author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-02-24 10:47:54 +0000 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-02-24 10:47:54 +0000 |
commit | 84d92bc431f9224ef9c76a3a773109b98f59338c (patch) | |
tree | a44ca893abf33560877a1f950f22d8bbc8cdcdd3 | |
parent | 76c998dee4af3900b88084204d7d8e87ee80b151 (diff) | |
download | gnutls-84d92bc431f9224ef9c76a3a773109b98f59338c.tar.gz |
removed GNUTLS_CERT_NONE (replaced by GNUTLS_E_NO_CERTIFICATE_FOUND).
removed GNUTLS_CERT_VALID (it's valid if it's not invalid)
-rw-r--r-- | lib/gnutls.h.in.in | 8 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 10 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 1 | ||||
-rw-r--r-- | lib/gnutls_int.h | 9 | ||||
-rw-r--r-- | lib/gnutls_openpgp.c | 22 | ||||
-rw-r--r-- | lib/gnutls_record.c | 2 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 6 | ||||
-rw-r--r-- | lib/x509_sig_check.c | 5 | ||||
-rw-r--r-- | lib/x509_verify.c | 29 |
9 files changed, 44 insertions, 48 deletions
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 483d7dbab6..14e450a16e 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -57,11 +57,11 @@ typedef enum GNUTLS_AlertDescription { GNUTLS_A_CLOSE_NOTIFY, GNUTLS_A_UNEXPECTE
 } GNUTLS_AlertDescription;
 typedef enum GNUTLS_CertificateStatus {
- GNUTLS_CERT_NONE = 0, GNUTLS_CERT_TRUSTED=1,
+ GNUTLS_CERT_TRUSTED=1,
 GNUTLS_CERT_NOT_TRUSTED=2,
- GNUTLS_CERT_VALID=4, GNUTLS_CERT_INVALID=8, /* for openpgp use */
- GNUTLS_CERT_EXPIRED=16, GNUTLS_CERT_CORRUPTED=32,
- GNUTLS_CERT_REVOKED=64
+ GNUTLS_CERT_INVALID=4,
+ GNUTLS_CERT_EXPIRED=8, GNUTLS_CERT_CORRUPTED=16,
+ GNUTLS_CERT_REVOKED=32
 } GNUTLS_CertificateStatus;
 typedef enum GNUTLS_CertificateRequest { GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST=1, GNUTLS_CERT_REQUIRE } GNUTLS_CertificateRequest;
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 1c80811c0b..bd5da3d4c3 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -304,7 +304,7 @@ void gnutls_certificate_server_set_select_func(GNUTLS_STATE state,
 * This function will try to verify the peer's certificate and return it's status (TRUSTED, EXPIRED etc.).
 * The return value (status) should be one of the CertificateStatus enumerated elements.
 * However you must also check the peer's name in order to check if the verified certificate belongs to the
- * actual peer. Returns a negative error code in case of an error, or GNUTLS_CERT_NONE if no certificate was sent.
+ * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
 * -*/
 int _gnutls_openpgp_cert_verify_peers(GNUTLS_STATE state)
@@ -328,7 +328,7 @@ int _gnutls_openpgp_cert_verify_peers(GNUTLS_STATE state)
 if (info->raw_certificate_list == NULL || info->ncerts == 0) {
 gnutls_assert();
- return GNUTLS_CERT_NONE;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 }
 /* generate a list of gnutls_certs based on the auth info
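Review bot: Renumbering the public enumerators (GNUTLS_CERT_INVALID 8 to 4, GNUTLS_CERT_EXPIRED 16 to 8, GNUTLS_CERT_CORRUPTED 32 to 16, GNUTLS_CERT_REVOKED 64 to 32) changes the meaning of every status bit for applications built against the previous header, so a binary that still tests `status & 8` for GNUTLS_CERT_INVALID will now be reacting to GNUTLS_CERT_EXPIRED; if this header is installed as public API the break deserves a mention in the commit message or a NEWS entry. The same enum is duplicated verbatim in the lib/gnutls_int.h hunk and must stay in sync; a comment such as `/* Must be kept identical to CertificateStatus in gnutls_int.h. */` on the typedef would make that dependency visible. With the zero-valued GNUTLS_CERT_NONE removed the type no longer has a named zero, so the header should state what a status of 0 means (no flag raised) and that negative values are GNUTLS_E_* error codes rather than flag bits.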
@@ -367,10 +367,8 @@ int _gnutls_openpgp_cert_verify_peers(GNUTLS_STATE state)
 * The return value (status) should be one or more of the CertificateStatus
 * enumerated elements bitwise or'd.
 *
- * GNUTLS_CERT_NONE: No certificate was sent by the peer.
 * GNUTLS_CERT_TRUSTED: the peer's certificate is trusted.
 * GNUTLS_CERT_NOT_TRUSTED: the peer's certificate is not trusted.
- * GNUTLS_CERT_VALID: the certificate chain is ok.
 * GNUTLS_CERT_INVALID: the certificate chain is broken.
 * GNUTLS_CERT_REVOKED: the certificate has been revoked
 * (not implemented yet).
@@ -378,6 +376,8 @@ int _gnutls_openpgp_cert_verify_peers(GNUTLS_STATE state)
 * GNUTLS_CERT_CORRUPTED: the certificate is corrupted.
 *
 * A negative error code is returned in case of an error.
+ * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that
+ * no certificate was sent by the peer.
 * * **/
@@ -394,7 +394,7 @@ int gnutls_certificate_verify_peers(GNUTLS_STATE state)
 }
 if (info->raw_certificate_list == NULL || info->ncerts == 0)
- return GNUTLS_CERT_NONE;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 switch( gnutls_cert_type_get( state)) {
 case GNUTLS_CRT_X509:
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index a320c5cbe5..138aa4c342 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -272,7 +272,6 @@ int _gnutls_read_client_hello(GNUTLS_STATE state, opaque * data,
 }
 _gnutls_set_current_version(state, ver); - /* Read client random value. */ DECR_LEN(len, TLS_RANDOM_SIZE);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 98a9fc1b3b..a30b8ca51a 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -35,7 +35,6 @@ #define RECORD_DEBUG*/ #define DEBUG - /* It might be a good idea to replace int with void* * here. */
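Review bot: The new sentences in the gnutls_certificate_verify_peers comment say that GNUTLS_E_NO_CERTIFICATE_FOUND is returned when the peer sent nothing, but the comment still does not tell callers that the sign must be tested before the result is used as a bitmask; `status & GNUTLS_CERT_INVALID` evaluated on a negative error code merely inspects the bit pattern of an error number. Suggest adding after the new text: ` * A negative value is never a bitmask: check for it before testing any GNUTLS_CERT_* flag.` The same applies to _gnutls_x509_cert_verify_peers and gnutls_x509_verify_certificate in the lib/gnutls_x509.c hunks, which now return the same error code for an empty list. Because GNUTLS_CERT_VALID is gone, the comment should also state what a result of 0 means; whether the remainder of the function always sets GNUTLS_CERT_TRUSTED or GNUTLS_CERT_NOT_TRUSTED is not visible here.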
@@ -104,11 +103,11 @@ typedef enum crypt_algo { SRPSHA1_CRYPT, BLOWFISH_CRYPT=2 } crypt_algo;
 typedef enum ChangeCipherSpecType { GNUTLS_TYPE_CHANGE_CIPHER_SPEC=1 } ChangeCipherSpecType;
 typedef enum CertificateStatus {
- GNUTLS_CERT_NONE = 0, GNUTLS_CERT_TRUSTED=1,
+ GNUTLS_CERT_TRUSTED=1,
 GNUTLS_CERT_NOT_TRUSTED=2,
- GNUTLS_CERT_VALID=4, GNUTLS_CERT_INVALID=8, /* for openpgp use */
- GNUTLS_CERT_EXPIRED=16, GNUTLS_CERT_CORRUPTED=32,
- GNUTLS_CERT_REVOKED=64
+ GNUTLS_CERT_INVALID=4,
+ GNUTLS_CERT_EXPIRED=8, GNUTLS_CERT_CORRUPTED=16,
+ GNUTLS_CERT_REVOKED=32
 } CertificateStatus;
 #define GNUTLS_CertificateStatus CertificateStatus
diff --git a/lib/gnutls_openpgp.c b/lib/gnutls_openpgp.c
index 3184ac7181..527017db6d 100644
--- a/lib/gnutls_openpgp.c
+++ b/lib/gnutls_openpgp.c
@@ -298,7 +298,7 @@ datum_to_openpgp_pkt( const gnutls_datum *raw, PKT *r_pkt )
 rc = cdk_pkt_parse(buf, &pkt);
 if ( rc != CDKERR_EOF ) {
- rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ rc = GNUTLS_E_NO_CERTIFICATE_FOUND_FOUND;
 goto leave;
 } else
@@ -517,7 +517,7 @@ _gnutls_openpgp_key2gnutls_key(gnutls_private_key *pkey,
 }
 if (sk == NULL) {
- rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ rc = GNUTLS_E_NO_CERTIFICATE_FOUND_FOUND;
 goto leave;
 }
@@ -601,7 +601,7 @@ _gnutls_openpgp_cert2gnutls_cert(gnutls_cert *cert, gnutls_datum raw)
 }
 if (pk == NULL) {
- rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ rc = GNUTLS_E_NO_CERTIFICATE_FOUND_FOUND;
 goto leave;
 }
@@ -667,13 +667,13 @@ gnutls_openpgp_get_key(gnutls_datum *key, const gnutls_datum *keyring,
 rc = cdk_keydb_search_key(khd, &pk, &ks);
 if (rc) {
- rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ rc = GNUTLS_E_NO_CERTIFICATE_FOUND_FOUND;
 goto leave;
 }
 if ( !pkt_find_type(pk, PKT_PUBKEY) ) {
- rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
+ rc = GNUTLS_E_NO_CERTIFICATE_FOUND_FOUND;
 goto leave;
 }
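Review bot: The replacement `rc = GNUTLS_E_NO_CERTIFICATE_FOUND_FOUND;` in datum_to_openpgp_pkt looks like a search-and-replace artefact: the line it replaces already used GNUTLS_E_NO_CERTIFICATE_FOUND, and the doubled suffix is not defined anywhere in this commit, so unless a header outside it introduces that name lib/gnutls_openpgp.c will no longer compile. The same substitution appears in the _gnutls_openpgp_key2gnutls_key, _gnutls_openpgp_cert2gnutls_cert and gnutls_openpgp_get_key hunks, five occurrences in all. Each should read `rc = GNUTLS_E_NO_CERTIFICATE_FOUND;` as before.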
@@ -1061,28 +1061,28 @@ _gnutls_openpgp_get_key_trust(const char *trustdb,
 IOBUF buf;
 if (!trustdb || !key || !r_success)
- return GNUTLS_CERT_NONE;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 *r_success = 0;
 rc = datum_to_openpgp_pkt(key, &pkt);
 if (rc)
- return GNUTLS_CERT_NONE;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 pk = openpgp_pkt_to_pk(pkt, 0);
 if (!pk)
- return GNUTLS_CERT_NONE;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 rc = cdk_iobuf_open( &buf, trustdb, IOBUF_MODE_RD );
 if (rc == -1) {
- trustval = GNUTLS_CERT_NONE;
+ trustval = GNUTLS_E_NO_CERTIFICATE_FOUND;
 goto leave;
 }
 rc = cdk_trustdb_find_ownertrust(buf, pk, &ot, &flags);
 cdk_iobuf_close(buf);
 if (rc) {
- rc = GNUTLS_CERT_NONE;
+ rc = GNUTLS_E_NO_CERTIFICATE_FOUND;
 goto leave;
 }
@@ -1645,7 +1645,7 @@ gnutls_openpgp_extract_key_expiration_time( const gnutls_datum *cert )
 }
 int
-gnutls_openpgp_verify_key(char* ign, const gnutls_datum* keyring,
+gnutls_openpgp_verify_key(const char* ign, const gnutls_datum* keyring,
 const gnutls_datum* cert_list, int cert_list_length)
 {
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index e29accfbf9..bfc5e7b2f6 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -571,7 +571,7 @@ static int _gnutls_record_check_type( GNUTLS_STATE state, ContentType recv_type,
 switch (recv_type) {
 case GNUTLS_ALERT:
- _gnutls_record_log( "REC: Alert[%d|%d] - %s - was received\n", data[0], data[1], _gnutls_alert_get_name((int)data[1]));
+ _gnutls_record_log( "REC: Alert[%d|%d] - %s - was received\n", data[0], data[1], gnutls_alert_get_name((int)data[1]));
 state->gnutls_internals.last_alert = data[1];
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 5591a7d5e1..5d97fcc822 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
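Review bot: In _gnutls_openpgp_get_key_trust, failure to open the trust database (`cdk_iobuf_open` returning -1) and failure of `cdk_trustdb_find_ownertrust` are both now reported as GNUTLS_E_NO_CERTIFICATE_FOUND, which the comments elsewhere in this commit define as "no certificate was sent by the peer"; a caller therefore cannot tell a missing or unreadable local trustdb from an empty peer chain. A distinct error code for the trustdb failures would preserve that distinction. The two branches also assign different variables before `goto leave` (`trustval` in the open failure, `rc` in the lookup failure); the `leave` label is outside the hunk, but only one of the two can be what it returns, so one assignment is presumably ineffective and both branches should set the same variable, e.g. `trustval = GNUTLS_E_NO_CERTIFICATE_FOUND;` in the lookup branch as well.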
@@ -698,7 +698,7 @@ int gnutls_x509_extract_certificate_version(const gnutls_datum * cert)
 * This function will try to verify the peer's certificate and return it's status (TRUSTED, EXPIRED etc.).
 * The return value (status) should be one of the CertificateStatus enumerated elements.
 * However you must also check the peer's name in order to check if the verified certificate belongs to the
- * actual peer. Returns a negative error code in case of an error, or GNUTLS_CERT_NONE if no certificate was sent.
+ * actual peer. Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent.
 * -*/
 int _gnutls_x509_cert_verify_peers(GNUTLS_STATE state)
@@ -722,7 +722,7 @@ int _gnutls_x509_cert_verify_peers(GNUTLS_STATE state)
 }
 if (info->raw_certificate_list == NULL || info->ncerts == 0)
- return GNUTLS_CERT_NONE;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 /* generate a list of gnutls_certs based on the auth info
 * raw certs.
@@ -798,7 +798,7 @@ int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list
 int peer_certificate_list_size, i, x, ret, ca_certificate_list_size;
 if (cert_list == NULL || cert_list_length == 0)
- return GNUTLS_CERT_NONE;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 /* generate a list of gnutls_certs based on the auth info
 * raw certs.
diff --git a/lib/x509_sig_check.c b/lib/x509_sig_check.c
index fc518f4c65..7a418c4e71 100644
--- a/lib/x509_sig_check.c
+++ b/lib/x509_sig_check.c
@@ -184,6 +184,7 @@ _pkcs1_rsa_verify_sig( const gnutls_datum* signature, gnutls_datum* text, MPI *p
 }
 /* verifies if the certificate is properly signed.
+ * returns 0 on success.
 */
 CertificateStatus gnutls_x509_verify_signature(gnutls_cert* cert, gnutls_cert* issuer) {
 gnutls_datum signature;
@@ -211,7 +212,7 @@ gnutls_datum tbs;
 }
 gnutls_free_datum(&tbs);
- return GNUTLS_CERT_VALID;
+ return 0;
 break;
 case GNUTLS_PK_DSA:
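Review bot: gnutls_x509_verify_signature is still declared to return CertificateStatus, but with GNUTLS_CERT_NONE removed 0 is no longer an enumerator of that type, so the `return 0;` lines introduced in the @@ -211 and @@ -222 hunks return a value outside the enum from a function typed as the enum. The sibling helpers check_if_expired and check_if_ca in lib/x509_verify.c already use a plain `int` return for the same 0-or-flag convention; changing the definition to `int gnutls_x509_verify_signature(gnutls_cert* cert, gnutls_cert* issuer) {` (and its prototype, which is not in this commit) would make the three consistent. The added comment `* returns 0 on success.` would also be more useful if it named the status flag returned on failure, which is assigned outside this hunk.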
@@ -222,7 +223,7 @@ gnutls_datum tbs;
 }
 gnutls_free_datum(&tbs);
- return GNUTLS_CERT_VALID;
+ return 0;
 break;
 }
diff --git a/lib/x509_verify.c b/lib/x509_verify.c
index 40f9db16f4..819aef21cd 100644
--- a/lib/x509_verify.c
+++ b/lib/x509_verify.c
@@ -141,7 +141,7 @@ time_t _gnutls_generalTime2gtime(char *ttime)
 return ret;
 }
-/* Returns VALID or EXPIRED.
+/* Returns 0 or EXPIRED.
 */
 static int check_if_expired(gnutls_cert * cert)
 {
@@ -151,12 +151,12 @@ static int check_if_expired(gnutls_cert * cert)
 */
 if (time(NULL) < cert->expiration_time)
- ret = GNUTLS_CERT_VALID;
+ ret = 0;
 return ret;
 }
-/* Return GNUTLS_CERT_VALID or INVALID, if the issuer is a CA,
+/* Return 0 or INVALID, if the issuer is a CA,
 * or not. */
 static int check_if_ca(const gnutls_cert * cert, const gnutls_cert* issuer)
@@ -169,12 +169,12 @@ static int check_if_ca(const gnutls_cert * cert, const gnutls_cert* issuer)
 */
 if (cert->raw.size == issuer->raw.size) {
 if ( memcmp( cert->raw.data, issuer->raw.data, cert->raw.size)==0) {
- return GNUTLS_CERT_VALID;
+ return 0;
 }
 }
 if (issuer->CA==1) {
- ret = GNUTLS_CERT_VALID;
+ ret = 0;
 } else gnutls_assert();
@@ -322,19 +322,19 @@ int gnutls_verify_certificate2(gnutls_cert * cert, gnutls_cert * trusted_cas, in
 }
 ret = check_if_ca( cert, issuer);
- if (ret != GNUTLS_CERT_VALID) {
+ if (ret != 0) {
 gnutls_assert();
 return ret_else;
 }
 ret = check_if_expired( issuer);
- if (ret != GNUTLS_CERT_VALID) {
+ if (ret != 0) {
 gnutls_assert();
 return ret_else;
 }
 ret = gnutls_x509_verify_signature(cert, issuer);
- if (ret != GNUTLS_CERT_VALID) {
+ if (ret != 0) {
 gnutls_assert();
 return ret_else;
 }
@@ -364,14 +364,14 @@ int _gnutls_x509_verify_certificate( gnutls_cert * certificate_list,
 int crls_size)
 {
 int i = 0, ret;
- CertificateStatus status=GNUTLS_CERT_NONE;
-
+ CertificateStatus status=0;
+
 if (tcas_size == 0 || clist_size == 0) {
- return status;
+ return GNUTLS_E_NO_CERTIFICATE_FOUND;
 }
 ret = check_if_expired( &certificate_list[0]);
- if (ret != GNUTLS_CERT_VALID) {
+ if (ret != 0) {
 gnutls_assert();
 status |= GNUTLS_CERT_EXPIRED;
 }
@@ -382,7 +382,7 @@ int _gnutls_x509_verify_certificate( gnutls_cert * certificate_list,
 break;
 if ((ret = gnutls_verify_certificate2(&certificate_list[i], &certificate_list[i + 1],
- 1, NULL, 0, GNUTLS_CERT_VALID, GNUTLS_CERT_INVALID)) != GNUTLS_CERT_VALID) {
+ 1, NULL, 0, 0, GNUTLS_CERT_INVALID)) != 0) {
 /*
 * We only accept the first certificate to be
 * expired, revoked etc. If any of the certificates in the
@@ -399,9 +399,6 @@ int _gnutls_x509_verify_certificate( gnutls_cert * certificate_list,
 }
 }
- if ( !(status & GNUTLS_CERT_INVALID))
- status |= GNUTLS_CERT_VALID;
-
 /* Now verify the last certificate in the certificate path
 * against the trusted CA certificate list. */ |
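Review bot: In _gnutls_x509_verify_certificate the `tcas_size == 0` case now returns GNUTLS_E_NO_CERTIFICATE_FOUND, but an empty trusted-CA list is a local configuration problem rather than an absence of peer certificates, and the same code is returned for `clist_size == 0`, so a caller cannot tell the two apart. Only the second condition matches the documented meaning of that error; the first deserves its own return value, or at least a comment stating that the conflation is intentional. Separately, `status` is declared CertificateStatus but initialised to 0, which no longer names an enumerator; `int status = 0;` would match check_if_expired and check_if_ca in this file and the comparisons against 0 this hunk introduces. The function continues past the end of the hunk.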