authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-27 10:29:14 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-27 10:29:14 +0000
commit16b0cdcc2636fea9dbd7b9020ed7e06066521f9c (patch)
treec6a125becee51029d7dd3f00682f2e3625d7952e
parentac0fdb2d0acd63821f8889f8cc2d6833c37cbee7 (diff)
corrected some bugs that affected openpgp authentication.
-rw-r--r--NEWS1
-rw-r--r--doc/TODO1
-rw-r--r--doc/tex/Makefile.am2
-rw-r--r--lib/auth_cert.c44
-rw-r--r--lib/auth_rsa_export.c16
-rw-r--r--lib/gnutls.h.in.in2
-rw-r--r--lib/gnutls_handshake.c4
-rw-r--r--lib/gnutls_int.h2
-rw-r--r--lib/gnutls_mem.h17
-rw-r--r--lib/gnutls_mpi.c4
-rw-r--r--lib/gnutls_mpi.h4
-rw-r--r--lib/gnutls_x509.c8
-rw-r--r--libextra/gnutls_openpgp.c4
-rw-r--r--src/serv.c19
14 files changed, 77 insertions, 51 deletions
diff --git a/NEWS b/NEWS
index 5e4b6ace8a..b188764b11 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ Version 0.9.99
and gnutls_server_name_get() prototypes.
- Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data()
and gnutls_x509_crt_verify_data().
+- Some fixes in the openpgp authentication.
Version 0.9.98 (16/11/2003)
- The openssl compatibility layer was moved to gnutls-openssl
diff --git a/doc/TODO b/doc/TODO
index d4ae7229e2..d92ff49150 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -8,6 +8,7 @@ Current list:
of the certificate selection part.
* Add gnutls_certificate_set_openpgp_key() and gnutls_certificate_set_openpgp_keyring()
functions, similar to gnutls_certificate_set_x509_key().
+* Add gnutls_openpgp_key_get_key_usage().
* Add support for generating and handling DSA keys
* Convert documentation to texinfo format
* Audit the code
diff --git a/doc/tex/Makefile.am b/doc/tex/Makefile.am
index 513d98a663..741d8944b0 100644
--- a/doc/tex/Makefile.am
+++ b/doc/tex/Makefile.am
@@ -18,7 +18,7 @@ TEX_OBJECTS = gnutls.tex ../../lib/gnutls-api.tex fdl.tex ../../lib/x509/x509-ap
memory.tex openpgp.tex x509.tex howto.tex openssl.tex \
appendix.tex x509cert.xml.tex pgpcert.xml.tex \
programs.tex library.tex certificate.tex record_weaknesses.tex \
- tlsintro.tex compression.tex $(EXAMPLE_OBJECTS) \
+ tlsintro.tex compression.tex $(EXAMPLE_OBJECTS) preface.tex \
tls_extensions.tex srp.tex preparation.tex callbacks.tex
gnutls.html: build_api_pgp build_api_lib build_api_x509 build_api_extra $(TEX_OBJECTS)
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 1508ec38b7..f289026e7d 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -292,6 +292,8 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
+ /* Makes the issuers_dn stuff.
+ */
do {
/* This works like DECR_LEN()
*/
@@ -314,12 +316,14 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
} while (issuers_dn_len < MAX_ISSUERS);
- my_certs =
- gnutls_alloca(cred->ncerts * sizeof(gnutls_datum));
- if (my_certs == NULL) {
- result = GNUTLS_E_MEMORY_ERROR;
- gnutls_assert();
- goto error;
+ if (cred->ncerts != 0) {
+ my_certs =
+ gnutls_alloca(cred->ncerts * sizeof(gnutls_datum));
+ if (my_certs == NULL) {
+ result = GNUTLS_E_MEMORY_ERROR;
+ gnutls_assert();
+ goto error;
+ }
}
/* put the requested DNs to req_dn, only in case
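Review bot: When `cred->ncerts` is 0 this hunk no longer assigns `my_certs`, yet the cleanup at the end of the function now tests `if (my_certs)`, so the pointer must start out as NULL. Its declaration is outside the hunk and should be initialised there (`my_certs = NULL`) if it is not already. The same holds for `ij_map` in the next hunk. Separately, where `gnutls_alloca` maps to `alloca` the `my_certs == NULL` test cannot detect a failed allocation, and `cred->ncerts * sizeof(gnutls_datum)` goes onto the stack without an upper bound, so a cap on `ncerts` or a heap allocation would be safer for large credential sets.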
@@ -362,12 +366,18 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
issuers_dn = NULL;
}
- /* maps j -> i */
- ij_map = gnutls_alloca(sizeof(int) * cred->ncerts);
- if (ij_map == NULL) {
- result = GNUTLS_E_MEMORY_ERROR;
- gnutls_assert();
- goto error;
+ /* If not certificates are present.
+ */
+ /* maps j -> i
+ */
+
+ if (cred->ncerts != 0) {
+ ij_map = gnutls_alloca(sizeof(int) * cred->ncerts);
+ if (ij_map == NULL) {
+ result = GNUTLS_E_MEMORY_ERROR;
+ gnutls_assert();
+ goto error;
+ }
}
/* put our certificate's issuer and dn into cdn, idn
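Review bot: The new comment `/* If not certificates are present. */` is an unfinished sentence and sits apart from the `if (cred->ncerts != 0)` it seems meant to explain. Folding the two comment blocks into one placed directly above the condition would read better, for example `/* maps j -> i; ij_map stays NULL when no certificates are loaded */`. The stray blank line between the comments and the `if` can go at the same time.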
@@ -405,12 +415,14 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
* This will make it relative to the certificates
* we've got.
*/
- if (indx != -1)
+ if (indx != -1 && cred->ncerts != 0)
indx = ij_map[indx];
+ else
+ indx = -1;
- gnutls_afree(my_certs);
- gnutls_afree(ij_map);
- gnutls_afree(issuers_dn);
+ if (my_certs) gnutls_afree(my_certs);
+ if (ij_map) gnutls_afree(ij_map);
+ if (issuers_dn) gnutls_afree(issuers_dn);
}
*ind = indx;
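Review bot: `indx` is only compared with -1 before it is used as `ij_map[indx]`, so any other negative value, or a value past the end of the map, would read outside the allocation. Where `indx` comes from is outside the hunk; if it can be set by application code it should be range-checked, at minimum `if (indx >= 0 && indx < cred->ncerts)`, which also covers the `ncerts == 0` case. The tighter bound is the number of entries actually filled into `ij_map`, which is tracked outside the hunk. Also note that `if (my_certs) gnutls_afree(my_certs);` expands to an `if` with an empty body when `gnutls_afree(x)` is the empty alloca macro, and the guard is redundant in the malloc build if `gnutls_free` accepts NULL.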
diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c
index 66d4f25280..3ae0096690 100644
--- a/lib/auth_rsa_export.c
+++ b/lib/auth_rsa_export.c
@@ -99,6 +99,7 @@ static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data)
* of 512 bits or less.
*/
if ( _gnutls_mpi_get_nbits( apr_pkey->params[0]) <= 512) {
+ gnutls_assert();
return GNUTLS_E_INT_RET_0;
}
@@ -108,7 +109,8 @@ static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data)
return GNUTLS_E_NO_TEMPORARY_RSA_PARAMS;
}
- if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE, sizeof( CERTIFICATE_AUTH_INFO_INT), 0)) < 0) {
+ if ( (ret=_gnutls_auth_info_set( session, GNUTLS_CRD_CERTIFICATE,
+ sizeof( CERTIFICATE_AUTH_INFO_INT), 0)) < 0) {
gnutls_assert();
return ret;
}
@@ -167,7 +169,7 @@ static int gen_rsa_export_server_kx(gnutls_session session, opaque ** data)
return GNUTLS_E_MEMORY_ERROR;
}
- _gnutls_write_datum16(&(*data)[data_size], signature);
+ _gnutls_write_datum16(&((*data)[data_size]), signature);
data_size += signature.size + 2;
_gnutls_free_datum(&signature);
@@ -265,10 +267,6 @@ static int proc_rsa_export_server_kx(gnutls_session session, opaque * data,
DECR_LEN( data_size, n_m);
data_m = &data[i];
i += n_m;
- if (i > data_size) {
- gnutls_assert();
- return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
- }
DECR_LEN( data_size, 2);
n_e = _gnutls_read_uint16(&data[i]);
@@ -277,10 +275,6 @@ static int proc_rsa_export_server_kx(gnutls_session session, opaque * data,
DECR_LEN( data_size, n_e);
data_e = &data[i];
i += n_e;
- if (i > data_size) {
- gnutls_assert();
- return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
- }
_n_e = n_e;
_n_m = n_m;
@@ -297,7 +291,7 @@ static int proc_rsa_export_server_kx(gnutls_session session, opaque * data,
ret=_gnutls_rsa_export_set_modulus_bits( session, _gnutls_mpi_get_nbits(
session->key->rsa[0]));
- if (ret<0) {
+ if (ret < 0) {
gnutls_assert();
return ret;
}
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 5c53a61575..07b7ec4803 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -85,7 +85,7 @@ typedef enum gnutls_digest_algorithm { GNUTLS_DIG_NULL=1, GNUTLS_DIG_MD5,
/* exported for other gnutls headers. This is the maximum number
* of algorithms (ciphers, kx or macs).
*/
-#define GNUTLS_MAX_ALGORITHM_NUM 10
+#define GNUTLS_MAX_ALGORITHM_NUM 16
typedef enum gnutls_compression_method { GNUTLS_COMP_NULL=1,
GNUTLS_COMP_ZLIB,
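Review bot: `GNUTLS_MAX_ALGORITHM_NUM` is duplicated as `MAX_ALGOS` in lib/gnutls_int.h (changed to 16 later in this commit), and only a comment keeps the two values in step. If an array is sized by one constant and a loop is bounded by the other, a future one-sided edit becomes an out-of-bounds write. Deriving one from the other would remove the risk, e.g. `#define MAX_ALGOS GNUTLS_MAX_ALGORITHM_NUM` in gnutls_int.h, assuming that header can see the public definition. Because this is a public header, it is also worth confirming that no exported structure embeds an array of this size, since that would change the ABI.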
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 872e3b854b..2296914feb 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2317,8 +2317,9 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session,
*/
cert = NULL;
- if (session->security_parameters.entity == GNUTLS_SERVER)
+ if (session->security_parameters.entity == GNUTLS_SERVER) {
cert = _gnutls_server_find_cert(session, requested_pk_algo);
+ }
if (cert == NULL) {
/* No certificate was found
@@ -2371,7 +2372,6 @@ int _gnutls_remove_unwanted_ciphersuites(gnutls_session session,
* is compatible with the certificate.
*/
for (j = 0; j < alg_size; j++) {
-
if (alg[j] == kx) {
keep = 0;
break;
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 0929dd6f11..8f7aa0dc5a 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -156,7 +156,7 @@ typedef struct {
/* This is the maximum number of algorithms (ciphers or macs etc).
* keep it synced with GNUTLS_MAX_ALGORITHM_NUM in gnutls.h
*/
-#define MAX_ALGOS 10
+#define MAX_ALGOS 16
#define MAX_CIPHERSUITES 256
diff --git a/lib/gnutls_mem.h b/lib/gnutls_mem.h
index 2526ec8d58..959757a27f 100644
--- a/lib/gnutls_mem.h
+++ b/lib/gnutls_mem.h
@@ -11,15 +11,24 @@ typedef void svoid; /* for functions that allocate using gnutls_secure_malloc */
* memory leaks may occur in systems which do not
* support alloca.
*/
+#ifdef USE_EFENCE
+# define gnutls_alloca gnutls_malloc
+# define gnutls_afree gnutls_free
+#endif
+
#ifdef HAVE_ALLOCA
# ifdef HAVE_ALLOCA_H
# include <alloca.h>
# endif
-# define gnutls_alloca alloca
-# define gnutls_afree(x)
+# ifndef gnutls_alloca
+# define gnutls_alloca alloca
+# define gnutls_afree(x)
+# endif
#else
-# define gnutls_alloca gnutls_malloc
-# define gnutls_afree gnutls_free
+# ifndef gnutls_alloca
+# define gnutls_alloca gnutls_malloc
+# define gnutls_afree gnutls_free
+# endif
#endif /* HAVE_ALLOCA */
typedef void* (*gnutls_alloc_function)(size_t);
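Review bot: The `USE_EFENCE` override works only because both branches of the `HAVE_ALLOCA` conditional were wrapped in an identical `#ifndef gnutls_alloca` guard, which makes the selection order hard to follow. A single conditional that names the alloca case explicitly gives the same result with no duplicated defines. It would also help to note in the existing comment that `gnutls_afree` expands to nothing in the alloca build, so a missing `gnutls_afree` call on an error path only appears as a leak in the malloc and efence builds.

```c
#if defined(HAVE_ALLOCA) && defined(HAVE_ALLOCA_H)
# include <alloca.h>
#endif

/* Electric Fence builds force heap allocation so overruns are trapped. */
#if defined(HAVE_ALLOCA) && !defined(USE_EFENCE)
# define gnutls_alloca alloca
# define gnutls_afree(x)
#else
# define gnutls_alloca gnutls_malloc
# define gnutls_afree gnutls_free
#endif
```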
diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c
index c6149396f9..337f396c94 100644
--- a/lib/gnutls_mpi.c
+++ b/lib/gnutls_mpi.c
@@ -71,7 +71,7 @@ int ret;
return 0;
}
-int _gnutls_mpi_print( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a )
+int _gnutls_mpi_print( void *buffer, size_t *nbytes, const GNUTLS_MPI a )
{
int ret;
@@ -82,7 +82,7 @@ int ret;
}
/* Always has the first bit zero */
-int _gnutls_mpi_print_lz( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a )
+int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const GNUTLS_MPI a )
{
int ret;
diff --git a/lib/gnutls_mpi.h b/lib/gnutls_mpi.h
index 07333349d5..2ac9eae663 100644
--- a/lib/gnutls_mpi.h
+++ b/lib/gnutls_mpi.h
@@ -32,8 +32,8 @@ void _gnutls_mpi_release( GNUTLS_MPI* x);
int _gnutls_mpi_scan( GNUTLS_MPI *ret_mpi, const opaque *buffer, size_t *nbytes );
int _gnutls_mpi_scan_pgp( GNUTLS_MPI *ret_mpi, const opaque *buffer, size_t *nbytes );
-int _gnutls_mpi_print( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a );
-int _gnutls_mpi_print_lz( opaque *buffer, size_t *nbytes, const GNUTLS_MPI a );
+int _gnutls_mpi_print( void *buffer, size_t *nbytes, const GNUTLS_MPI a );
+int _gnutls_mpi_print_lz( void *buffer, size_t *nbytes, const GNUTLS_MPI a );
#endif
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 1bfadf9f05..b09f4df2fa 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1003,17 +1003,21 @@ int _gnutls_check_key_usage( const gnutls_cert* cert,
* type algorithm, and key's usage does not permit
* encipherment, then fail.
*/
- if (!(keyUsage & KEY_KEY_ENCIPHERMENT))
+ if (!(keyUsage & KEY_KEY_ENCIPHERMENT)) {
+ gnutls_assert();
return
GNUTLS_E_KEY_USAGE_VIOLATION;
+ }
}
if ( encipher_type == CIPHER_SIGN) {
/* The same as above, but for sign only keys
*/
- if (!(keyUsage & KEY_DIGITAL_SIGNATURE))
+ if (!(keyUsage & KEY_DIGITAL_SIGNATURE)) {
+ gnutls_assert();
return
GNUTLS_E_KEY_USAGE_VIOLATION;
+ }
}
}
}
diff --git a/libextra/gnutls_openpgp.c b/libextra/gnutls_openpgp.c
index 075b8666e7..a8f5c86c57 100644
--- a/libextra/gnutls_openpgp.c
+++ b/libextra/gnutls_openpgp.c
@@ -261,10 +261,10 @@ openpgp_pk_to_gnutls_cert( gnutls_cert *cert, cdk_pkt_pubkey_t pk )
if( is_DSA(pk->pubkey_algo) || pk->pubkey_algo == GCRY_PK_RSA_S )
cert->keyUsage = KEY_DIGITAL_SIGNATURE;
else if( pk->pubkey_algo == GCRY_PK_RSA_E )
- cert->keyUsage = KEY_ENCIPHER_ONLY;
+ cert->keyUsage = KEY_KEY_ENCIPHERMENT;
else if( pk->pubkey_algo == GCRY_PK_RSA )
cert->keyUsage = KEY_DIGITAL_SIGNATURE
- | KEY_ENCIPHER_ONLY;
+ | KEY_KEY_ENCIPHERMENT;
cert->params_size = cdk_pk_get_npkey( pk->pubkey_algo );
for( i = 0; i < cert->params_size; i++ ) {
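Review bot: The `if`/`else if` chain that sets `cert->keyUsage` has no final `else`, so for any other `pk->pubkey_algo` the field keeps whatever value it had on entry. Whether `cert` is cleared beforehand is outside the hunk; if it is not, the key-usage test in lib/gnutls_x509.c would act on an indeterminate value. An explicit last branch would make the outcome deliberate, either `else cert->keyUsage = 0;` with a comment stating what 0 means to the checker, or an error return for unsupported algorithms. `openpgp_pk_to_gnutls_cert` starts and ends outside the hunk.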
diff --git a/src/serv.c b/src/serv.c
index 0125e19c26..a3af0a0fe5 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -105,9 +105,9 @@ char *x509_crlfile = NULL;
#define RENEGOTIATE
/* These are global */
-gnutls_srp_server_credentials srp_cred;
-gnutls_anon_server_credentials dh_cred;
-gnutls_certificate_credentials cert_cred;
+gnutls_srp_server_credentials srp_cred = NULL;
+gnutls_anon_server_credentials dh_cred = NULL;
+gnutls_certificate_credentials cert_cred = NULL;
const int ssl_session_cache = 128;
@@ -295,8 +295,12 @@ gnutls_session initialize_session(void)
gnutls_certificate_type_set_priority(session, cert_type_priority);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, dh_cred);
- gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred);
- gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred);
+
+ if (srp_cred != NULL)
+ gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred);
+
+ if (cert_cred != NULL)
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cert_cred);
gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST);
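Review bot: `dh_cred` is still passed to `gnutls_credentials_set` unconditionally, although this commit initialises it to NULL like the other two globals and its allocation appears to sit under `#ifdef ENABLE_ANON`. For consistency it should get the same guard, `if (dh_cred != NULL) gnutls_credentials_set(session, GNUTLS_CRD_ANON, dh_cred);`. The return value of each `gnutls_credentials_set` call is also ignored, so a failure to attach credentials would pass unnoticed. `initialize_session` continues outside the hunk.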
@@ -667,9 +671,9 @@ int main(int argc, char **argv)
* Read README.crypt prior to using SRP.
*/
#ifdef ENABLE_SRP
- gnutls_srp_allocate_server_credentials(&srp_cred);
+ if (srp_passwd != NULL) {
+ gnutls_srp_allocate_server_credentials(&srp_cred);
- if (srp_passwd != NULL)
if ((ret =
gnutls_srp_set_server_credentials_file(srp_cred, srp_passwd,
srp_passwd_conf)) < 0) {
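Review bot: The result of `gnutls_srp_allocate_server_credentials(&srp_cred)` is not checked, so if allocation fails `srp_cred` stays NULL and is passed straight to `gnutls_srp_set_server_credentials_file`. Checking it in the same way as the following call would close that gap, e.g. `if ((ret = gnutls_srp_allocate_server_credentials(&srp_cred)) < 0) { GERR(ret); }`, followed by whatever exit path the surrounding code uses. The block opened here is closed in the next hunk.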
@@ -678,6 +682,7 @@ int main(int argc, char **argv)
fprintf(stderr, "Error while setting SRP parameters\n");
GERR(ret);
}
+ }
#endif
#ifdef ENABLE_ANON