X.common_name); \
+	PRINTX( "OU:", X.organizational_unit_name); \
+	PRINTX( "O:", X.organization); \
+	PRINTX( "L:", X.locality_name); \
+	PRINTX( "S:", X.state_or_province_name); \
+	PRINTX( "C:", X.country); \
+	PRINTX( "E:", X.email); \
 	PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(state))
 
 static int print_info( GNUTLS_STATE state) {
 const char *tmp;
 CredType cred;
-const gnutls_DN* dn;
+gnutls_DN dn;
 CertificateStatus status;
 
 
@@ -102,10 +102,10 @@ CertificateStatus status;
 				printf(" - Certificate info:\n");
 				printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state));
 
-				dn = gnutls_x509pki_client_get_peer_dn( state);
+				gnutls_x509pki_client_get_peer_dn( state, &dn);
 				PRINT_DN( dn);
 
-				dn = gnutls_x509pki_client_get_issuer_dn( state);
+				gnutls_x509pki_client_get_issuer_dn( state, &dn);
 				printf(" - Certificate Issuer's info:\n");
 				PRINT_DN( dn);
 			}
@@ -126,9 +126,9 @@ CertificateStatus status;
 	return 0;
 }
 
-int cert_callback( gnutls_DN *client_cert, gnutls_DN *issuer_cert, int ncerts, gnutls_DN* req_ca_cert, int nreqs) {
+int cert_callback( const gnutls_datum *client_certs, int ncerts, const gnutls_datum* req_ca_cert, int nreqs) {
 
-	if (client_cert==NULL) {
+	if (client_certs==NULL) {
 		return 0; /* means the we will only be called again
 		           * if the library cannot determine which
 		           * certificate to send
diff --git a/src/serv.c b/src/serv.c
index 2daf33613a..8bf777f159 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -101,13 +101,13 @@ GNUTLS_STATE initialize_state()
 }
 
 #define PRINTX(x,y) if (y[0]!=0) printf(" -   %s %s\n", x, y)
-#define PRINT_DN(X) PRINTX( "CN:", X->common_name); \
-	PRINTX( "OU:", X->organizational_unit_name); \
-	PRINTX( "O:", X->organization); \
-	PRINTX( "L:", X->locality_name); \
-	PRINTX( "S:", X->state_or_province_name); \
-	PRINTX( "C:", X->country); \
-	PRINTX( "E:", X->email); \
+#define PRINT_DN(X) PRINTX( "CN:", X.common_name); \
+	PRINTX( "OU:", X.organizational_unit_name); \
+	PRINTX( "O:", X.organization); \
+	PRINTX( "L:", X.locality_name); \
+	PRINTX( "S:", X.state_or_province_name); \
+	PRINTX( "C:", X.country); \
+	PRINTX( "E:", X.email); \
 	PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name(state))
 
 void print_info(GNUTLS_STATE state)
@@ -115,7 +115,7 @@ void print_info(GNUTLS_STATE state)
 	const char *tmp;
 	unsigned char sesid[32];
 	int sesid_size, i;
-	const gnutls_DN* dn;
+	gnutls_DN dn;
 	CredType cred;
 	CertificateStatus status;
 	
@@ -176,12 +176,11 @@ void print_info(GNUTLS_STATE state)
 				printf(" - Certificate info:\n");
 				printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(state));
 
-				dn = gnutls_x509pki_client_get_peer_dn( state);
-				if (dn!=NULL)
+				if (gnutls_x509pki_client_get_peer_dn( state, &dn) > 0) {
 					PRINT_DN( dn);
-
-				dn = gnutls_x509pki_client_get_issuer_dn( state);
-				if (dn!=NULL) {
+				}
+				
+				if (gnutls_x509pki_client_get_issuer_dn( state, &dn) > 0) {
 					printf(" - Certificate Issuer's info:\n");
 					PRINT_DN( dn);
 				}
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2001-12-04 10:57:03 +0000
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2001-12-04 10:57:03 +0000
commit	f4fcde5c4eb58ea592cf5e3f0cc41534a7e73b46 (patch)
tree	86a97683c106d60fea2c07653fb5ccdf29415110
parent	c488ad631dfb3f719334d5fa41ff1d2b41ad2e19 (diff)
download	gnutls-f4fcde5c4eb58ea592cf5e3f0cc41534a7e73b46.tar.gz