diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-05 17:03:52 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-05 17:03:52 +0000 |
commit | c3bb0dca4238ef75893b00d73a883a8b3f2c7ce3 (patch) | |
tree | 4eb0cac0b0da38a8b0812b86481f0f682dcc6d42 | |
parent | 3566f540c2ea57ef3fced95b06f6ba52f4f24ab8 (diff) | |
download | gnutls-c3bb0dca4238ef75893b00d73a883a8b3f2c7ce3.tar.gz |
Added callback to select the server certificate.
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/TODO | 5 | ||||
-rw-r--r-- | doc/tex/ex1.tex | 6 | ||||
-rw-r--r-- | doc/tex/ex2.tex | 6 | ||||
-rw-r--r-- | doc/tex/ex3.tex | 6 | ||||
-rw-r--r-- | doc/tex/serv1.tex | 16 | ||||
-rw-r--r-- | lib/auth_dhe_rsa.c | 18 | ||||
-rw-r--r-- | lib/auth_x509.c | 598 | ||||
-rw-r--r-- | lib/auth_x509.h | 17 | ||||
-rw-r--r-- | lib/gnutls.h.in | 46 | ||||
-rw-r--r-- | lib/gnutls_anon_cred.c | 8 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 167 | ||||
-rw-r--r-- | lib/gnutls_cert.h | 6 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 5 | ||||
-rw-r--r-- | lib/gnutls_int.h | 10 | ||||
-rw-r--r-- | lib/gnutls_srp.c | 24 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 26 | ||||
-rw-r--r-- | src/cli.c | 23 | ||||
-rw-r--r-- | src/serv.c | 28 |
19 files changed, 597 insertions, 420 deletions
@@ -4,7 +4,9 @@ Version ?.?.? gnutls_set_transport_ptr(). - introduced gnutls_x509pki_get_peer_certificate_list(). This function returns a list containing peer's certificate and issuers DER encoded. +- Added callback to select the server certificate - Updated X.509 certificate handling API +- More consistent function naming (changes in several function names) - Buffer overflow checking in ASN.1 structures parser Version 0.2.11 (16/11/2001) @@ -3,12 +3,9 @@ anything), contact the developer's mailing list (gnutls-dev@lists.gnupg.org), in order to avoid having people working on the same thing. Current list: -+ Make gnutls independent of the Certificate Manager (in order to support - other x.509 certificate managers) + Trace memory leaks in libgcrypt -+ Audit the code (we need help. Contact nmav@gnutls.org) ++ Audit the code * Add callbacks to get SRP parameters (instead of a reading password file) -* Drop dnsname extension * Minimize footprint. * Add support for certificates with DSS parameters * Add more TLS extensions diff --git a/doc/tex/ex1.tex b/doc/tex/ex1.tex index 957bcc78a5..2744a65b56 100644 --- a/doc/tex/ex1.tex +++ b/doc/tex/ex1.tex @@ -40,11 +40,11 @@ int main() exit(1); } /* X509 stuff */ - if (gnutls_allocate_x509_client_sc(&xcred, 0) < 0) { /* no client private key */ + if (gnutls_x509pki_allocate_client_sc(&xcred, 0) < 0) { /* no client private key */ fprintf(stderr, "memory error\n"); exit(1); } - gnutls_set_x509_client_trust(xcred, CAFILE, CRLFILE); + gnutls_x509pki_set_client_trust(xcred, CAFILE, CRLFILE); for (t = 0; t < 2; t++) { /* connect 2 times to the server */ @@ -163,7 +163,7 @@ int main() } /* for() */ - gnutls_free_x509_client_sc(xcred); + gnutls_x509pki_free_client_sc(xcred); gnutls_global_deinit(); diff --git a/doc/tex/ex2.tex b/doc/tex/ex2.tex index 96f9bbb5fe..d68d49f758 100644 --- a/doc/tex/ex2.tex +++ b/doc/tex/ex2.tex @@ -30,13 +30,13 @@ int main() exit(1); } /* X509 stuff */ - if (gnutls_allocate_x509_client_sc(&xcred, 0) < 0) { /* no client private key */ + if (gnutls_x509pki_allocate_client_sc(&xcred, 0) < 0) { /* no client private key */ fprintf(stderr, "memory error\n"); exit(1); } /* set's the trusted cas file */ - gnutls_set_x509_client_trust(xcred, CAFILE, CRLFILE); + gnutls_x509pki_set_client_trust(xcred, CAFILE, CRLFILE); /* connects to server */ @@ -132,7 +132,7 @@ int main() gnutls_deinit(state); - gnutls_free_x509_client_sc(xcred); + gnutls_x509pki_free_client_sc(xcred); gnutls_global_deinit(); diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex index 2a6b3229c2..939fe55f5f 100644 --- a/doc/tex/ex3.tex +++ b/doc/tex/ex3.tex @@ -61,12 +61,12 @@ int print_info(GNUTLS_STATE state) if ( cert_list_size > 0) { printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_client_extract_certificate_version( &cert_list[0])); + printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0])); - gnutls_x509pki_client_extract_dn( &cert_list[0], &dn); + gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn); PRINT_DN( dn); - gnutls_x509pki_client_extract_issuer_dn( &cert_list[0], &dn); + gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn); printf(" - Certificate Issuer's info:\n"); PRINT_DN(dn); } diff --git a/doc/tex/serv1.tex b/doc/tex/serv1.tex index 78b5b667de..d8aed908bd 100644 --- a/doc/tex/serv1.tex +++ b/doc/tex/serv1.tex @@ -56,7 +56,7 @@ GNUTLS_STATE initialize_state() /* request client certificate if any. */ - gnutls_x509pki_set_cert_request( state, GNUTLS_CERT_REQUEST); + gnutls_x509pki_server_set_cert_request( state, GNUTLS_CERT_REQUEST); return state; } @@ -124,23 +124,23 @@ int main() fprintf(stderr, "global state initialization error\n"); exit(1); } - if (gnutls_allocate_x509_server_sc(&x509_cred, 1) < 0) { + if (gnutls_x509pki_allocate_server_sc(&x509_cred, 1) < 0) { fprintf(stderr, "memory error\n"); exit(1); } - if (gnutls_set_x509_server_trust(x509_cred, CAFILE, CRLFILE) < 0) { + if (gnutls_x509pki_set_server_trust(x509_cred, CAFILE, CRLFILE) < 0) { fprintf(stderr, "X509 PARSE ERROR\nDid you have ca.pem?\n"); exit(1); } - if (gnutls_set_x509_server_key(x509_cred, CERTFILE, KEYFILE) < 0) { + if (gnutls_x509pki_set_server_key(x509_cred, CERTFILE, KEYFILE) < 0) { fprintf(stderr, "X509 PARSE ERROR\nDid you have key.pem and cert.pem?\n"); exit(1); } /* SRP_PASSWD a password file (created with the included crypt utility) * Read README.crypt prior to using SRP. */ - gnutls_allocate_srp_server_sc(&srp_cred); - gnutls_set_srp_server_cred(srp_cred, SRP_PASSWD, SRP_PASSWD_CONF); + gnutls_srp_allocateserver_sc(&srp_cred); + gnutls_srp_set_server_cred(srp_cred, SRP_PASSWD, SRP_PASSWD_CONF); /* Socket operations @@ -225,8 +225,8 @@ int main() } close(listen_sd); - gnutls_free_x509_server_sc(x509_cred); - gnutls_free_srp_server_sc(srp_cred); + gnutls_x509pki_free_server_sc(x509_cred); + gnutls_srp_free_server_sc(srp_cred); gnutls_global_deinit(); diff --git a/lib/auth_dhe_rsa.c b/lib/auth_dhe_rsa.c index ea219ef6d8..4a18872394 100644 --- a/lib/auth_dhe_rsa.c +++ b/lib/auth_dhe_rsa.c @@ -62,7 +62,6 @@ static int gen_dhe_rsa_server_kx(GNUTLS_STATE state, opaque ** data) uint8 *data_g; uint8 *data_X; int ret = 0, data_size; - const X509PKI_CREDENTIALS cred; int bits; gnutls_cert *apr_cert_list; gnutls_private_key *apr_pkey; @@ -70,13 +69,9 @@ static int gen_dhe_rsa_server_kx(GNUTLS_STATE state, opaque ** data) gnutls_datum signature, ddata; X509PKI_AUTH_INFO info; - cred = - _gnutls_get_kx_cred(state->gnutls_key, GNUTLS_X509PKI, NULL); - if (cred == NULL) { + bits = state->gnutls_internals.x509pki_dhe_bits; + if (bits < MIN_BITS) bits = DEFAULT_BITS; /* default */ - } else { - bits = cred->dh_bits; - } /* find the appropriate certificate */ if ((ret = @@ -357,16 +352,11 @@ static int proc_dhe_rsa_client_kx(GNUTLS_STATE state, opaque * data, uint16 n_Y; size_t _n_Y; MPI g, p; - const X509PKI_CREDENTIALS cred; int bits, ret; - cred = - _gnutls_get_kx_cred(state->gnutls_key, GNUTLS_X509PKI, NULL); - if (cred == NULL) { + bits = state->gnutls_internals.x509pki_dhe_bits; + if (bits < MIN_BITS) bits = DEFAULT_BITS; /* default */ - } else { - bits = cred->dh_bits; - } n_Y = READuint16(&data[0]); diff --git a/lib/auth_x509.c b/lib/auth_x509.c index 054fc30a91..f7ce5acc15 100644 --- a/lib/auth_x509.c +++ b/lib/auth_x509.c @@ -41,44 +41,51 @@ /* Copies data from a internal certificate struct (gnutls_cert) to * exported certificate struct (X509PKI_AUTH_INFO) */ -int _gnutls_copy_x509_auth_info( X509PKI_AUTH_INFO info, gnutls_cert* cert, int ncerts) { - /* Copy peer's information to AUTH_INFO - */ -int ret, i, j; +int _gnutls_copy_x509_auth_info(X509PKI_AUTH_INFO info, gnutls_cert * cert, + int ncerts) +{ + /* Copy peer's information to AUTH_INFO + */ + int ret, i, j; - if (ncerts==0) { + if (ncerts == 0) { info->raw_certificate_list = NULL; info->ncerts = 0; return 0; } - - info->raw_certificate_list = gnutls_calloc( 1, sizeof(gnutls_datum)*ncerts); - if (info->raw_certificate_list==NULL) { + + info->raw_certificate_list = + gnutls_calloc(1, sizeof(gnutls_datum) * ncerts); + if (info->raw_certificate_list == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - for (i=0;i<ncerts;i++) { + for (i = 0; i < ncerts; i++) { if (cert->raw.size > 0) { - ret = gnutls_set_datum( &info->raw_certificate_list[i], cert[i].raw.data, cert[i].raw.size); - if ( ret < 0) { + ret = + gnutls_set_datum(&info-> + raw_certificate_list[i], + cert[i].raw.data, + cert[i].raw.size); + if (ret < 0) { gnutls_assert(); goto clear; } } } info->ncerts = ncerts; - + return 0; - - clear: - - for (j=0;j<i;j++) - gnutls_free_datum( &info->raw_certificate_list[j]); - gnutls_free( info->raw_certificate_list); + clear: + + for (j = 0; j < i; j++) + gnutls_free_datum(&info->raw_certificate_list[j]); + + gnutls_free(info->raw_certificate_list); info->raw_certificate_list = NULL; - + return ret; } @@ -100,34 +107,38 @@ static int _gnutls_get_private_rsa_params(GNUTLS_KEY key, /* Returns the issuer's Distinguished name in odn, of the certificate specified in cert. */ -int _gnutls_find_dn( gnutls_datum* odn, gnutls_cert* cert) { -node_asn* dn; -int len, result; -int start, end; +int _gnutls_find_dn(gnutls_datum * odn, gnutls_cert * cert) +{ + node_asn *dn; + int len, result; + int start, end; - if (asn1_create_structure(_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &dn, "dn") != ASN_OK) { + if (asn1_create_structure + (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &dn, + "dn") != ASN_OK) { gnutls_assert(); return GNUTLS_E_ASN1_ERROR; } - result = asn1_get_der( dn, cert->raw.data, cert->raw.size); + result = asn1_get_der(dn, cert->raw.data, cert->raw.size); if (result != ASN_OK) { /* couldn't decode DER */ gnutls_assert(); - asn1_delete_structure( dn); + asn1_delete_structure(dn); return GNUTLS_E_ASN1_PARSING_ERROR; } - - result = asn1_get_start_end_der( dn, cert->raw.data, cert->raw.size, - "dn.tbsCertificate.issuer", &start, &end); - + + result = asn1_get_start_end_der(dn, cert->raw.data, cert->raw.size, + "dn.tbsCertificate.issuer", &start, + &end); + if (result != ASN_OK) { /* couldn't decode DER */ gnutls_assert(); - asn1_delete_structure( dn); + asn1_delete_structure(dn); return GNUTLS_E_ASN1_PARSING_ERROR; } - asn1_delete_structure( dn); + asn1_delete_structure(dn); len = end - start + 1; @@ -137,27 +148,39 @@ int start, end; return 0; } -/* Gets the Distinguished name in idn, and returns a gnutls_DN structure. - */ -int _gnutls_dn2gnutlsdn( gnutls_DN* rdn, gnutls_datum* idn) { -node_asn* dn; -int result; +/** + * gnutls_x509pki_extract_dn - This function parses an RDN sequence + * @idn: should contain a DER encoded RDN sequence + * @rdn: a pointer to a structure to hold the name + * + * This function will return the name of the given RDN sequence. + * The name will be returned as a gnutls_DN structure. + * Returns a negative error code in case of an error. + * + **/ +int gnutls_x509pki_extract_dn(const gnutls_datum * idn, gnutls_DN * rdn) +{ + node_asn *dn; + int result; - if ((result=asn1_create_structure(_gnutls_get_pkix(), "PKIX1Implicit88.Name", &dn, "dn")) != ASN_OK) { + if ((result = + asn1_create_structure(_gnutls_get_pkix(), + "PKIX1Implicit88.Name", &dn, + "dn")) != ASN_OK) { gnutls_assert(); return GNUTLS_E_ASN1_ERROR; } - result = asn1_get_der( dn, idn->data, idn->size); + result = asn1_get_der(dn, idn->data, idn->size); if (result != ASN_OK) { /* couldn't decode DER */ gnutls_assert(); - asn1_delete_structure( dn); + asn1_delete_structure(dn); return GNUTLS_E_ASN1_PARSING_ERROR; } - result = _gnutls_get_name_type( dn, "dn", rdn); - asn1_delete_structure( dn); + result = _gnutls_get_name_type(dn, "dn", rdn); + asn1_delete_structure(dn); if (result < 0) { /* couldn't decode DER */ @@ -174,111 +197,144 @@ int result; /* Finds the appropriate certificate depending on the cA Distinguished name * advertized by the server. If none matches then returns -1 as index. */ -static int _gnutls_find_acceptable_client_cert( const X509PKI_CREDENTIALS cred, opaque* _data, - int _data_size, int *ind) { -int result, size; -int indx = -1; -int i, j, try=0; -gnutls_datum odn; -opaque* data = _data; -int data_size = _data_size; - - if (cred->client_cert_callback!=NULL) { +static int _gnutls_find_acceptable_client_cert(GNUTLS_STATE state, + opaque * _data, + int _data_size, int *ind) +{ + int result, size; + int indx = -1; + int i, j, try = 0; + gnutls_datum odn; + opaque *data = _data; + int data_size = _data_size; + const X509PKI_CREDENTIALS cred; + + + cred = _gnutls_get_cred(state->gnutls_key, GNUTLS_X509PKI, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFICIENT_CRED; + } + + + if (state->gnutls_internals.client_cert_callback != NULL) { /* if try>=0 then the client wants automatic * choose of certificate, otherwise (-1), he * will be prompted to choose one. */ - try = cred->client_cert_callback( NULL, 0, NULL, 0); - } - - if (try>=0) - do { - - DECR_LEN(data_size, 2); - size = READuint16(data); - DECR_LEN(data_size, size); - data += 2; - - for(i=0;i<cred->ncerts;i++) { - - for (j=0;j<cred->cert_list_length[i];j++) { - if ( (result=_gnutls_find_dn( &odn, &cred->cert_list[i][j])) < 0) { - gnutls_assert(); - return result; - } - - if ( odn.size != size) continue; + try = + state->gnutls_internals.client_cert_callback(NULL, 0, + NULL, 0); + } - if (memcmp( - odn.data, - data, size) == 0 ) { - indx = i; - break; + if (try >= 0) + do { + + DECR_LEN(data_size, 2); + size = READuint16(data); + DECR_LEN(data_size, size); + data += 2; + + for (i = 0; i < cred->ncerts; i++) { + + for (j = 0; j < cred->cert_list_length[i]; + j++) { + if ((result = + _gnutls_find_dn(&odn, + &cred-> + cert_list[i] + [j])) < 0) { + gnutls_assert(); + return result; + } + + if (odn.size != size) + continue; + + if (memcmp(odn.data, + data, size) == 0) { + indx = i; + break; + } } + if (indx != -1) + break; } + if (indx != -1) break; - } - - if (indx != -1) - break; - /* move to next record */ - data_size -= size; - if (data_size <= 0) - break; + /* move to next record */ + data_size -= size; + if (data_size <= 0) + break; - data += size; + data += size; - } while (1); + } while (1); - if (indx==-1 && cred->client_cert_callback!=NULL && cred->ncerts > 0) {/* use a callback to get certificate */ - gnutls_datum *my_certs=NULL; - gnutls_datum *issuers_dn=NULL; + if (indx == -1 && state->gnutls_internals.client_cert_callback != NULL && cred->ncerts > 0) { /* use a callback to get certificate */ + gnutls_datum *my_certs = NULL; + gnutls_datum *issuers_dn = NULL; int count; - - my_certs = gnutls_malloc( cred->ncerts* sizeof(gnutls_datum)); - if (my_certs==NULL) goto clear; - + + my_certs = + gnutls_malloc(cred->ncerts * sizeof(gnutls_datum)); + if (my_certs == NULL) + goto clear; + /* put the requested DNs to req_dn - */ + */ data = _data; data_size = _data_size; - count = 0; /* holds the number of given CA's DN */ + count = 0; /* holds the number of given CA's DN */ do { - data_size-=2; - if (data_size<=0) goto clear; + data_size -= 2; + if (data_size <= 0) + goto clear; size = READuint16(data); - data_size-=size; - if (data_size<0) goto clear; - - + data_size -= size; + if (data_size < 0) + goto clear; + + data += 2; - - issuers_dn = gnutls_realloc_fast( issuers_dn, (count+1)*sizeof(gnutls_datum)); - if (issuers_dn==NULL) goto clear; - + + issuers_dn = + gnutls_realloc_fast(issuers_dn, + (count + + 1) * + sizeof(gnutls_datum)); + if (issuers_dn == NULL) + goto clear; + issuers_dn->data = data; issuers_dn->size = size; - - count++; /* otherwise we have failed */ - - data+=size; - if (data_size==0) break; + count++; /* otherwise we have failed */ - } while(1); + data += size; + + if (data_size == 0) + break; + + } while (1); /* put our certificate's issuer and dn into cdn, idn */ - for(i=0;i<cred->ncerts;i++) { + for (i = 0; i < cred->ncerts; i++) { my_certs[i] = cred->cert_list[i][0].raw; } - indx = cred->client_cert_callback( my_certs, cred->ncerts, issuers_dn, count); + indx = + state->gnutls_internals.client_cert_callback(my_certs, + cred-> + ncerts, + issuers_dn, + count); - clear: - gnutls_free(my_certs); - gnutls_free(issuers_dn); + clear: + gnutls_free(my_certs); + gnutls_free(issuers_dn); } *ind = indx; return 0; @@ -295,7 +351,10 @@ int _gnutls_gen_x509_client_certificate(GNUTLS_STATE state, opaque ** data) int apr_cert_list_length; /* find the appropriate certificate */ - if ((ret=_gnutls_find_apr_cert( state, &apr_cert_list, &apr_cert_list_length, &apr_pkey))<0) { + if ((ret = + _gnutls_find_apr_cert(state, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { gnutls_assert(); return ret; } @@ -306,12 +365,12 @@ int _gnutls_gen_x509_client_certificate(GNUTLS_STATE state, opaque ** data) /* hold size * for uint24 */ } - + /* if no certificates were found then send: * 0B 00 00 03 00 00 00 // Certificate with no certs * instead of: - * 0B 00 00 00 // empty certificate handshake - * + * 0B 00 00 00 // empty certificate handshake + * * ( the above is the whole handshake message, not * the one produced here ) */ @@ -334,8 +393,10 @@ int _gnutls_gen_x509_client_certificate(GNUTLS_STATE state, opaque ** data) /* read the rsa parameters now, since later we will * not know which certificate we used! */ - if (i != 0) /* if we parsed at least one certificate */ - ret = _gnutls_get_private_rsa_params(state->gnutls_key, apr_pkey); + if (i != 0) /* if we parsed at least one certificate */ + ret = + _gnutls_get_private_rsa_params(state->gnutls_key, + apr_pkey); else ret = 0; @@ -354,7 +415,10 @@ int _gnutls_gen_x509_server_certificate(GNUTLS_STATE state, opaque ** data) gnutls_private_key *apr_pkey; int apr_cert_list_length; - if ((ret=_gnutls_find_apr_cert( state, &apr_cert_list, &apr_cert_list_length, &apr_pkey))<0) { + if ((ret = + _gnutls_find_apr_cert(state, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { gnutls_assert(); return ret; } @@ -385,7 +449,9 @@ int _gnutls_gen_x509_server_certificate(GNUTLS_STATE state, opaque ** data) * not know which certificate we used! */ if (i != 0) /* if we parsed at least one certificate */ - ret = _gnutls_get_private_rsa_params(state->gnutls_key, apr_pkey); + ret = + _gnutls_get_private_rsa_params(state->gnutls_key, + apr_pkey); else ret = 0; @@ -398,7 +464,8 @@ int _gnutls_gen_x509_server_certificate(GNUTLS_STATE state, opaque ** data) #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) gnutls_free_cert(peer_certificate_list[x]) -int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int data_size) +int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, + int data_size) { int size, len, ret; opaque *p = data; @@ -415,24 +482,27 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int gnutls_assert(); return GNUTLS_E_INSUFICIENT_CRED; } - - + + if (state->gnutls_key->auth_info == NULL) { - state->gnutls_key->auth_info = gnutls_calloc(1, sizeof(X509PKI_AUTH_INFO_INT)); + state->gnutls_key->auth_info = + gnutls_calloc(1, sizeof(X509PKI_AUTH_INFO_INT)); if (state->gnutls_key->auth_info == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - state->gnutls_key->auth_info_size = sizeof(X509PKI_AUTH_INFO_INT); + state->gnutls_key->auth_info_size = + sizeof(X509PKI_AUTH_INFO_INT); info = state->gnutls_key->auth_info; state->gnutls_key->auth_info_type = GNUTLS_X509PKI; } else - if (gnutls_get_auth_type( state) != state->gnutls_key->auth_info_type) { - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } + if (gnutls_get_auth_type(state) != + state->gnutls_key->auth_info_type) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } info = state->gnutls_key->auth_info; @@ -486,13 +556,15 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int tmp.size = len; tmp.data = p; - if ((ret = _gnutls_cert2gnutlsCert(&peer_certificate_list[j], tmp)) < 0) { + if ((ret = + _gnutls_cert2gnutlsCert(&peer_certificate_list[j], + tmp)) < 0) { gnutls_assert(); CLEAR_CERTS; gnutls_free(peer_certificate_list); return ret; } - + p += len; i -= len + 3; j++; @@ -500,12 +572,14 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int /* move RSA parameters to gnutls_key (state). */ - state->gnutls_key->a = gcry_mpi_copy(peer_certificate_list[0].params[0]); - state->gnutls_key->x = gcry_mpi_copy(peer_certificate_list[0].params[1]); - - if (state->gnutls_key->a==NULL || state->gnutls_key->x==NULL) { - _gnutls_mpi_release( &state->gnutls_key->a); - _gnutls_mpi_release( &state->gnutls_key->x); + state->gnutls_key->a = + gcry_mpi_copy(peer_certificate_list[0].params[0]); + state->gnutls_key->x = + gcry_mpi_copy(peer_certificate_list[0].params[1]); + + if (state->gnutls_key->a == NULL || state->gnutls_key->x == NULL) { + _gnutls_mpi_release(&state->gnutls_key->a); + _gnutls_mpi_release(&state->gnutls_key->x); gnutls_assert(); CLEAR_CERTS; gnutls_free(peer_certificate_list); @@ -513,16 +587,23 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int } /* keep the PK algorithm */ - state->gnutls_internals.peer_pk_algorithm = peer_certificate_list[0].subject_pk_algorithm; + state->gnutls_internals.peer_pk_algorithm = + peer_certificate_list[0].subject_pk_algorithm; - if ( (ret = _gnutls_copy_x509_auth_info(info, peer_certificate_list, peer_certificate_list_size)) < 0) { + if ((ret = + _gnutls_copy_x509_auth_info(info, peer_certificate_list, + peer_certificate_list_size)) < + 0) { gnutls_assert(); CLEAR_CERTS; gnutls_free(peer_certificate_list); return ret; } - if ( (ret=_gnutls_check_x509_key_usage( &peer_certificate_list[0], gnutls_get_current_kx( state))) < 0) { + if ((ret = + _gnutls_check_x509pki_key_usage(&peer_certificate_list[0], + gnutls_get_current_kx(state))) + < 0) { gnutls_assert(); CLEAR_CERTS; gnutls_free(peer_certificate_list); @@ -541,16 +622,18 @@ int _gnutls_proc_x509_server_certificate(GNUTLS_STATE state, opaque * data, int #endif #define RSA_SIGN 1 -int _gnutls_check_supported_sign_algo( uint8 algo) { - switch(algo) { - case RSA_SIGN: - return 0; +int _gnutls_check_supported_sign_algo(uint8 algo) +{ + switch (algo) { + case RSA_SIGN: + return 0; } - + return -1; } -int _gnutls_proc_x509_cert_req(GNUTLS_STATE state, opaque * data, int data_size) +int _gnutls_proc_x509_cert_req(GNUTLS_STATE state, opaque * data, + int data_size) { int size, ret; opaque *p = data; @@ -569,17 +652,19 @@ int _gnutls_proc_x509_cert_req(GNUTLS_STATE state, opaque * data, int data_size) state->gnutls_key->certificate_requested = 1; if (state->gnutls_key->auth_info == NULL) { - state->gnutls_key->auth_info = gnutls_calloc(1, sizeof(X509PKI_AUTH_INFO_INT)); + state->gnutls_key->auth_info = + gnutls_calloc(1, sizeof(X509PKI_AUTH_INFO_INT)); if (state->gnutls_key->auth_info == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - state->gnutls_key->auth_info_size = sizeof(X509PKI_AUTH_INFO_INT); + state->gnutls_key->auth_info_size = + sizeof(X509PKI_AUTH_INFO_INT); info = state->gnutls_key->auth_info; } info = state->gnutls_key->auth_info; - + DECR_LEN(dsize, 1); size = p[0]; p += 1; @@ -589,7 +674,7 @@ int _gnutls_proc_x509_cert_req(GNUTLS_STATE state, opaque * data, int data_size) found = 0; for (i = 0; i < size; i++, p++) { DECR_LEN(dsize, 1); - if ( _gnutls_check_supported_sign_algo(*p)==0) + if (_gnutls_check_supported_sign_algo(*p) == 0) found = 1; } @@ -605,7 +690,9 @@ int _gnutls_proc_x509_cert_req(GNUTLS_STATE state, opaque * data, int data_size) return 0; } - if ( (ret = _gnutls_find_acceptable_client_cert( cred, p, size, &ind)) < 0) { + if ((ret = + _gnutls_find_acceptable_client_cert(state, p, size, + &ind)) < 0) { gnutls_assert(); return ret; } @@ -626,15 +713,22 @@ int _gnutls_gen_x509_client_cert_vrfy(GNUTLS_STATE state, opaque ** data) gnutls_datum signature; *data = NULL; - + /* find the appropriate certificate */ - if ((ret=_gnutls_find_apr_cert( state, &apr_cert_list, &apr_cert_list_length, &apr_pkey))<0) { + if ((ret = + _gnutls_find_apr_cert(state, &apr_cert_list, + &apr_cert_list_length, + &apr_pkey)) < 0) { gnutls_assert(); return ret; } - + if (apr_pkey != NULL) { - if ( (ret=_gnutls_generate_sig_from_hdata( state, &apr_cert_list[0], apr_pkey, &signature)) < 0) { + if ((ret = + _gnutls_generate_sig_from_hdata(state, + &apr_cert_list[0], + apr_pkey, + &signature)) < 0) { gnutls_assert(); return ret; } @@ -643,41 +737,42 @@ int _gnutls_gen_x509_client_cert_vrfy(GNUTLS_STATE state, opaque ** data) return 0; } - *data = gnutls_malloc(signature.size+2); - if (*data==NULL) { - gnutls_free_datum( &signature); + *data = gnutls_malloc(signature.size + 2); + if (*data == NULL) { + gnutls_free_datum(&signature); return GNUTLS_E_MEMORY_ERROR; } size = signature.size; - WRITEuint16( size, *data); + WRITEuint16(size, *data); - memcpy( &(*data)[2], signature.data, size); + memcpy(&(*data)[2], signature.data, size); - gnutls_free_datum( &signature); + gnutls_free_datum(&signature); - return size+2; + return size + 2; } -int _gnutls_proc_x509_client_cert_vrfy(GNUTLS_STATE state, opaque * data, int data_size) +int _gnutls_proc_x509_client_cert_vrfy(GNUTLS_STATE state, opaque * data, + int data_size) { -int size, ret; -int dsize = data_size; -opaque* pdata = data; -gnutls_datum sig; -X509PKI_AUTH_INFO info = state->gnutls_key->auth_info; -gnutls_cert peer_cert; - - if (info == NULL || info->ncerts==0) { + int size, ret; + int dsize = data_size; + opaque *pdata = data; + gnutls_datum sig; + X509PKI_AUTH_INFO info = state->gnutls_key->auth_info; + gnutls_cert peer_cert; + + if (info == NULL || info->ncerts == 0) { gnutls_assert(); /* we need this in order to get peer's certificate */ return GNUTLS_E_UNKNOWN_ERROR; } DECR_LEN(dsize, 2); - size = READuint16( pdata); + size = READuint16(pdata); pdata += 2; - if ( size < data_size - 2) { + if (size < data_size - 2) { gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; } @@ -686,18 +781,21 @@ gnutls_cert peer_cert; sig.size = size; if ((ret = - _gnutls_cert2gnutlsCert( &peer_cert, + _gnutls_cert2gnutlsCert(&peer_cert, info->raw_certificate_list[0])) < 0) { gnutls_assert(); return ret; } - if ( (ret=_gnutls_verify_sig_hdata( state, &peer_cert, &sig, data_size+HANDSHAKE_HEADER_SIZE))<0) { + if ((ret = + _gnutls_verify_sig_hdata(state, &peer_cert, &sig, + data_size + HANDSHAKE_HEADER_SIZE)) < + 0) { gnutls_assert(); - gnutls_free_cert( peer_cert); + gnutls_free_cert(peer_cert); return ret; } - gnutls_free_cert( peer_cert); + gnutls_free_cert(peer_cert); return 0; } @@ -719,13 +817,13 @@ int _gnutls_gen_x509_server_cert_req(GNUTLS_STATE state, opaque ** data) gnutls_assert(); return GNUTLS_E_INSUFICIENT_CRED; } - - size = CERTTYPE_SIZE + 2; /* 2 for CertType + 2 for size of rdn_seq - */ + + size = CERTTYPE_SIZE + 2; /* 2 for CertType + 2 for size of rdn_seq + */ size += cred->rdn_sequence.size; - (*data) = gnutls_malloc( size); + (*data) = gnutls_malloc(size); pdata = (*data); if (pdata == NULL) { @@ -737,10 +835,10 @@ int _gnutls_gen_x509_server_cert_req(GNUTLS_STATE state, opaque ** data) #ifdef DEBUG # warning CHECK HERE FOR DSS #endif - pdata[1] = RSA_SIGN; /* only this for now */ + pdata[1] = RSA_SIGN; /* only this for now */ pdata += CERTTYPE_SIZE; - WRITEdatum16( pdata, cred->rdn_sequence); + WRITEdatum16(pdata, cred->rdn_sequence); pdata += cred->rdn_sequence.size + 2; return size; @@ -750,51 +848,65 @@ int _gnutls_gen_x509_server_cert_req(GNUTLS_STATE state, opaque ** data) /* This function will return the appropriate certificate to use. The return * value depends on the side (client or server). */ -int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int *apr_cert_list_length, gnutls_private_key** apr_pkey) +int _gnutls_find_apr_cert(GNUTLS_STATE state, gnutls_cert ** apr_cert_list, + int *apr_cert_list_length, + gnutls_private_key ** apr_pkey) { const X509PKI_CREDENTIALS cred; int ind; cred = _gnutls_get_kx_cred(state->gnutls_key, GNUTLS_X509PKI, NULL); - - if (cred==NULL) { + + if (cred == NULL) { gnutls_assert(); *apr_cert_list = NULL; - *apr_pkey= NULL; + *apr_pkey = NULL; *apr_cert_list_length = 0; return GNUTLS_E_INSUFICIENT_CRED; } - + if (state->security_parameters.entity == GNUTLS_SERVER) { - + if (cred->ncerts == 0) { *apr_cert_list = NULL; *apr_cert_list_length = 0; *apr_pkey = NULL; + gnutls_assert(); /* this is not allowed */ + return GNUTLS_E_INSUFICIENT_CRED; } else { - + ind = - _gnutls_find_cert_list_index(state, cred->cert_list, - cred->ncerts); + _gnutls_server_find_cert_list_index(state, + cred-> + cert_list, + cred-> + ncerts); if (ind < 0) { *apr_cert_list = NULL; *apr_cert_list_length = 0; *apr_pkey = NULL; + gnutls_assert(); + return GNUTLS_E_INSUFICIENT_CRED; } else { *apr_cert_list = cred->cert_list[ind]; - *apr_cert_list_length = cred->cert_list_length[ind]; + *apr_cert_list_length = + cred->cert_list_length[ind]; *apr_pkey = &cred->pkey[ind]; } } - } else { /* CLIENT SIDE */ + } else { /* CLIENT SIDE */ if (cred->ncerts == 0) { *apr_cert_list = NULL; *apr_cert_list_length = 0; *apr_pkey = NULL; + /* it is allowed not to have a certificate + */ } else { - ind = state->gnutls_internals.client_certificate_index; + ind = + state->gnutls_internals. + client_certificate_index; if (ind < 0) { *apr_cert_list = NULL; @@ -802,13 +914,14 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int *apr_pkey = NULL; } else { *apr_cert_list = cred->cert_list[ind]; - *apr_cert_list_length = cred->cert_list_length[ind]; + *apr_cert_list_length = + cred->cert_list_length[ind]; *apr_pkey = &cred->pkey[ind]; } } - + } - + return 0; } @@ -818,22 +931,23 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int } /** - * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name + * gnutls_x509pki_extract_certificate_dn - This function returns the certificate's distinguished name * @cert: should contain an X.509 DER encoded certificate * @ret: a pointer to a structure to hold the peer's name * - * This function will return the name of the peer. The name is gnutls_DN structure and + * This function will return the name of the certificate holder. The name is gnutls_DN structure and * is a obtained by the peer's certificate. If the certificate send by the * peer is invalid, or in any other failure this function returns error. * Returns a negative error code in case of an error. * **/ -int gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret) +int gnutls_x509pki_extract_certificate_dn(const gnutls_datum * cert, + gnutls_DN * ret) { node_asn *c2; int result; - memset( ret, 0, sizeof(gnutls_DN)); + memset(ret, 0, sizeof(gnutls_DN)); if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, @@ -869,7 +983,7 @@ int gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret) } /** - * gnutls_x509pki_extract_issuer_dn - This function returns the certificate's issuer distinguished name + * gnutls_x509pki_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name * @cert: should contain an X.509 DER encoded certificate * @ret: a pointer to a structure to hold the issuer's name * @@ -879,12 +993,13 @@ int gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret) * Returns a negative error code in case of an error. * **/ -int gnutls_x509pki_extract_issuer_dn(const gnutls_datum* cert, gnutls_DN * ret) +int gnutls_x509pki_extract_certificate_issuer_dn(const gnutls_datum * cert, + gnutls_DN * ret) { node_asn *c2; int result; - memset( ret, 0, sizeof(gnutls_DN)); + memset(ret, 0, sizeof(gnutls_DN)); if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, @@ -936,7 +1051,8 @@ int gnutls_x509pki_extract_issuer_dn(const gnutls_datum* cert, gnutls_DN * ret) * If the certificate does not have a DNS name then returns GNUTLS_E_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum* cert, char* ret, int *ret_size) +int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum * cert, + char *ret, int *ret_size) { int result; gnutls_datum dnsname; @@ -944,21 +1060,21 @@ int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum* cert, char* ret, memset(ret, 0, *ret_size); if ((result = - _gnutls_get_extension( cert, "2 5 29 17", &dnsname)) < 0) { + _gnutls_get_extension(cert, "2 5 29 17", &dnsname)) < 0) { return result; } - if (dnsname.size==0) { + if (dnsname.size == 0) { return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } - - if ( *ret_size > dnsname.size) { + + if (*ret_size > dnsname.size) { *ret_size = dnsname.size; - strcpy( ret, dnsname.data); - gnutls_free_datum( &dnsname); + strcpy(ret, dnsname.data); + gnutls_free_datum(&dnsname); } else { *ret_size = dnsname.size; - gnutls_free_datum( &dnsname); + gnutls_free_datum(&dnsname); return GNUTLS_E_MEMORY_ERROR; } @@ -974,7 +1090,9 @@ int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum* cert, char* ret, * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_extract_certificate_activation_time(const gnutls_datum * cert) +time_t gnutls_x509pki_extract_certificate_activation_time(const + gnutls_datum * + cert) { node_asn *c2; int result; @@ -1002,7 +1120,7 @@ time_t gnutls_x509pki_extract_certificate_activation_time(const gnutls_datum * c asn1_delete_structure(c2); - return ret; + return ret; } /** @@ -1014,7 +1132,9 @@ time_t gnutls_x509pki_extract_certificate_activation_time(const gnutls_datum * c * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum* cert) +time_t gnutls_x509pki_extract_certificate_expiration_time(const + gnutls_datum * + cert) { node_asn *c2; int result; @@ -1042,7 +1162,7 @@ time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum* c asn1_delete_structure(c2); - return ret; + return ret; } /** @@ -1053,7 +1173,7 @@ time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum* c * Version field. Returns a negative value in case of an error. * **/ -int gnutls_x509pki_extract_certificate_version( const gnutls_datum* cert) +int gnutls_x509pki_extract_certificate_version(const gnutls_datum * cert) { node_asn *c2; int result; @@ -1099,7 +1219,7 @@ int gnutls_x509pki_get_peer_certificate_status(GNUTLS_STATE state) X509PKI_AUTH_INFO info; const X509PKI_CREDENTIALS cred; CertificateStatus verify; - gnutls_cert* peer_certificate_list; + gnutls_cert *peer_certificate_list; int peer_certificate_list_size, i, x, ret; CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); @@ -1114,34 +1234,44 @@ int gnutls_x509pki_get_peer_certificate_status(GNUTLS_STATE state) return GNUTLS_E_INSUFICIENT_CRED; } - if (info->raw_certificate_list==NULL || info->ncerts==0) + if (info->raw_certificate_list == NULL || info->ncerts == 0) return GNUTLS_CERT_NONE; /* generate a list of gnutls_certs based on the auth info * raw certs. */ peer_certificate_list_size = info->ncerts; - peer_certificate_list = gnutls_calloc( 1, peer_certificate_list_size*sizeof(gnutls_cert)); - if (peer_certificate_list==NULL) { + peer_certificate_list = + gnutls_calloc(1, + peer_certificate_list_size * + sizeof(gnutls_cert)); + if (peer_certificate_list == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - - for (i=0;i<peer_certificate_list_size;i++) { - if ( (ret=_gnutls_cert2gnutlsCert( &peer_certificate_list[i], info->raw_certificate_list[i])) < 0) { + + for (i = 0; i < peer_certificate_list_size; i++) { + if ((ret = + _gnutls_cert2gnutlsCert(&peer_certificate_list[i], + info-> + raw_certificate_list[i])) < + 0) { gnutls_assert(); CLEAR_CERTS; - gnutls_free( peer_certificate_list); + gnutls_free(peer_certificate_list); return ret; } } - + /* Verify certificate */ - verify = gnutls_verify_certificate( peer_certificate_list, peer_certificate_list_size, cred->ca_list, cred->ncas, NULL, 0); + verify = + gnutls_verify_certificate(peer_certificate_list, + peer_certificate_list_size, + cred->ca_list, cred->ncas, NULL, 0); CLEAR_CERTS; - gnutls_free( peer_certificate_list); + gnutls_free(peer_certificate_list); if (verify < 0) { gnutls_assert(); diff --git a/lib/auth_x509.h b/lib/auth_x509.h index 3083f2e7b0..3d85d4f34a 100644 --- a/lib/auth_x509.h +++ b/lib/auth_x509.h @@ -27,17 +27,12 @@ typedef struct { int ncas; /* number of CAs in the ca_list */ - /* this is a callback function to call if no appropriate - * client certificates were found. - */ - x509_cert_callback_func* client_cert_callback; - int dh_bits; - /* holds a sequence of the - * RDNs of the CAs above. - * This is better than - * generating it every time. - */ - gnutls_datum rdn_sequence; + /* holds a sequence of the + * RDNs of the CAs above. + * This is better than + * generating it every time. + */ + gnutls_datum rdn_sequence; } X509PKI_CREDENTIALS_INT; /* typedef X509PKI_CREDENTIALS_INT * X509PKI_CREDENTIALS; */ diff --git a/lib/gnutls.h.in b/lib/gnutls.h.in index f93d0f8045..5a666f5f47 100644 --- a/lib/gnutls.h.in +++ b/lib/gnutls.h.in @@ -185,36 +185,36 @@ typedef struct DSTRUCT* SRP_CLIENT_CREDENTIALS; typedef struct DSTRUCT* ANON_SERVER_CREDENTIALS; typedef struct DSTRUCT* ANON_CLIENT_CREDENTIALS; -void gnutls_free_srp_client_sc( SRP_CLIENT_CREDENTIALS sc); -int gnutls_allocate_srp_client_sc( SRP_CLIENT_CREDENTIALS *sc); -int gnutls_set_srp_client_cred( SRP_CLIENT_CREDENTIALS res, char *username, char* password); +void gnutls_srp_free_client_sc( SRP_CLIENT_CREDENTIALS sc); +int gnutls_srp_allocate_client_sc( SRP_CLIENT_CREDENTIALS *sc); +int gnutls_srp_set_client_cred( SRP_CLIENT_CREDENTIALS res, char *username, char* password); -void gnutls_free_srp_server_sc( SRP_SERVER_CREDENTIALS sc); -int gnutls_allocate_srp_server_sc( SRP_SERVER_CREDENTIALS *sc); -int gnutls_set_srp_server_cred( SRP_SERVER_CREDENTIALS res, char *password_file, char* password_conf_file); +void gnutls_srp_free_server_sc( SRP_SERVER_CREDENTIALS sc); +int gnutls_srp_allocate_server_sc( SRP_SERVER_CREDENTIALS *sc); +int gnutls_srp_set_server_cred( SRP_SERVER_CREDENTIALS res, char *password_file, char* password_conf_file); -void gnutls_free_anon_server_sc( ANON_SERVER_CREDENTIALS sc); -int gnutls_allocate_anon_server_sc( ANON_SERVER_CREDENTIALS *sc); -int gnutls_set_anon_server_cred( ANON_SERVER_CREDENTIALS res, int dh_bits); +void gnutls_anon_free_server_sc( ANON_SERVER_CREDENTIALS sc); +int gnutls_anon_allocate_server_sc( ANON_SERVER_CREDENTIALS *sc); +int gnutls_anon_set_server_cred( ANON_SERVER_CREDENTIALS res, int dh_bits); /* CERTFILE is an x509 certificate in PEM form. * KEYFILE is a pkcs-1 private key in PEM form (for RSA keys). */ -void gnutls_free_x509_sc( X509PKI_CREDENTIALS sc); -int gnutls_allocate_x509_sc( X509PKI_CREDENTIALS *sc, int ncerts); -int gnutls_set_x509_key( X509PKI_CREDENTIALS res, char *CERTFILE, char* KEYFILE); -int gnutls_set_x509_trust( X509PKI_CREDENTIALS res, char* CAFILE, char* CRLFILE); - -#define gnutls_free_x509_server_sc gnutls_free_x509_sc -#define gnutls_allocate_x509_server_sc gnutls_allocate_x509_sc -#define gnutls_set_x509_server_key gnutls_set_x509_key -#define gnutls_set_x509_server_trust gnutls_set_x509_trust - -#define gnutls_free_x509_client_sc gnutls_free_x509_sc -#define gnutls_allocate_x509_client_sc gnutls_allocate_x509_sc -#define gnutls_set_x509_client_key gnutls_set_x509_key -#define gnutls_set_x509_client_trust gnutls_set_x509_trust +void gnutls_x509pki_free_sc( X509PKI_CREDENTIALS sc); +int gnutls_x509pki_allocate_sc( X509PKI_CREDENTIALS *sc, int ncerts); +int gnutls_x509pki_set_key( X509PKI_CREDENTIALS res, char *CERTFILE, char* KEYFILE); +int gnutls_x509pki_set_trust( X509PKI_CREDENTIALS res, char* CAFILE, char* CRLFILE); + +#define gnutls_x509pki_free_server_sc gnutls_x509pki_free_sc +#define gnutls_x509pki_allocate_server_sc gnutls_x509pki_allocate_sc +#define gnutls_x509pki_set_server_key gnutls_x509pki_set_key +#define gnutls_x509pki_set_server_trust gnutls_x509pki_set_trust + +#define gnutls_x509pki_free_client_sc gnutls_x509pki_free_sc +#define gnutls_x509pki_allocate_client_sc gnutls_x509pki_allocate_sc +#define gnutls_x509pki_set_client_key gnutls_x509pki_set_key +#define gnutls_x509pki_set_client_trust gnutls_x509pki_set_trust /* global state functions diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c index ebc42f2436..393fd2ccfa 100644 --- a/lib/gnutls_anon_cred.c +++ b/lib/gnutls_anon_cred.c @@ -34,7 +34,7 @@ * this helper function is provided in order to free (deallocate) * the structure. **/ -void gnutls_free_anon_server_sc( ANON_SERVER_CREDENTIALS sc) { +void gnutls_anon_free_server_sc( ANON_SERVER_CREDENTIALS sc) { gnutls_free(sc); } @@ -46,7 +46,7 @@ void gnutls_free_anon_server_sc( ANON_SERVER_CREDENTIALS sc) { * this helper function is provided in order to allocate * the structure. **/ -int gnutls_allocate_anon_server_sc( ANON_SERVER_CREDENTIALS *sc) { +int gnutls_anon_allocate_server_sc( ANON_SERVER_CREDENTIALS *sc) { *sc = gnutls_malloc(sizeof( ANON_SERVER_CREDENTIALS)); if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; @@ -54,7 +54,7 @@ int gnutls_allocate_anon_server_sc( ANON_SERVER_CREDENTIALS *sc) { } /** - * gnutls_set_anon_server_cred - Used to set the number of bits to use in DH, in a ANON_SERVER_CREDENTIALS structure + * gnutls_anon_set_server_cred - Used to set the number of bits to use in DH, in a ANON_SERVER_CREDENTIALS structure * @res: is an &ANON_SERVER_CREDENTIALS structure. * @dh_bits: is the number of bits in DH key exchange * @@ -63,7 +63,7 @@ int gnutls_allocate_anon_server_sc( ANON_SERVER_CREDENTIALS *sc) { * **/ -int gnutls_set_anon_server_cred( ANON_SERVER_CREDENTIALS res, int dh_bits) { +int gnutls_anon_set_server_cred( ANON_SERVER_CREDENTIALS res, int dh_bits) { res->dh_bits = dh_bits; return 0; } diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index c91b5a6b15..1df1ce3ba4 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -33,6 +33,7 @@ #include <x509_extensions.h> #include <gnutls_algorithms.h> #include <gnutls_dh.h> +#include <gnutls_auth_int.h> #ifdef DEBUG # warning MAX ALGORITHM PARAMS == 2, ok for RSA @@ -96,14 +97,14 @@ void gnutls_free_cert(gnutls_cert cert) } /** - * gnutls_free_x509_sc - Used to free an allocated x509 SERVER CREDENTIALS structure + * gnutls_x509pki_free_sc - Used to free an allocated x509 SERVER CREDENTIALS structure * @sc: is an &X509PKI_CREDENTIALS structure. * * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) * the structure. **/ -void gnutls_free_x509_sc(X509PKI_CREDENTIALS sc) +void gnutls_x509pki_free_sc(X509PKI_CREDENTIALS sc) { int i, j; @@ -205,9 +206,9 @@ static int read_cert_file(X509PKI_CREDENTIALS res, char *certfile) res->cert_list_length[res->ncerts] = i - 1; - /* WE DO NOT CATCH OVERRUNS in gnutls_set_x509_key(). + /* WE DO NOT CATCH OVERRUNS in gnutls_x509pki_set_key(). * This function should be called as many times as specified - * in allocate_x509_sc(). + * in x509pki_allocate_sc(). */ res->ncerts++; @@ -331,7 +332,7 @@ static int read_key_file(X509PKI_CREDENTIALS res, char *keyfile) /** - * gnutls_allocate_x509_sc - Used to allocate an x509 SERVER CREDENTIALS structure + * gnutls_x509pki_allocate_sc - Used to allocate an x509 SERVER CREDENTIALS structure * @res: is a pointer to an &X509PKI_CREDENTIALS structure. * @ncerts: this is the number of certificate/private key pair you're going to use. * This should be 1 in common sites. @@ -340,7 +341,7 @@ static int read_key_file(X509PKI_CREDENTIALS res, char *keyfile) * this helper function is provided in order to allocate * the structure. **/ -int gnutls_allocate_x509_sc(X509PKI_CREDENTIALS * res, int ncerts) +int gnutls_x509pki_allocate_sc(X509PKI_CREDENTIALS * res, int ncerts) { *res = gnutls_calloc(1, sizeof(X509PKI_CREDENTIALS_INT)); @@ -348,8 +349,6 @@ int gnutls_allocate_x509_sc(X509PKI_CREDENTIALS * res, int ncerts) return GNUTLS_E_MEMORY_ERROR; - (*res)->dh_bits = DEFAULT_BITS; - (*res)->ncerts = 0; /* this is right - set_key() increments it */ if (ncerts > 0) { @@ -384,7 +383,7 @@ int gnutls_allocate_x509_sc(X509PKI_CREDENTIALS * res, int ncerts) } /** - * gnutls_set_x509_key - Used to set keys in a X509PKI_CREDENTIALS structure + * gnutls_x509pki_set_key - Used to set keys in a X509PKI_CREDENTIALS structure * @res: is an &X509PKI_CREDENTIALS structure. * @CERTFILE: is a PEM encoded file containing the certificate list (path) for * the specified private key @@ -399,8 +398,8 @@ int gnutls_allocate_x509_sc(X509PKI_CREDENTIALS * res, int ncerts) * this function. * **/ -int gnutls_set_x509_key(X509PKI_CREDENTIALS res, char *CERTFILE, - char *KEYFILE) +int gnutls_x509pki_set_key(X509PKI_CREDENTIALS res, char *CERTFILE, + char *KEYFILE) { int ret; @@ -416,7 +415,7 @@ int gnutls_set_x509_key(X509PKI_CREDENTIALS res, char *CERTFILE, } /** - * gnutls_set_x509_trust - Used to set trusted CAs in a X509PKI_CREDENTIALS structure + * gnutls_x509pki_set_trust - Used to set trusted CAs in a X509PKI_CREDENTIALS structure * @res: is an &X509PKI_CREDENTIALS structure. * @CAFILE: is a PEM encoded file containing trusted CAs * @CRLFILE: is a PEM encoded file containing CRLs (ignored for now) @@ -424,8 +423,8 @@ int gnutls_set_x509_key(X509PKI_CREDENTIALS res, char *CERTFILE, * This function sets the trusted CAs in order to verify client * certificates. **/ -int gnutls_set_x509_trust(X509PKI_CREDENTIALS res, char *CAFILE, - char *CRLFILE) +int gnutls_x509pki_set_trust(X509PKI_CREDENTIALS res, char *CAFILE, + char *CRLFILE) { int ret, size, i; opaque *pdata; @@ -438,7 +437,7 @@ int gnutls_set_x509_trust(X509PKI_CREDENTIALS res, char *CAFILE, * This will be sent to clients when a certificate * request message is sent. */ - + /* FIXME: in case of a client it is not needed * to do that. This would save time and memory. * However we don't have that information available @@ -447,16 +446,14 @@ int gnutls_set_x509_trust(X509PKI_CREDENTIALS res, char *CAFILE, size = 0; for (i = 0; i < res->ncas; i++) { - if ((ret = - _gnutls_find_dn(&tmp, - &res->ca_list[i])) < 0) { + if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) { gnutls_assert(); return ret; } size += (2 + tmp.size); } - res->rdn_sequence.data = gnutls_malloc( size); + res->rdn_sequence.data = gnutls_malloc(size); if (res->rdn_sequence.data == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -466,16 +463,14 @@ int gnutls_set_x509_trust(X509PKI_CREDENTIALS res, char *CAFILE, pdata = res->rdn_sequence.data; for (i = 0; i < res->ncas; i++) { - if ((ret = - _gnutls_find_dn(&tmp, - &res->ca_list[i])) < 0) { + if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) { gnutls_free(res->rdn_sequence.data); res->rdn_sequence.size = 0; res->rdn_sequence.data = NULL; gnutls_assert(); return ret; } - WRITEdatum16( pdata, tmp); + WRITEdatum16(pdata, tmp); pdata += (2 + tmp.size); } @@ -483,18 +478,17 @@ int gnutls_set_x509_trust(X509PKI_CREDENTIALS res, char *CAFILE, } /** - * gnutls_set_x509_dh_bits - Used to set the bits for a DHE_* ciphersuite - * @res: is an &X509PKI_CREDENTIALS structure. + * gnutls_x509pki_set_dh_bits - Used to set the bits for a DHE_* ciphersuite + * @state: is a &GNUTLS_STATE structure. * @bits: is the number of bits * * This function sets the number of bits, for use in a Diffie Hellman key exchange. - * This will only occur in a DHE ciphersuite. + * This value will only be used in case of DHE ciphersuite. * **/ -int gnutls_set_x509_dh_bits(X509PKI_CREDENTIALS res, int bits) +void gnutls_x509pki_set_dh_bits(GNUTLS_STATE state, int bits) { - res->dh_bits = bits; - return 0; + state->gnutls_internals.x509pki_dhe_bits = bits; } @@ -831,8 +825,8 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) opaque str[MAX_X509_CERT_SIZE]; int len = sizeof(str); - memset( gCert, 0, sizeof(gnutls_cert)); - + memset(gCert, 0, sizeof(gnutls_cert)); + gCert->valid = 1; if (asn1_create_structure @@ -913,7 +907,7 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) gCert->subject_pk_algorithm = GNUTLS_PK_UNKNOWN; } - + len = sizeof(gCert->signature); result = asn1_read_value @@ -961,7 +955,8 @@ int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert) /* Returns 0 if it's ok to use the KXAlgorithm with this cert * (using KeyUsage field). */ -int _gnutls_check_x509_key_usage(const gnutls_cert * cert, KXAlgorithm alg) +int _gnutls_check_x509pki_key_usage(const gnutls_cert * cert, + KXAlgorithm alg) { if (_gnutls_map_kx_get_cred(alg) == GNUTLS_X509PKI) { switch (alg) { @@ -1013,7 +1008,7 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg, for (kx = 0; kx < 255; kx++) { pk = _gnutls_map_pk_get_pk(kx); if (pk == cert->subject_pk_algorithm) { - if (_gnutls_check_x509_key_usage(cert, kx) == 0) { + if (_gnutls_check_x509pki_key_usage(cert, kx) == 0) { kxlist[i] = kx; i++; } @@ -1035,31 +1030,65 @@ int _gnutls_cert_supported_kx(const gnutls_cert * cert, KXAlgorithm ** alg, * The 'appropriate' is defined by the user. * FIXME: provide user callback. */ -const gnutls_cert *_gnutls_find_cert( GNUTLS_STATE state, gnutls_cert ** cert_list, - int cert_list_length) +const gnutls_cert *_gnutls_server_find_cert(GNUTLS_STATE state, + gnutls_cert ** cert_list, + int cert_list_length) { int i; - i = _gnutls_find_cert_list_index( state, cert_list, cert_list_length); - if (i<0) return NULL; - + i = _gnutls_server_find_cert_list_index(state, cert_list, + cert_list_length); + if (i < 0) + return NULL; + return &cert_list[i][0]; } /* finds the most appropriate certificate in the cert list. * The 'appropriate' is defined by the user. - * FIXME: provide user callback. */ -int _gnutls_find_cert_list_index( GNUTLS_STATE state, gnutls_cert ** cert_list, - int cert_list_length) +int _gnutls_server_find_cert_list_index(GNUTLS_STATE state, + gnutls_cert ** cert_list, + int cert_list_length) { - int index = 0; + int i, index = -1; + const X509PKI_CREDENTIALS cred; + + cred = _gnutls_get_cred(state->gnutls_key, GNUTLS_X509PKI, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFICIENT_CRED; + } + + if (cred->ncerts > 0) + index = 0; /* default is use the first certificate */ + + if (state->gnutls_internals.client_cert_callback != NULL && cred->ncerts > 0) { /* use the callback to get certificate */ + gnutls_datum *my_certs = NULL; + + my_certs = + gnutls_malloc(cred->ncerts * sizeof(gnutls_datum)); + if (my_certs == NULL) + goto clear; + + /* put our certificate's issuer and dn into cdn, idn + */ + for (i = 0; i < cred->ncerts; i++) { + my_certs[i] = cred->cert_list[i][0].raw; + } + index = + state->gnutls_internals.server_cert_callback(my_certs, + cred->ncerts); + + clear: + gnutls_free(my_certs); + } return index; } /** - * gnutls_x509pki_set_cert_request - Used to set whether to request a client certificate + * gnutls_x509pki_server_set_cert_request - Used to set whether to request a client certificate * @state: is an &GNUTLS_STATE structure. * @req: is one of GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE * @@ -1070,16 +1099,15 @@ int _gnutls_find_cert_list_index( GNUTLS_STATE state, gnutls_cert ** cert_list, * call this function then the client will not be asked to * send a certificate. **/ -int gnutls_x509pki_set_cert_request(GNUTLS_STATE state, - CertificateRequest req) +void gnutls_x509pki_server_set_cert_request(GNUTLS_STATE state, + CertificateRequest req) { state->gnutls_internals.send_cert_req = req; - return 0; } /** - * gnutls_set_x509_cert_callback - Used to set a callback while selecting the proper (client) certificate - * @cred: is an &X509PKI_CLIENT_CREDENTIALS structure. + * gnutls_x509pki_set_client_cert_callback - Used to set a callback while selecting the proper (client) certificate + * @state: is a &GNUTLS_STATE structure. * @func: is the callback function * * The callback's function form is: @@ -1091,7 +1119,7 @@ int gnutls_x509pki_set_cert_request(GNUTLS_STATE state, * 'req_ca_cert' contains a list with the CA names that the server * considers trusted. Normaly we should send a certificate that is signed * by one of these CAs. These names are DER encoded. To get a more - * meaningful value use the function _gnutls_dn2gnutlsdn(). + * meaningful value use the function gnutls_x509pki_extract_dn(). * * This function specifies what we (in case of a client) are going * to do when we have to send a certificate. If this callback @@ -1116,9 +1144,40 @@ int gnutls_x509pki_set_cert_request(GNUTLS_STATE state, * * This function returns 0 on success. **/ -int gnutls_set_x509_cert_callback(X509PKI_CREDENTIALS cred, - x509_cert_callback_func * func) +void gnutls_x509pki_set_client_cert_callback(GNUTLS_STATE state, + x509pki_client_cert_callback_func + * func) { - cred->client_cert_callback = func; - return 0; + state->gnutls_internals.client_cert_callback = func; +} + +/** + * gnutls_x509pki_set_server_cert_callback - Used to set a callback while selecting the proper (server) certificate + * @state: is a &GNUTLS_STATE structure. + * @func: is the callback function + * + * The callback's function form is: + * int (*callback)(gnutls_datum *server_cert, int ncerts); + * + * 'server_cert' contains 'ncerts' gnutls_datum structures which hold + * the DER encoded X.509 certificates of the server. + * + * This function specifies what we (in case of a server) are going + * to do when we have to send a certificate. If this callback + * function is not provided then gnutls will automaticaly try to + * find an appropriate certificate to send. (actually send the first in the list) + * + * In case the callback returned a negative number then gnutls will + * not attempt to choose the appropriate certificate and the caller function + * will fail. + * + * The callback function should return the index of the certificate + * choosen by the server (or -1 in case of an error) + * + **/ +void gnutls_x509pki_set_server_cert_callback(GNUTLS_STATE state, + x509pki_server_cert_callback_func + * func) +{ + state->gnutls_internals.server_cert_callback = func; } diff --git a/lib/gnutls_cert.h b/lib/gnutls_cert.h index 587530347e..d15217122c 100644 --- a/lib/gnutls_cert.h +++ b/lib/gnutls_cert.h @@ -49,14 +49,14 @@ struct GNUTLS_STATE_INT; /* because GNUTLS_STATE is not defined when this file i int _gnutls_cert_supported_kx( const gnutls_cert* cert, KXAlgorithm **alg, int *alg_size); PKAlgorithm _gnutls_map_pk_get_pk(KXAlgorithm kx_algorithm); int _gnutls_cert2gnutlsCert(gnutls_cert * gCert, gnutls_datum derCert); -const gnutls_cert* _gnutls_find_cert( struct GNUTLS_STATE_INT*, gnutls_cert** cert_list, int cert_list_length); -int _gnutls_find_cert_list_index( struct GNUTLS_STATE_INT*, gnutls_cert ** cert_list, int cert_list_length); +const gnutls_cert* _gnutls_server_find_cert( struct GNUTLS_STATE_INT*, gnutls_cert** cert_list, int cert_list_length); +int _gnutls_server_find_cert_list_index( struct GNUTLS_STATE_INT*, gnutls_cert ** cert_list, int cert_list_length); #define MAX_INT_DIGITS 4 void _gnutls_int2str(int k, char* data); int _gnutls_get_name_type( node_asn *rasn, char *root, gnutls_DN * dn); void gnutls_free_cert(gnutls_cert cert); -int _gnutls_check_x509_key_usage( const gnutls_cert * cert, KXAlgorithm alg); +int _gnutls_check_x509pki_key_usage( const gnutls_cert * cert, KXAlgorithm alg); int _gnutls_get_version(node_asn * c2, char *root); time_t _gnutls_get_time(node_asn * c2, char *root, char *when); diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 3557b5dec0..07b6c2fcd4 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -1875,6 +1875,9 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, int alg_size; KXAlgorithm kx; + /* ONLY USED IN CASE OF A SERVER. + */ + if (state->security_parameters.entity == GNUTLS_CLIENT) return 0; @@ -1893,7 +1896,7 @@ int _gnutls_remove_unwanted_ciphersuites(GNUTLS_STATE state, cert = NULL; cert = - _gnutls_find_cert(state, x509_cred->cert_list, + _gnutls_server_find_cert(state, x509_cred->cert_list, x509_cred->ncerts); if (cert == NULL) { diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 35bade7b40..0878fe398e 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -42,6 +42,8 @@ #define GNUTLS_LIST ... +#define MIN_BITS 1023 + #define MAX32 4294967295 #define MAX24 16777215 #define MAX16 65535 @@ -338,7 +340,8 @@ typedef struct { #define CompressionMethod_Priority GNUTLS_Priority #define Protocol_Priority GNUTLS_Priority -typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); +typedef int x509pki_client_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); +typedef int x509pki_server_cert_callback_func(const gnutls_datum *, int); typedef struct { opaque header[HANDSHAKE_HEADER_SIZE]; @@ -451,7 +454,10 @@ typedef struct { /* this is a callback function to call if no appropriate * client certificates were found. */ - x509_cert_callback_func* x509_client_cert_callback; + x509pki_client_cert_callback_func* client_cert_callback; + x509pki_server_cert_callback_func* server_cert_callback; + int x509pki_dhe_bits; + int max_handshake_data_buffer_size; /* PUSH & PULL functions. diff --git a/lib/gnutls_srp.c b/lib/gnutls_srp.c index 4d1c122e49..91ca92d83f 100644 --- a/lib/gnutls_srp.c +++ b/lib/gnutls_srp.c @@ -309,26 +309,26 @@ MPI _gnutls_calc_srp_S2(MPI B, MPI g, MPI x, MPI a, MPI u, MPI n) } /** - * gnutls_free_srp_server_sc - Used to free an allocated SRP_CLIENT_CREDENTIALS structure + * gnutls_srp_free_server_sc - Used to free an allocated SRP_CLIENT_CREDENTIALS structure * @sc: is an &SRP_CLIENT_CREDENTIALS structure. * * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) * the structure. **/ -void gnutls_free_srp_client_sc( SRP_CLIENT_CREDENTIALS sc) { +void gnutls_srp_free_client_sc( SRP_CLIENT_CREDENTIALS sc) { gnutls_free(sc); } /** - * gnutls_allocate_srp_server_sc - Used to allocate an SRP_CLIENT_CREDENTIALS structure + * gnutls_srp_allocate_server_sc - Used to allocate an SRP_CLIENT_CREDENTIALS structure * @sc: is a pointer to an &SRP_CLIENT_CREDENTIALS structure. * * This structure is complex enough to manipulate directly thus * this helper function is provided in order to allocate * the structure. **/ -int gnutls_allocate_srp_client_sc( SRP_CLIENT_CREDENTIALS *sc) { +int gnutls_srp_allocate_client_sc( SRP_CLIENT_CREDENTIALS *sc) { *sc = gnutls_malloc( sizeof(SRP_CLIENT_CREDENTIALS_INT)); if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; @@ -337,13 +337,13 @@ int gnutls_allocate_srp_client_sc( SRP_CLIENT_CREDENTIALS *sc) { } /** - * gnutls_set_srp_client_cred - Used to set the username/password, in a SRP_CLIENT_CREDENTIALS structure + * gnutls_srp_set_client_cred - Used to set the username/password, in a SRP_CLIENT_CREDENTIALS structure * @res: is an &SRP_CLIENT_CREDENTIALS structure. * @username: is the user's userid * @password: is the user's password * **/ -int gnutls_set_srp_client_cred( SRP_CLIENT_CREDENTIALS res, char *username, char * password) { +int gnutls_srp_set_client_cred( SRP_CLIENT_CREDENTIALS res, char *username, char * password) { res->username = gnutls_strdup( username); if (res->username == NULL) return GNUTLS_E_MEMORY_ERROR; @@ -358,19 +358,19 @@ int gnutls_set_srp_client_cred( SRP_CLIENT_CREDENTIALS res, char *username, char } /** - * gnutls_free_srp_server_sc - Used to free an allocated SRP_SERVER_CREDENTIALS structure + * gnutls_srp_free_server_sc - Used to free an allocated SRP_SERVER_CREDENTIALS structure * @sc: is an &SRP_SERVER_CREDENTIALS structure. * * This structure is complex enough to manipulate directly thus * this helper function is provided in order to free (deallocate) * the structure. **/ -void gnutls_free_srp_server_sc( SRP_SERVER_CREDENTIALS sc) { +void gnutls_srp_free_server_sc( SRP_SERVER_CREDENTIALS sc) { gnutls_free(sc); } /** - * gnutls_allocate_srp_server_sc - Used to allocate an SRP_SERVER_CREDENTIALS structure + * gnutls_srp_allocate_server_sc - Used to allocate an SRP_SERVER_CREDENTIALS structure * @sc: is a pointer to an &SRP_SERVER_CREDENTIALS structure. * * This structure is complex enough to manipulate directly thus @@ -378,7 +378,7 @@ void gnutls_free_srp_server_sc( SRP_SERVER_CREDENTIALS sc) { * the structure. **/ -int gnutls_allocate_srp_server_sc( SRP_SERVER_CREDENTIALS *sc) { +int gnutls_srp_allocate_server_sc( SRP_SERVER_CREDENTIALS *sc) { *sc = gnutls_malloc( sizeof(SRP_SERVER_CREDENTIALS_INT)); if (*sc==NULL) return GNUTLS_E_MEMORY_ERROR; @@ -387,13 +387,13 @@ int gnutls_allocate_srp_server_sc( SRP_SERVER_CREDENTIALS *sc) { } /** - * gnutls_set_srp_server_cred - Used to set the password files, in a SRP_SERVER_CREDENTIALS structure + * gnutls_srp_set_server_cred - Used to set the password files, in a SRP_SERVER_CREDENTIALS structure * @res: is an &SRP_SERVER_CREDENTIALS structure. * @password_file: is the SRP password file (tpasswd) * @password_conf_file: is the SRP password conf file (tpasswd.conf) * **/ -int gnutls_set_srp_server_cred( SRP_SERVER_CREDENTIALS res, char *password_file, char * password_conf_file) { +int gnutls_srp_set_server_cred( SRP_SERVER_CREDENTIALS res, char *password_file, char * password_conf_file) { res->password_file = gnutls_strdup( password_file); if (res->password_file==NULL) return GNUTLS_E_MEMORY_ERROR; diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 431833288c..b5df28be89 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -38,7 +38,8 @@ typedef struct { # ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */ -typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); +typedef int x509pki_client_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); +typedef int x509pki_server_cert_callback_func(const gnutls_datum *, int); /* Functions that allow AUTH_INFO structures handling */ @@ -56,12 +57,17 @@ int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state); /* X509PKI */ -int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func *); -int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest); +void gnutls_x509pki_set_client_cert_callback( X509PKI_CREDENTIALS, x509pki_client_cert_callback_func *); + +void gnutls_x509pki_set_server_cert_callback( X509PKI_CREDENTIALS, x509pki_server_cert_callback_func *); +void gnutls_x509pki_server_set_cert_request( GNUTLS_STATE, CertificateRequest); + +void gnutls_x509pki_set_dh_bits( GNUTLS_STATE state, int bits); /* X.509 certificate handling functions */ int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*); -int gnutls_x509pki_extract_issuer_dn( const gnutls_datum*, gnutls_DN *); +int gnutls_x509pki_extract_certificate_dn( const gnutls_datum*, gnutls_DN*); +int gnutls_x509pki_extract_certificate_issuer_dn( const gnutls_datum*, gnutls_DN *); int gnutls_x509pki_extract_certificate_version( const gnutls_datum*); time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*); time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*); @@ -76,23 +82,11 @@ int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); #define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits #define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits -#define gnutls_x509pki_server_extract_dn gnutls_x509pki_extract_dn -#define gnutls_x509pki_server_extract_issuer_dn gnutls_x509pki_extract_issuer_dn #define gnutls_x509pki_server_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status #define gnutls_x509pki_server_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list -#define gnutls_x509pki_server_extract_certificate_version gnutls_x509pki_extract_certificate_version -#define gnutls_x509pki_server_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time -#define gnutls_x509pki_server_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time -#define gnutls_x509pki_server_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name -#define gnutls_x509pki_client_extract_dn gnutls_x509pki_extract_dn -#define gnutls_x509pki_client_extract_issuer_dn gnutls_x509pki_extract_issuer_dn #define gnutls_x509pki_client_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status #define gnutls_x509pki_client_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list -#define gnutls_x509pki_client_extract_certificate_version gnutls_x509pki_extract_certificate_version -#define gnutls_x509pki_client_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time -#define gnutls_x509pki_client_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time -#define gnutls_x509pki_client_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name # endif /* LIBGNUTLS_VERSION */ @@ -94,12 +94,12 @@ int cert_list_size = 0; if (cert_list_size > 0) { printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_client_extract_certificate_version( &cert_list[0])); + printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0])); - gnutls_x509pki_client_extract_dn( &cert_list[0], &dn); + gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn); PRINT_DN( dn); - gnutls_x509pki_client_extract_issuer_dn( &cert_list[0], &dn); + gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn); printf(" - Certificate Issuer's info:\n"); PRINT_DN( dn); } @@ -189,20 +189,20 @@ int main(int argc, char** argv) } /* X509 stuff */ - if (gnutls_allocate_x509_client_sc( &xcred, 1) < 0) { /* space for 1 certificate */ + if (gnutls_x509pki_allocate_client_sc( &xcred, 1) < 0) { /* space for 1 certificate */ fprintf(stderr, "memory error\n"); exit(1); } - gnutls_set_x509_client_trust( xcred, CAFILE, CRLFILE); - gnutls_set_x509_client_key( xcred, CLICERTFILE, CLIKEYFILE); - gnutls_set_x509_cert_callback( xcred, cert_callback); + gnutls_x509pki_set_client_trust( xcred, CAFILE, CRLFILE); + gnutls_x509pki_set_client_key( xcred, CLICERTFILE, CLIKEYFILE); + gnutls_x509pki_set_client_cert_callback( xcred, cert_callback); /* SRP stuff */ - if (gnutls_allocate_srp_client_sc( &cred)<0) { + if (gnutls_srp_allocate_client_sc( &cred)<0) { fprintf(stderr, "memory error\n"); exit(1); } - gnutls_set_srp_client_cred( cred, "test", "test"); + gnutls_srp_set_client_cred( cred, "test", "test"); sd = socket(AF_INET, SOCK_STREAM, 0); ERR(sd, "socket"); @@ -407,10 +407,11 @@ int main(int argc, char** argv) shutdown( sd, SHUT_RDWR); /* no more receptions */ close(sd); - gnutls_free_srp_client_sc( cred); - gnutls_free_x509_client_sc( xcred); gnutls_deinit( state); + gnutls_srp_free_client_sc( cred); + gnutls_x509pki_free_client_sc( xcred); + gnutls_global_deinit(); return 0; diff --git a/src/serv.c b/src/serv.c index 4f068738af..93d07069c6 100644 --- a/src/serv.c +++ b/src/serv.c @@ -95,7 +95,7 @@ GNUTLS_STATE initialize_state() gnutls_set_mac_priority(state, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0); - gnutls_x509pki_set_cert_request( state, GNUTLS_CERT_REQUEST); + gnutls_x509pki_server_set_cert_request( state, GNUTLS_CERT_REQUEST); return state; } @@ -169,13 +169,13 @@ void print_info(GNUTLS_STATE state) if (cert_list_size > 0) { printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_server_extract_certificate_version( &cert_list[0])); + printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0])); - if ( gnutls_x509pki_server_extract_dn( &cert_list[0], &dn) >= 0) { + if ( gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn) >= 0) { PRINT_DN( dn); } - if (gnutls_x509pki_server_extract_dn( &cert_list[0], &dn) >= 0) { + if (gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn) >= 0) { printf(" - Certificate Issuer's info:\n"); PRINT_DN( dn); } @@ -357,17 +357,17 @@ int main(int argc, char **argv) exit(1); } - if (gnutls_allocate_x509_server_sc(&x509_cred, 1) < 0) { + if (gnutls_x509pki_allocate_server_sc(&x509_cred, 1) < 0) { fprintf(stderr, "memory error\n"); exit(1); } - if (gnutls_set_x509_server_trust( x509_cred, CAFILE, CRLFILE) < 0) { + if (gnutls_x509pki_set_server_trust( x509_cred, CAFILE, CRLFILE) < 0) { fprintf(stderr, "X509 PARSE ERROR\nDid you have ca.pem?\n"); exit(1); } - if (gnutls_set_x509_server_key( x509_cred, CERTFILE, KEYFILE) < 0) { + if (gnutls_x509pki_set_server_key( x509_cred, CERTFILE, KEYFILE) < 0) { fprintf(stderr, "X509 PARSE ERROR\nDid you have key.pem and cert.pem?\n"); exit(1); } @@ -375,11 +375,11 @@ int main(int argc, char **argv) /* this is a password file (created with the included srpcrypt utility) * Read README.crypt prior to using SRP. */ - gnutls_allocate_srp_server_sc( &srp_cred); - gnutls_set_srp_server_cred( srp_cred, SRP_PASSWD, SRP_PASSWD_CONF); + gnutls_srp_allocate_server_sc( &srp_cred); + gnutls_srp_set_server_cred( srp_cred, SRP_PASSWD, SRP_PASSWD_CONF); - gnutls_allocate_anon_server_sc( &dh_cred); - gnutls_set_anon_server_cred( dh_cred, 1024); + gnutls_anon_allocate_server_sc( &dh_cred); + gnutls_anon_set_server_cred( dh_cred, 1024); listen_sd = socket(AF_INET, SOCK_STREAM, 0); ERR(listen_sd, "socket"); @@ -504,9 +504,9 @@ int main(int argc, char **argv) } close(listen_sd); - gnutls_free_x509_server_sc(x509_cred); - gnutls_free_srp_server_sc(srp_cred); - gnutls_free_anon_server_sc(dh_cred); + gnutls_x509pki_free_server_sc(x509_cred); + gnutls_srp_free_server_sc(srp_cred); + gnutls_anon_free_server_sc(dh_cred); gnutls_global_deinit(); |