author | Simon Josefsson <simon@josefsson.org> | 2007-10-24 17:47:24 +0200 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2007-10-24 17:47:24 +0200 |
commit | 5f6dd95d2aedc731b78b5a0fe3e149e66a33326c (patch) | |
tree | 35d33fbff82f3ef31efabf4e29b351598c1beba6 | |
parent | 8b7b5258bd8de58bb2b8349c34279534cfb0a4ed (diff) | |
parent | 74200139866f14efc4cbabeec8c6698982327296 (diff) | |
download | gnutls-5f6dd95d2aedc731b78b5a0fe3e149e66a33326c.tar.gz |
Merge branch 'master' of ssh://git.sv.gnu.org/srv/git/gnutls
44 files changed, 1373 insertions, 575 deletions
@@ -5,7 +5,36 @@ See the end for copying conditions. * Version 2.1.4 (unreleased) +** Added the --v1 option to certtool, to allow generating X.509 +version 1 certificates. + +** certtool: Add option --disable-quick-random to enable the old behaviour +of using /dev/random to generate keys. + +** Added priority functions that accept strings. + +** Added gnutls_set_default_priority2() which accepts a flag to indicate +priorities preferences. + +** Added gnutls_record_disable_padding() to allow servers talking to +buggy clients that complain if the TLS 1.0 record protocol padding is +used. + +** Introduced gnutls_session_enable_compatibility_mode() to allow enabling +all supported compatibility options (like disabling padding). + ** API and ABI modifications: +gnutls_set_default_priority: DEPRECATED +gnutls_set_default_priority_export: DEPRECATED +gnutls_set_default_priority2: ADDED +gnutls_session_enable_compatibility_mode: ADDED +gnutls_record_disable_padding: ADDED +gnutls_mac_convert_priority: ADDED +gnutls_compression_convert_priority: ADDED +gnutls_protocol_convert_priority: ADDED +gnutls_kx_convert_priority: ADDED +gnutls_cipher_convert_priority: ADDED +gnutls_certificate_type_convert_priority: ADDED gnutls_openpgp_key_t: RENAMED to gnutls_openpgp_crt_t gnutls_openpgp_key_status_t: RENAMEDS gnutls_openpgp_crt_status_t gnutls_openpgp_send_key: RENAMED to gnutls_openpgp_send_cert diff --git a/build-aux/config.rpath b/build-aux/config.rpath index c547c68825..c492a93b66 100755 --- a/build-aux/config.rpath +++ b/build-aux/config.rpath @@ -2,7 +2,7 @@ # Output a system dependent set of variables, describing how to set the # run time search path of shared libraries in an executable. # -# Copyright 1996-2007 Free Software Foundation, Inc. +# Copyright 1996-2006 Free Software Foundation, Inc. # Taken from GNU libtool, 2001 # Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996 # 
@@ -64,7 +64,7 @@ else ;; esac ;; - mingw* | cygwin* | pw32* | os2*) + mingw* | pw32* | os2*) ;; hpux9* | hpux10* | hpux11*) wl='-Wl,' @@ -74,7 +74,7 @@ else ;; newsos6) ;; - linux* | k*bsd*-gnu) + linux*) case $cc_basename in icc* | ecc*) wl='-Wl,' @@ -100,7 +100,7 @@ else osf3* | osf4* | osf5*) wl='-Wl,' ;; - rdos*) + sco3.2v5*) ;; solaris*) wl='-Wl,' @@ -108,14 +108,11 @@ else sunos4*) wl='-Qoption ld ' ;; - sysv4 | sysv4.2uw2* | sysv4.3*) + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) wl='-Wl,' ;; sysv4*MP*) ;; - sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) - wl='-Wl,' - ;; unicos*) wl='-Wl,' ;; @@ -192,11 +189,11 @@ if test "$with_gnu_ld" = yes; then ld_shlibs=no fi ;; - interix[3-9]*) + interix3*) hardcode_direct=no hardcode_libdir_flag_spec='${wl}-rpath,$libdir' ;; - gnu* | linux* | k*bsd*-gnu) + linux*) if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then : else @@ -283,7 +280,7 @@ else strings "$collect2name" | grep resolve_lib_name >/dev/null then # We have reworked collect2 - : + hardcode_direct=yes else # We have old collect2 hardcode_direct=unsupported @@ -362,7 +359,7 @@ else hardcode_direct=yes hardcode_minus_L=yes ;; - freebsd* | dragonfly*) + freebsd* | kfreebsd*-gnu | dragonfly*) hardcode_libdir_flag_spec='-R$libdir' hardcode_direct=yes ;; 
@@ -415,22 +412,18 @@ else hardcode_libdir_separator=: ;; openbsd*) - if test -f /usr/libexec/ld.so; then - hardcode_direct=yes - if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - else - case "$host_os" in - openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) - hardcode_libdir_flag_spec='-R$libdir' - ;; - *) - hardcode_libdir_flag_spec='${wl}-rpath,$libdir' - ;; - esac - fi + hardcode_direct=yes + if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' else - ld_shlibs=no + case "$host_os" in + openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*) + hardcode_libdir_flag_spec='-R$libdir' + ;; + *) + hardcode_libdir_flag_spec='${wl}-rpath,$libdir' + ;; + esac fi ;; os2*) @@ -478,7 +471,7 @@ else ld_shlibs=yes fi ;; - sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*) ;; sysv5* | sco3.2v5* | sco5v6*) hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`' 
@@ -495,51 +488,33 @@ fi # Check dynamic linker characteristics # Code taken from libtool.m4's AC_LIBTOOL_SYS_DYNAMIC_LINKER. -# Unlike libtool.m4, here we don't care about _all_ names of the library, but -# only about the one the linker finds when passed -lNAME. This is the last -# element of library_names_spec in libtool.m4, or possibly two of them if the -# linker has special search rules. -library_names_spec= # the last element of library_names_spec in libtool.m4 libname_spec='lib$name' case "$host_os" in aix3*) - library_names_spec='$libname.a' ;; aix4* | aix5*) - library_names_spec='$libname$shrext' ;; amigaos*) - library_names_spec='$libname.a' ;; beos*) - library_names_spec='$libname$shrext' ;; bsdi[45]*) - library_names_spec='$libname$shrext' ;; cygwin* | mingw* | pw32*) shrext=.dll - library_names_spec='$libname.dll.a $libname.lib' ;; darwin* | rhapsody*) shrext=.dylib - library_names_spec='$libname$shrext' ;; dgux*) - library_names_spec='$libname$shrext' ;; freebsd1*) ;; + kfreebsd*-gnu) + ;; freebsd* | dragonfly*) - case "$host_os" in - freebsd[123]*) - library_names_spec='$libname$shrext$versuffix' ;; - *) - library_names_spec='$libname$shrext' ;; - esac ;; gnu*) - library_names_spec='$libname$shrext' ;; hpux9* | hpux10* | hpux11*) case $host_cpu in @@ -553,13 +528,10 @@ case "$host_os" in shrext=.sl ;; esac - library_names_spec='$libname$shrext' ;; - interix[3-9]*) - library_names_spec='$libname$shrext' + interix3*) ;; irix5* | irix6* | nonstopux*) - library_names_spec='$libname$shrext' case "$host_os" in irix5* | nonstopux*) libsuff= shlibsuff= 
@@ -576,59 +548,41 @@ case "$host_os" in ;; linux*oldld* | linux*aout* | linux*coff*) ;; - linux* | k*bsd*-gnu) - library_names_spec='$libname$shrext' + linux*) ;; knetbsd*-gnu) - library_names_spec='$libname$shrext' ;; netbsd*) - library_names_spec='$libname$shrext' ;; newsos6) - library_names_spec='$libname$shrext' ;; nto-qnx*) - library_names_spec='$libname$shrext' ;; openbsd*) - library_names_spec='$libname$shrext$versuffix' ;; os2*) libname_spec='$name' shrext=.dll - library_names_spec='$libname.a' ;; osf3* | osf4* | osf5*) - library_names_spec='$libname$shrext' - ;; - rdos*) ;; solaris*) - library_names_spec='$libname$shrext' ;; sunos4*) - library_names_spec='$libname$shrext$versuffix' ;; sysv4 | sysv4.3*) - library_names_spec='$libname$shrext' ;; sysv4*MP*) - library_names_spec='$libname$shrext' ;; sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) - library_names_spec='$libname$shrext' ;; uts4*) - library_names_spec='$libname$shrext' ;; esac sed_quote_subst='s/\(["`$\\]\)/\\\1/g' escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"` shlibext=`echo "$shrext" | sed -e 's,^\.,,'` -escaped_libname_spec=`echo "X$libname_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` -escaped_library_names_spec=`echo "X$library_names_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <<EOF @@ -642,12 +596,6 @@ libext="$libext" # Shared library suffix (normally "so"). shlibext="$shlibext" -# Format of library name prefix. -libname_spec="$escaped_libname_spec" - -# Library names that the linker finds when passed -lNAME. -library_names_spec="$escaped_library_names_spec" - # Flag to hardcode \$libdir into a binary during linking. # This must work even if \$libdir does not exist. hardcode_libdir_flag_spec="$escaped_hardcode_libdir_flag_spec" 
diff --git a/configure.in b/configure.in index 07aa680832..08079e6ecc 100644 --- a/configure.in +++ b/configure.in @@ -35,7 +35,7 @@ AB_INIT # Interfaces changed/added/removed: CURRENT++ REVISION=0 # Interfaces added: AGE++ # Interfaces removed: AGE=0 -AC_SUBST(LT_CURRENT, 24) +AC_SUBST(LT_CURRENT, 14) AC_SUBST(LT_REVISION, 0) AC_SUBST(LT_AGE, 0) ac_full=1 diff --git a/doc/examples/ex-alert.c b/doc/examples/ex-alert.c index 23c6c3ab79..5869dcaae2 100644 --- a/doc/examples/ex-alert.c +++ b/doc/examples/ex-alert.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/ex-cert-select.c b/doc/examples/ex-cert-select.c index 038adc13c0..287fab6e5d 100644 --- a/doc/examples/ex-cert-select.c +++ b/doc/examples/ex-cert-select.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/ex-client-resume.c b/doc/examples/ex-client-resume.c index aed2d9d2c8..0e73901912 100644 --- a/doc/examples/ex-client-resume.c +++ b/doc/examples/ex-client-resume.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif 
@@ -47,7 +54,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c index c26364ad8d..ea09c2f82e 100644 --- a/doc/examples/ex-client-srp.c +++ b/doc/examples/ex-client-srp.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -21,6 +28,8 @@ extern void tcp_close (int sd); #define SA struct sockaddr #define MSG "GET / HTTP/1.0\r\n\r\n" +#define MAX_PRIORITIES 3 + int main (void) { @@ -30,6 +39,7 @@ main (void) char buffer[MAX_BUF + 1]; gnutls_srp_client_credentials_t srp_cred; gnutls_certificate_credentials_t cert_cred; + int kx_priorities[MAX_PRIORITIES]; gnutls_global_init (); @@ -38,6 +48,9 @@ main (void) */ gnutls_global_init_extra (); + gnutls_kx_convert_priority( kx_priorities, MAX_PRIORITIES, + "SRP, SRP-RSA, SRP-DSS", ','); + gnutls_srp_allocate_client_credentials (&srp_cred); gnutls_certificate_allocate_credentials (&cert_cred); @@ -56,8 +69,8 @@ main (void) /* Set the priorities. */ - gnutls_set_default_priority (session); - + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); + gnutls_kx_set_priority( session, kx_priorities); /* put the SRP credentials to the current session */ diff --git a/doc/examples/ex-client-tlsia.c b/doc/examples/ex-client-tlsia.c index 1cfe8743c8..40a5670ad6 100644 --- a/doc/examples/ex-client-tlsia.c +++ b/doc/examples/ex-client-tlsia.c 
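Review bot: In ex-client-srp.c the new `kx_priorities` array has exactly `MAX_PRIORITIES` (3) slots, and the string handed to `gnutls_kx_convert_priority()` names three algorithms, so no slot is left for the terminating 0 that a list passed to `gnutls_kx_set_priority()` is expected to end with. The converter's body is not in this hunk, so whether it truncates or leaves the list unterminated cannot be confirmed here; declaring `int kx_priorities[MAX_PRIORITIES + 1];` removes the doubt. The return value of the conversion is also ignored, and the second and third names carry a leading space after the comma, so a name that fails to parse would silently leave the session with a different key-exchange list than the example claims. I would check the result (presumably negative on error) and exit before `gnutls_kx_set_priority( session, kx_priorities);` is reached.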
@@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -72,7 +79,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous and TLS/IA credentials to the current session diff --git a/doc/examples/ex-client1.c b/doc/examples/ex-client1.c index 5ae8d4fee2..6aeceec83b 100644 --- a/doc/examples/ex-client1.c +++ b/doc/examples/ex-client1.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -40,7 +47,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); gnutls_kx_set_priority (session, kx_prio); /* put the anonymous credentials to the current session diff --git a/doc/examples/ex-client2.c b/doc/examples/ex-client2.c index 2e44132a58..37b074489b 100644 --- a/doc/examples/ex-client2.c +++ b/doc/examples/ex-client2.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif 
@@ -43,7 +50,7 @@ main (void) gnutls_init (&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); /* put the x509 credentials to the current session */ diff --git a/doc/examples/ex-crq.c b/doc/examples/ex-crq.c index 8c645552ca..d2fc9250eb 100644 --- a/doc/examples/ex-crq.c +++ b/doc/examples/ex-crq.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/ex-pkcs12.c b/doc/examples/ex-pkcs12.c index 185a47008f..7c094bf651 100644 --- a/doc/examples/ex-pkcs12.c +++ b/doc/examples/ex-pkcs12.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/ex-rfc2818.c b/doc/examples/ex-rfc2818.c index 2147d1f249..dcb03ac320 100644 --- a/doc/examples/ex-rfc2818.c +++ b/doc/examples/ex-rfc2818.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c index d5fd28e54e..22ca9d2933 100644 --- a/doc/examples/ex-serv-anon.c +++ b/doc/examples/ex-serv-anon.c 
@@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -37,7 +44,7 @@ initialize_tls_session (void) /* avoid calling all the priority functions, since the defaults * are adequate. */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_kx_set_priority (session, kx_prio); gnutls_credentials_set (session, GNUTLS_CRD_ANON, anoncred); diff --git a/doc/examples/ex-serv-export.c b/doc/examples/ex-serv-export.c index 12b7fc3aa9..e457ecff5d 100644 --- a/doc/examples/ex-serv-export.c +++ b/doc/examples/ex-serv-export.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -12,6 +19,7 @@ #include <string.h> #include <unistd.h> #include <gnutls/gnutls.h> +#include <gcrypt.h> /* for gcry_control */ #define KEYFILE "key.pem" #define CERTFILE "cert.pem" @@ -48,7 +56,7 @@ initialize_tls_session (void) /* Use the default priorities, plus, export cipher suites. */ - gnutls_set_default_export_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_EXPORT); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cert_cred); 
@@ -75,16 +83,25 @@ gnutls_dh_params_t dh_params; */ gnutls_rsa_params_t rsa_params; +static char srp_dh_group2048[] = + "-----BEGIN DH PARAMETERS-----\n" + "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" + "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" + "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" + "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" + "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" + "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" + "-----END DH PARAMETERS-----\n"; + int generate_dh_params (void) { - /* Generate Diffie Hellman parameters - for use with DHE - * kx algorithms. These should be discarded and regenerated - * once a day, once a week or once a month. Depends on the - * security requirements. +gnutls_datum dparams = { srp_dh_group2048, sizeof( srp_dh_group2048) }; + /* Here instead of generating Diffie Hellman parameters (for use with DHE + * kx algorithms) we import them. */ gnutls_dh_params_init (&dh_params); - gnutls_dh_params_generate2 (dh_params, DH_BITS); + gnutls_dh_params_import_pkcs3 (dh_params, &dparams, GNUTLS_X509_FMT_PEM); return 0; } @@ -95,9 +112,9 @@ generate_rsa_params (void) gnutls_rsa_params_init (&rsa_params); /* Generate RSA parameters - for use with RSA-export - * cipher suites. These should be discarded and regenerated - * once a day, once every 500 transactions etc. Depends on the - * security requirements. + * cipher suites. This is an RSA private key and should be + * discarded and regenerated once a day, once every 500 + * transactions etc. Depends on the security requirements. */ gnutls_rsa_params_generate2 (rsa_params, 512); 
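Review bot: `generate_dh_params()` drops the result of `gnutls_dh_params_import_pkcs3()`, so a failed import leaves `dh_params` initialised but empty while the function still returns 0. Propagating it is a two-line change: `int ret = gnutls_dh_params_import_pkcs3 (dh_params, &dparams, GNUTLS_X509_FMT_PEM);` followed by `if (ret < 0) return ret;`. The datum length `sizeof( srp_dh_group2048)` also counts the literal's trailing NUL; `sizeof (srp_dh_group2048) - 1` is the PEM length. The new comment could also say that the imported group is a fixed one shared by every run of the example, since the removed comment about periodic regeneration no longer applies.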
@@ -121,10 +138,15 @@ main (void) strcpy (name, "Echo Server"); + /* to disallow usage of the blocking /dev/random + */ + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + /* this must be called once in the program */ gnutls_global_init (); + gnutls_certificate_allocate_credentials (&cert_cred); gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE, diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c index 04505895e7..be79e3e980 100644 --- a/doc/examples/ex-serv-pgp.c +++ b/doc/examples/ex-serv-pgp.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -61,7 +68,7 @@ initialize_tls_session (void) */ gnutls_set_default_priority (session); - gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); /* request client certificate if any. */ diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c index 3a25143136..b49b965293 100644 --- a/doc/examples/ex-serv-srp.c +++ b/doc/examples/ex-serv-srp.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -43,7 +50,7 @@ initialize_tls_session (void) gnutls_init (&session, GNUTLS_SERVER); - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_kx_set_priority (session, kx_priority); gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred); diff --git a/doc/examples/ex-serv1.c b/doc/examples/ex-serv1.c index f2c3a51fb9..b1ed81cd06 100644 
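Review bot: The comment added above `gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);` in main() of ex-serv-export.c names only the benefit (no blocking on /dev/random) and not the cost: the control makes libgcrypt serve requests from its faster, lower-quality random level, and this example also defines `generate_rsa_params()`, which creates an RSA private key. Because readers copy these examples, I would extend the comment, e.g. `/* Trades random-number quality for start-up speed; leave this out where long-lived keys are generated. */`. The same call and comment are added to main() in ex-serv1.c and deserve the same wording. main() continues outside the hunk.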
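Review bot: In ex-serv-pgp.c the replacement landed on the wrong line: the hunk deletes `gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);` and keeps the old `gnutls_set_default_priority (session);` directly above the new call. Priorities are now set twice, and unless the credentials are attached somewhere outside this hunk the session has no certificate credentials, so the OpenPGP server example cannot complete an authenticated handshake. The intended edit is presumably `gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY);` in place of the old priority call, with `gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, cred);` left untouched after it. initialize_tls_session() starts and ends outside the hunk.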
--- a/doc/examples/ex-serv1.c +++ b/doc/examples/ex-serv1.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif @@ -12,6 +19,7 @@ #include <string.h> #include <unistd.h> #include <gnutls/gnutls.h> +#include <gcrypt.h> /* for gcry_control */ #define KEYFILE "key.pem" #define CERTFILE "cert.pem" @@ -39,17 +47,21 @@ initialize_tls_session (void) gnutls_init (&session, GNUTLS_SERVER); /* avoid calling all the priority functions, since the defaults - * are adequate. + * are adequate. Depending on the needs it could also be + * GNUTLS_PRIORITIES_PERFORMANCE. */ - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_SECURITY); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); /* request client certificate if any. */ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); - - gnutls_dh_set_prime_bits (session, DH_BITS); + + /* Set maximum compatibility mode. This is only suggested on public webservers + * that need to trade security for compatibility + */ + gnutls_session_enable_compatibility_mode( session); return session; } @@ -61,9 +73,11 @@ generate_dh_params (void) { /* Generate Diffie Hellman parameters - for use with DHE - * kx algorithms. These should be discarded and regenerated - * once a day, once a week or once a month. Depending on the - * security requirements. + * kx algorithms. When short bit length is used, it might + * be wise to regenerate parameters. + * + * Check the ex-serv-export.c example for using static + * parameters. */ gnutls_dh_params_init (&dh_params); gnutls_dh_params_generate2 (dh_params, DH_BITS); 
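Review bot: initialize_tls_session() in ex-serv1.c now calls `gnutls_session_enable_compatibility_mode( session);` unconditionally, although the comment added right above it says the mode is only suggested for public web servers that must trade security for compatibility. As this is the basic server example, I would leave the call out by default or show it commented out, and have the comment say what is relaxed (the NEWS entry in this commit mentions disabling record padding). The same hunk removes `gnutls_dh_set_prime_bits (session, DH_BITS);` without explanation; a short comment on why it is no longer wanted would help.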
@@ -84,6 +98,10 @@ main (void) char buffer[MAX_BUF + 1]; int optval = 1; + /* to disallow usage of the blocking /dev/random + */ + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + /* this must be called once in the program */ gnutls_global_init (); diff --git a/doc/examples/ex-session-info.c b/doc/examples/ex-session-info.c index a7b56fca9e..dded275152 100644 --- a/doc/examples/ex-session-info.c +++ b/doc/examples/ex-session-info.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/ex-verify.c b/doc/examples/ex-verify.c index 5429c6778c..c581458757 100644 --- a/doc/examples/ex-verify.c +++ b/doc/examples/ex-verify.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/ex-x509-info.c b/doc/examples/ex-x509-info.c index 9c8ab87e28..911d315d44 100644 --- a/doc/examples/ex-x509-info.c +++ b/doc/examples/ex-x509-info.c @@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/examples/tcp.c b/doc/examples/tcp.c index 5e9f2b74b3..1a46d9de9a 100644 --- a/doc/examples/tcp.c +++ b/doc/examples/tcp.c 
@@ -1,3 +1,10 @@ +/* Copyright 2007 Free Software Foundation + * + * Copying and distribution of this file, with or without modification, + * are permitted in any medium without royalty provided the copyright + * notice and this notice are preserved. + */ + #if HAVE_CONFIG_H # include <config.h> #endif diff --git a/doc/gnutls.texi b/doc/gnutls.texi index 406b9d4ae8..4127eee67a 100644 --- a/doc/gnutls.texi +++ b/doc/gnutls.texi @@ -869,6 +869,10 @@ To set whether client certificate is required or not. To initiate the handshake. @end table +Other functions include the @ref{gnutls_protocol_convert_priority}, +@ref{gnutls_cipher_convert_priority}, etc., that allow converting +priorities given in text format to the internal integer format. + @subsection TLS Cipher Suites The Handshake Protocol of @acronym{TLS} negotiates cipher suites of @@ -2289,6 +2293,7 @@ The following client is a very simple @acronym{SRP} @acronym{TLS} client which connects to a server and authenticates using a @emph{username} and a @emph{password}. The server may authenticate itself using a certificate, and in that case it has to be verified. +In this example we also show the usage of @ref{gnutls_kx_convert_priority}. @verbatiminclude examples/ex-client-srp.c diff --git a/doc/manpages/certtool.1 b/doc/manpages/certtool.1 index 169b461559..3183f24504 100644 --- a/doc/manpages/certtool.1 +++ b/doc/manpages/certtool.1 @@ -81,6 +81,10 @@ Some previous versions of certtool generated wrongly the optional parameters in a private key. This may affect programs that used them. To fix an old private key use \-\-key\-info in combination with this parameter. +.IP "\-\-v1" +When generating a certificate use the X.509 version 1 format. +This does not add any extensions (such as indication for a CA) +but some programs do need these. .SH EXAMPLES To create a private key, run: diff --git a/includes/gnutls/gnutls.h.in b/includes/gnutls/gnutls.h.in index b93f20f562..30dda5a331 100644 --- a/includes/gnutls/gnutls.h.in 
+++ b/includes/gnutls/gnutls.h.in @@ -69,6 +69,7 @@ extern "C" typedef enum gnutls_cipher_algorithm { + GNUTLS_CIPHER_UNKNOWN = 0, GNUTLS_CIPHER_NULL = 1, GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_3DES_CBC, @@ -83,6 +84,7 @@ extern "C" typedef enum { + GNUTLS_KX_UNKNOWN = 0, GNUTLS_KX_RSA = 1, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, @@ -149,6 +151,7 @@ extern "C" #define GNUTLS_COMP_ZLIB GNUTLS_COMP_DEFLATE typedef enum { + GNUTLS_COMP_UNKNOWN = 0, GNUTLS_COMP_NULL = 1, GNUTLS_COMP_DEFLATE, GNUTLS_COMP_LZO /* only available if gnutls-extra has @@ -162,6 +165,13 @@ extern "C" GNUTLS_CLIENT } gnutls_connection_end_t; + typedef enum + { + GNUTLS_PRIORITIES_PERFORMANCE=1, + GNUTLS_PRIORITIES_SECURITY=2, + GNUTLS_PRIORITIES_EXPORT=4 + } gnutls_priority_flag_t; + typedef enum { GNUTLS_AL_WARNING = 1, @@ -268,6 +278,7 @@ extern "C" typedef enum { + GNUTLS_CRT_UNKNOWN = 0, GNUTLS_CRT_X509 = 1, GNUTLS_CRT_OPENPGP } gnutls_certificate_type_t; @@ -380,6 +391,14 @@ extern "C" const char *gnutls_certificate_type_get_name (gnutls_certificate_type_t type); + gnutls_mac_algorithm_t gnutls_mac_get_id (const char* name); + gnutls_compression_method_t gnutls_compression_get_id (const char* name); + gnutls_cipher_algorithm_t gnutls_cipher_get_id (const char* name); + gnutls_kx_algorithm_t gnutls_kx_get_id (const char* name); + gnutls_protocol_t gnutls_protocol_get_id (const char* name); + gnutls_certificate_type_t gnutls_certificate_type_get_id (const char* name); + + /* list supported algorithms */ const gnutls_cipher_algorithm_t *gnutls_cipher_list (void); const gnutls_mac_algorithm_t *gnutls_mac_list (void); @@ -419,6 +438,10 @@ extern "C" #define gnutls_read gnutls_record_recv #define gnutls_write gnutls_record_send + void gnutls_session_enable_compatibility_mode (gnutls_session_t session); + + void gnutls_record_disable_padding (gnutls_session_t session); + int gnutls_record_get_direction (gnutls_session_t session); size_t gnutls_record_get_max_size (gnutls_session_t session); 
@@ -493,10 +516,33 @@ extern "C" int gnutls_certificate_type_set_priority (gnutls_session_t session, const int *list); + int gnutls_mac_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); + int gnutls_compression_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); + int gnutls_protocol_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); + int gnutls_kx_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); + int gnutls_cipher_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); + int gnutls_certificate_type_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep); + +#ifdef __GNUC__ + +#define _GNUTLS_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) + +#if _GNUTLS_GCC_VERSION >= 30100 +#define _GNUTLS_GCC_ATTR_DEPRECATED __attribute__ ((__deprecated__)) +#endif + +#endif /* __GNUC__ */ + +#ifndef _GNUTLS_GCC_ATTR_DEPRECATED +#define _GNUTLS_GCC_ATTR_DEPRECATED +#endif + + /* if you just want some defaults, use the following. */ - int gnutls_set_default_priority (gnutls_session_t session); - int gnutls_set_default_export_priority (gnutls_session_t session); + void gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t flag); + #define gnutls_set_default_priority(x) gnutls_set_default_priority2( x, GNUTLS_PRIORITIES_SECURITY) + #define gnutls_set_default_export_priority(x) gnutls_set_default_priority2( x, GNUTLS_PRIORITIES_EXPORT) /* Returns the name of a cipher suite */ const char *gnutls_cipher_suite_get_name (gnutls_kx_algorithm_t 
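Review bot: `gnutls_set_default_priority2()` is declared `void`, and the two compatibility macros map the old `int`-returning `gnutls_set_default_priority()` and `gnutls_set_default_export_priority()` onto it. Existing callers that test the result, such as `if (gnutls_set_default_priority (s) < 0)`, therefore stop compiling, and no caller can detect an unsupported `flag` value. Declaring the new function as `int gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t flag);` keeps the macros drop-in. `_GNUTLS_GCC_ATTR_DEPRECATED` is defined in this hunk but not applied to anything visible, while NEWS lists `gnutls_set_default_priority` as DEPRECATED. The six `*_convert_priority()` prototypes need a comment stating whether `out_priority_len` includes the terminating 0 and what the `int` result means.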
@@ -1224,7 +1270,7 @@ extern "C" #define GNUTLS_E_X509_UNKNOWN_SAN -62 #define GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED -94 #define GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE -95 -#define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96 +#define GNUTLS_E_UNKNOWN_ALGORITHM -96 #define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97 #define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98 #define GNUTLS_E_INVALID_PASSWORD -99 diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c index 6bca42be67..28fffe21d4 100644 --- a/lib/gnutls_algorithms.c +++ b/lib/gnutls_algorithms.c @@ -28,6 +28,8 @@ #include "gnutls_cert.h" #include <x509/common.h> + + /* Cred type mappings to KX algorithms * FIXME: The mappings are not 1-1. Some KX such as SRP_RSA require * more than one credentials type. @@ -114,10 +116,10 @@ typedef struct } gnutls_version_entry; static const gnutls_version_entry sup_versions[] = { - {"SSL 3.0", GNUTLS_SSL3, 3, 0, 1}, - {"TLS 1.0", GNUTLS_TLS1, 3, 1, 1}, - {"TLS 1.1", GNUTLS_TLS1_1, 3, 2, 1}, - {"TLS 1.2", GNUTLS_TLS1_2, 3, 3, 1}, + {"SSL3.0", GNUTLS_SSL3, 3, 0, 1}, + {"TLS1.0", GNUTLS_TLS1, 3, 1, 1}, + {"TLS1.1", GNUTLS_TLS1_1, 3, 2, 1}, + {"TLS1.2", GNUTLS_TLS1_2, 3, 3, 1}, {0, 0, 0, 0, 0} }; 
@@ -156,17 +158,17 @@ typedef struct gnutls_cipher_entry gnutls_cipher_entry; * protecting communications" by Hugo Krawczyk - CRYPTO 2001 */ static const gnutls_cipher_entry algorithms[] = { - {"AES 256 CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0}, - {"AES 128 CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0}, - {"3DES 168 CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0}, - {"DES CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0}, - {"ARCFOUR 128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0}, - {"ARCFOUR 40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1}, - {"RC2 40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1}, + {"AES-256-CBC", GNUTLS_CIPHER_AES_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0}, + {"AES-128-CBC", GNUTLS_CIPHER_AES_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0}, + {"3DES-CBC", GNUTLS_CIPHER_3DES_CBC, 8, 24, CIPHER_BLOCK, 8, 0}, + {"DES-CBC", GNUTLS_CIPHER_DES_CBC, 8, 8, CIPHER_BLOCK, 8, 0}, + {"ARCFOUR-128", GNUTLS_CIPHER_ARCFOUR_128, 1, 16, CIPHER_STREAM, 0, 0}, + {"ARCFOUR-40", GNUTLS_CIPHER_ARCFOUR_40, 1, 5, CIPHER_STREAM, 0, 1}, + {"RC2-40", GNUTLS_CIPHER_RC2_40_CBC, 8, 5, CIPHER_BLOCK, 8, 1}, #ifdef ENABLE_CAMELLIA - {"CAMELLIA 256 CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC, 16, 32, CIPHER_BLOCK, + {"CAMELLIA-256-CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC, 16, 32, CIPHER_BLOCK, 16, 0}, - {"CAMELLIA 128 CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC, 16, 16, CIPHER_BLOCK, + {"CAMELLIA-128-CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC, 16, 16, CIPHER_BLOCK, 16, 0}, #endif {"NULL", GNUTLS_CIPHER_NULL, 1, 0, CIPHER_STREAM, 0, 0}, @@ -208,7 +210,7 @@ struct gnutls_hash_entry typedef struct gnutls_hash_entry gnutls_hash_entry; static const gnutls_hash_entry hash_algorithms[] = { - {"SHA", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20}, + {"SHA1", HASH_OID_SHA1, GNUTLS_MAC_SHA1, 20}, {"MD5", HASH_OID_MD5, GNUTLS_MAC_MD5, 16}, {"SHA256", HASH_OID_SHA256, GNUTLS_MAC_SHA256, 32}, {"SHA384", HASH_OID_SHA384, GNUTLS_MAC_SHA384, 48}, 
@@ -305,22 +307,22 @@ typedef struct gnutls_kx_algo_entry gnutls_kx_algo_entry; static const gnutls_kx_algo_entry _gnutls_kx_algorithms[] = { #ifdef ENABLE_ANON - {"Anon DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0}, + {"ANON-DH", GNUTLS_KX_ANON_DH, &anon_auth_struct, 1, 0}, #endif {"RSA", GNUTLS_KX_RSA, &rsa_auth_struct, 0, 0}, - {"RSA EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, + {"RSA-EXPORT", GNUTLS_KX_RSA_EXPORT, &rsa_export_auth_struct, 0, 1 /* needs RSA params */ }, - {"DHE RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0}, - {"DHE DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0}, + {"DHE-RSA", GNUTLS_KX_DHE_RSA, &dhe_rsa_auth_struct, 1, 0}, + {"DHE-DSS", GNUTLS_KX_DHE_DSS, &dhe_dss_auth_struct, 1, 0}, #ifdef ENABLE_SRP - {"SRP DSS", GNUTLS_KX_SRP_DSS, &srp_dss_auth_struct, 0, 0}, - {"SRP RSA", GNUTLS_KX_SRP_RSA, &srp_rsa_auth_struct, 0, 0}, + {"SRP-DSS", GNUTLS_KX_SRP_DSS, &srp_dss_auth_struct, 0, 0}, + {"SRP-RSA", GNUTLS_KX_SRP_RSA, &srp_rsa_auth_struct, 0, 0}, {"SRP", GNUTLS_KX_SRP, &srp_auth_struct, 0, 0}, #endif #ifdef ENABLE_PSK {"PSK", GNUTLS_KX_PSK, &psk_auth_struct, 0, 0}, - {"DHE PSK", GNUTLS_KX_DHE_PSK, &dhe_psk_auth_struct, + {"DHE-PSK", GNUTLS_KX_DHE_PSK, &dhe_psk_auth_struct, 1 /* needs DHE params */ , 0}, #endif {0, 0, 0, 0, 0} @@ -652,7 +654,7 @@ static const gnutls_cipher_suite_entry cs_algorithms[] = { /* Generic Functions */ -inline int +int _gnutls_mac_priority (gnutls_session_t session, gnutls_mac_algorithm_t algorithm) { /* actually returns the priority */ 
@@ -684,6 +686,26 @@ gnutls_mac_get_name (gnutls_mac_algorithm_t algorithm) } /** + * gnutls_mac_get_id - Returns the gnutls id of the specified in string algorithm + * @algorithm: is a MAC algorithm name + * + * Returns an id of the specified in a string MAC algorithm. The names are + * compared in a case insensitive way. + * + * Returns GNUTLS_MAC_UNKNOWN on error. + * + **/ +gnutls_mac_algorithm_t +gnutls_mac_get_id (const char* name) +{ + gnutls_mac_algorithm_t ret = GNUTLS_MAC_UNKNOWN; + + GNUTLS_HASH_LOOP( if (strcasecmp( p->name, name)==0) ret = p->id); + + return ret; +} + +/** * gnutls_mac_get_key_size - Returns the length of the MAC's key size * @algorithm: is an encryption algorithm * @@ -760,7 +782,7 @@ _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm) } /* Compression Functions */ -inline int +int _gnutls_compression_priority (gnutls_session_t session, gnutls_compression_method_t algorithm) { /* actually returns the priority */ @@ -794,6 +816,26 @@ gnutls_compression_get_name (gnutls_compression_method_t algorithm) } /** + * gnutls_compression_get_id - Returns the gnutls id of the specified in string algorithm + * @algorithm: is a compression method name + * + * Returns an id of the specified in a string compression method. The names are + * compared in a case insensitive way. + * + * Returns GNUTLS_COMP_UNKNOWN on error. + * + **/ +gnutls_compression_method_t +gnutls_compression_get_id (const char* name) +{ + gnutls_compression_method_t ret = GNUTLS_COMP_UNKNOWN; + + GNUTLS_COMPRESSION_LOOP( if (strcasecmp( p->name+sizeof("GNUTLS_COMP_")-1, name)==0) ret = p->id); + + return ret; +} + +/** * gnutls_compression_list: * * Get a list of compression methods. Note that to be able to use LZO @@ -888,7 +930,7 @@ _gnutls_cipher_get_block_size (gnutls_cipher_algorithm_t algorithm) } /* returns the priority */ -inline int +int _gnutls_cipher_priority (gnutls_session_t session, gnutls_cipher_algorithm_t algorithm) { 
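Review bot: The doc comment added for `gnutls_mac_get_id` documents `@algorithm`, but the parameter is `name`, and it does not say what happens when `name` is NULL, which is passed straight to `strcasecmp`. Use `@name: is a MAC algorithm name`, and either state that `name` must be non-NULL or add `if (name == NULL) return GNUTLS_MAC_UNKNOWN;` before the loop. The same `@algorithm` tag is repeated on `gnutls_compression_get_id`, `gnutls_cipher_get_id` (which also calls its argument a MAC algorithm name), `gnutls_kx_get_id` and `gnutls_protocol_get_id` in the later hunks.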
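Review bot: `gnutls_compression_get_id` compares against `p->name+sizeof("GNUTLS_COMP_")-1`, which stays in bounds only if every entry in the compression table stores its name with that prefix. The table is not part of this hunk, so that is an assumption to confirm. A comment on the loop, such as `/* table names carry the GNUTLS_COMP_ prefix; skip it before comparing */`, would keep a later table edit from turning this into a read past the end of a shorter string.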
@@ -968,6 +1010,26 @@ gnutls_cipher_get_name (gnutls_cipher_algorithm_t algorithm) } /** + * gnutls_cipher_get_id - Returns the gnutls id of the specified in string algorithm + * @algorithm: is a MAC algorithm name + * + * Returns an id of the specified cipher. The names are + * compared in a case insensitive way. + * + * Returns GNUTLS_CIPHER_UNKNOWN on error. + * + **/ +gnutls_cipher_algorithm_t +gnutls_cipher_get_id (const char* name) +{ + gnutls_cipher_algorithm_t ret = GNUTLS_CIPHER_UNKNOWN; + + GNUTLS_LOOP( if (strcasecmp( p->name, name)==0) ret = p->id); + + return ret; +} + +/** * gnutls_cipher_list: * * Get a list of supported cipher algorithms. Note that not @@ -1009,7 +1071,7 @@ _gnutls_kx_auth_struct (gnutls_kx_algorithm_t algorithm) } -inline int +int _gnutls_kx_priority (gnutls_session_t session, gnutls_kx_algorithm_t algorithm) { @@ -1041,6 +1103,26 @@ gnutls_kx_get_name (gnutls_kx_algorithm_t algorithm) } /** + * gnutls_kx_get_id - Returns the gnutls id of the specified in string algorithm + * @algorithm: is a KX name + * + * Returns an id of the specified KX algorithm. The names are + * compared in a case insensitive way. + * + * Returns GNUTLS_KX_UNKNOWN on error. + * + **/ +gnutls_kx_algorithm_t +gnutls_kx_get_id (const char* name) +{ + gnutls_cipher_algorithm_t ret = GNUTLS_KX_UNKNOWN; + + GNUTLS_KX_LOOP( if (strcasecmp( p->name, name)==0) ret = p->algorithm); + + return ret; +} + +/** * gnutls_kx_list: * * Get a list of supported key exchange algorithms. 
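Review bot: In `gnutls_kx_get_id` the result variable is declared `gnutls_cipher_algorithm_t ret = GNUTLS_KX_UNKNOWN;`, although the function returns `gnutls_kx_algorithm_t` and assigns `p->algorithm` from the key-exchange table. This looks like a copy from `gnutls_cipher_get_id` in the hunk before it and presumably compiles only through implicit conversion between the two types. Declare it as `gnutls_kx_algorithm_t ret = GNUTLS_KX_UNKNOWN;`.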
@@ -1167,6 +1249,26 @@ gnutls_protocol_get_name (gnutls_protocol_t version) } /** + * gnutls_protocol_get_id - Returns the gnutls id of the specified in string protocol + * @algorithm: is a protocol name + * + * Returns an id of the specified protocol. The names are + * compared in a case insensitive way. + * + * Returns GNUTLS_VERSION_UNKNOWN on error. + * + **/ +gnutls_protocol_t +gnutls_protocol_get_id (const char* name) +{ + gnutls_protocol_t ret = GNUTLS_VERSION_UNKNOWN; + + GNUTLS_VERSION_LOOP( if (strcasecmp( p->name, name)==0) ret = p->id); + + return ret; +} + +/** * gnutls_protocol_list: * * Get a list of supported protocols, e.g. SSL 3.0, TLS 1.0 etc. @@ -1385,7 +1487,7 @@ gnutls_cipher_suite_info (size_t idx, } -inline static int +static inline int _gnutls_cipher_suite_is_ok (cipher_suite_st * suite) { size_t ret; @@ -1405,7 +1507,7 @@ _gnutls_cipher_suite_is_ok (cipher_suite_st * suite) memcpy(y,tmp,size); #define MAX_ELEM_SIZE 4 -inline static int +static inline int _gnutls_partition (gnutls_session_t session, void *_base, size_t nmemb, size_t size, int (*compar) (gnutls_session_t, @@ -1746,6 +1848,29 @@ gnutls_certificate_type_get_name (gnutls_certificate_type_t type) return ret; } +/** + * gnutls_certificate_type_get_id - Returns the gnutls id of the specified in string type + * @name: is a certificate type name + * + * Returns an id of the specified in a string certificate type. The names are + * compared in a case insensitive way. + * + * Returns GNUTLS_CRT_UNKNOWN on error. + * + **/ +gnutls_certificate_type_t +gnutls_certificate_type_get_id (const char* name) +{ + gnutls_certificate_type_t ret = GNUTLS_CRT_UNKNOWN; + + if (strcasecmp( name, "X.509")==0 || strcasecmp( name, "X509")==0) + return GNUTLS_CRT_X509; + if (strcasecmp( name, "OPENPGP")==0) + return GNUTLS_CRT_OPENPGP; + + return ret; +} + static const gnutls_certificate_type_t supported_certificate_types[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index 979b195014..63e864578f 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h @@ -40,8 +40,6 @@ gnutls_protocol_t _gnutls_version_get (int major, int minor); /* Functions for MACs. */ int _gnutls_mac_is_ok (gnutls_mac_algorithm_t algorithm); -int _gnutls_mac_priority (gnutls_session_t session, - gnutls_mac_algorithm_t algorithm); gnutls_mac_algorithm_t _gnutls_x509_oid2mac_algorithm (const char *oid); const char *_gnutls_x509_mac_to_oid (gnutls_mac_algorithm_t mac); @@ -67,8 +65,6 @@ cipher_suite_st _gnutls_cipher_suite_get_suite_name (cipher_suite_st * algorithm); /* Functions for ciphers. */ -int _gnutls_cipher_priority (gnutls_session_t session, - gnutls_cipher_algorithm_t algorithm); int _gnutls_cipher_get_block_size (gnutls_cipher_algorithm_t algorithm); int _gnutls_cipher_is_block (gnutls_cipher_algorithm_t algorithm); int _gnutls_cipher_is_ok (gnutls_cipher_algorithm_t algorithm); @@ -76,16 +72,12 @@ int _gnutls_cipher_get_iv_size (gnutls_cipher_algorithm_t algorithm); int _gnutls_cipher_get_export_flag (gnutls_cipher_algorithm_t algorithm); /* Functions for key exchange. */ -int _gnutls_kx_priority (gnutls_session_t session, - gnutls_kx_algorithm_t algorithm); int _gnutls_kx_needs_dh_params (gnutls_kx_algorithm_t algorithm); int _gnutls_kx_needs_rsa_params (gnutls_kx_algorithm_t algorithm); mod_auth_st *_gnutls_kx_auth_struct (gnutls_kx_algorithm_t algorithm); int _gnutls_kx_is_ok (gnutls_kx_algorithm_t algorithm); /* Functions for compression. */ -int _gnutls_compression_priority (gnutls_session_t session, - gnutls_compression_method_t algorithm); int _gnutls_compression_is_ok (gnutls_compression_method_t algorithm); int _gnutls_compression_get_num (gnutls_compression_method_t algorithm); gnutls_compression_method_t _gnutls_compression_get_id (int num); 
@@ -131,4 +123,13 @@ gnutls_sign_algorithm_t _gnutls_x509_pk_to_sign (gnutls_pk_algorithm_t pk, const char *_gnutls_x509_sign_to_oid (gnutls_pk_algorithm_t, gnutls_mac_algorithm_t mac); +int _gnutls_mac_priority (gnutls_session_t session, + gnutls_mac_algorithm_t algorithm); +int _gnutls_cipher_priority (gnutls_session_t session, + gnutls_cipher_algorithm_t algorithm); +int _gnutls_kx_priority (gnutls_session_t session, + gnutls_kx_algorithm_t algorithm); +int _gnutls_compression_priority (gnutls_session_t session, + gnutls_compression_method_t algorithm); + #endif diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index 7d434caba1..2b84575405 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -882,42 +882,6 @@ _gnutls_io_write_buffered (gnutls_session_t session, } -/* This is exactly like write_buffered, but will use two buffers to read - * from. - */ -ssize_t -_gnutls_io_write_buffered2 (gnutls_session_t session, - const void *iptr, size_t n, - const void *iptr2, size_t n2) -{ - - if (n == 0) - { - return _gnutls_io_write_buffered (session, iptr2, n2); - } - else - { - opaque *sptr; - ssize_t ret; - - sptr = gnutls_alloca (n + n2); - if (sptr == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy (sptr, iptr, n); - memcpy (&sptr[n], iptr2, n2); - - ret = _gnutls_io_write_buffered (session, sptr, n + n2); - gnutls_afree (sptr); - - return ret; - } -} - - /* This function writes the data that are left in the * TLS write buffer (ie. because the previous write was * interrupted. diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c index 62203b3100..d01d6a0fdc 100644 --- a/lib/gnutls_errors.c +++ b/lib/gnutls_errors.c 
@@ -216,8 +216,8 @@ static const gnutls_error_entry error_algorithms[] = { GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE, 1), ERROR_ENTRY (N_("The OID is not supported."), GNUTLS_E_X509_UNSUPPORTED_OID, 1), - ERROR_ENTRY (N_("The hash algorithm is unknown."), - GNUTLS_E_UNKNOWN_HASH_ALGORITHM, 1), + ERROR_ENTRY (N_("The specified algorithm or protocol is unknown."), + GNUTLS_E_UNKNOWN_ALGORITHM, 1), ERROR_ENTRY (N_("The PKCS structure's content type is unknown."), GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE, 1), ERROR_ENTRY (N_("The PKCS structure's bag type is unknown."), diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index e0edd162b8..fa401403fc 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -458,6 +458,9 @@ typedef struct /* sockets internals */ int lowat; + + /* to disable record padding */ + int no_padding; /* These buffers are used in the handshake * protocol only. freed using _gnutls_handshake_io_buffer_clear(); diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c index ab76cca865..7193f10e13 100644 --- a/lib/gnutls_priority.c +++ b/lib/gnutls_priority.c @@ -36,7 +36,7 @@ * @list: is a 0 terminated list of gnutls_cipher_algorithm_t elements. * * Sets the priority on the ciphers supported by gnutls. - * Priority is higher for ciphers specified before others. + * Priority is higher for elements specified before others. * After specifying the ciphers you want, you must append a 0. * Note that the priority is set on the client. The server does * not use the algorithm's priority except for disabling 
@@ -70,7 +70,7 @@ gnutls_cipher_set_priority (gnutls_session_t session, const int *list) * @list: is a 0 terminated list of gnutls_kx_algorithm_t elements. * * Sets the priority on the key exchange algorithms supported by gnutls. - * Priority is higher for algorithms specified before others. + * Priority is higher for elements specified before others. * After specifying the algorithms you want, you must append a 0. * Note that the priority is set on the client. The server does * not use the algorithm's priority except for disabling @@ -104,7 +104,7 @@ gnutls_kx_set_priority (gnutls_session_t session, const int *list) * @list: is a 0 terminated list of gnutls_mac_algorithm_t elements. * * Sets the priority on the mac algorithms supported by gnutls. - * Priority is higher for algorithms specified before others. + * Priority is higher for elements specified before others. * After specifying the algorithms you want, you must append a 0. * Note that the priority is set on the client. The server does * not use the algorithm's priority except for disabling @@ -138,7 +138,7 @@ gnutls_mac_set_priority (gnutls_session_t session, const int *list) * @list: is a 0 terminated list of gnutls_compression_method_t elements. * * Sets the priority on the compression algorithms supported by gnutls. - * Priority is higher for algorithms specified before others. + * Priority is higher for elements specified before others. * After specifying the algorithms you want, you must append a 0. * Note that the priority is set on the client. The server does * not use the algorithm's priority except for disabling 
@@ -212,7 +212,7 @@ gnutls_protocol_set_priority (gnutls_session_t session, const int *list) * @list: is a 0 terminated list of gnutls_certificate_type_t elements. * * Sets the priority on the certificate types supported by gnutls. - * Priority is higher for types specified before others. + * Priority is higher for elements specified before others. * After specifying the types you want, you must append a 0. * Note that the certificate type priority is set on the client. * The server does not use the cert type priority except for disabling 
@@ -249,8 +249,127 @@ gnutls_certificate_type_set_priority (gnutls_session_t session, #endif } +static const int protocol_priority[] = { + /* GNUTLS_TLS1_2, -- not finalized yet! */ + GNUTLS_TLS1_1, + GNUTLS_TLS1_0, + GNUTLS_SSL3, + 0 +}; + +static const int kx_priority_performance[] = { + GNUTLS_KX_RSA, + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, + GNUTLS_KX_PSK, + GNUTLS_KX_DHE_PSK, + GNUTLS_KX_SRP_RSA, + GNUTLS_KX_SRP_DSS, + GNUTLS_KX_SRP, + /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add! + * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add! + */ + 0 +}; + +static const int kx_priority_export[] = { + GNUTLS_KX_RSA, + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, + GNUTLS_KX_PSK, + GNUTLS_KX_DHE_PSK, + GNUTLS_KX_SRP_RSA, + GNUTLS_KX_SRP_DSS, + GNUTLS_KX_SRP, + GNUTLS_KX_RSA_EXPORT, + 0 +}; + +static const int kx_priority_security[] = { + /* The ciphersuites that offer forward secrecy take + * precendance + */ + GNUTLS_KX_DHE_RSA, + GNUTLS_KX_DHE_DSS, + GNUTLS_KX_DHE_PSK, + GNUTLS_KX_SRP_RSA, + GNUTLS_KX_SRP_DSS, + GNUTLS_KX_RSA, + GNUTLS_KX_PSK, + GNUTLS_KX_SRP, + /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add! + * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add! + */ + 0 +}; + +static const int cipher_priority_performance[] = { + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_AES_128_CBC, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_128_CBC, +#endif + GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_3DES_CBC, + /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ + 0 +}; + + +static const int cipher_priority_security[] = { + GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_AES_128_CBC, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_128_CBC, +#endif + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_ARCFOUR_128, + /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! 
*/ + 0 +}; + +static const int cipher_priority_export[] = { + GNUTLS_CIPHER_ARCFOUR_128, + GNUTLS_CIPHER_AES_128_CBC, +#ifdef ENABLE_CAMELLIA + GNUTLS_CIPHER_CAMELLIA_128_CBC, +#endif + GNUTLS_CIPHER_AES_256_CBC, + GNUTLS_CIPHER_3DES_CBC, + GNUTLS_CIPHER_ARCFOUR_40, + 0 +}; + +static const int comp_priority[] = { + /* compression should be explicitely requested to be enabled */ + GNUTLS_COMP_NULL, + 0 +}; + + +static const int mac_priority_performance[] = { + GNUTLS_MAC_MD5, + GNUTLS_MAC_SHA1, + 0 +}; + +static const int mac_priority_security[] = { + GNUTLS_MAC_SHA1, + GNUTLS_MAC_MD5, + 0 +}; + +#define mac_priority_export mac_priority_security + +static int cert_type_priority[] = { + GNUTLS_CRT_X509, + GNUTLS_CRT_OPENPGP, + 0 +}; + + /** - * gnutls_set_default_priority - Sets some default priority on the cipher suites supported by gnutls. + * gnutls_set_default_priority2 - Sets some default priority on the cipher suites supported by gnutls. * @session: is a #gnutls_session_t structure. * * Sets some default priority on the ciphers, key exchange methods, 
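Review bot: `mac_priority_performance` lists `GNUTLS_MAC_MD5` before `GNUTLS_MAC_SHA1`, and `cipher_priority_performance` lists `GNUTLS_CIPHER_ARCFOUR_128` before the AES entries, but neither table has a comment saying what the profile trades away. `kx_priority_security` explains its ordering and the export tables are named for what they admit, so the performance tables should get the same treatment. A comment above each would do, for example `/* performance profile: ordered by speed, so MD5 and ARCFOUR are preferred over SHA1 and AES */`. A caller who picks `GNUTLS_PRIORITIES_PERFORMANCE` would then see the consequence in the source.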
@@ -260,125 +379,410 @@ gnutls_certificate_type_set_priority (gnutls_session_t session, * appropriate functions. * * The default order is: - * Protocols: TLS 1.2, TLS 1.1, TLS 1.0, and SSL3. - * Key exchange algorithm: DHE-PSK, PSK, SRP-RSA, SRP-DSS, SRP, - * DHE-RSA, DHE-DSS, RSA. - * Cipher: AES_256_CBC, AES_128_CBC, 3DES_CBC, CAMELLIA_128_CBC, - * and ARCFOUR_128. - * MAC algorithm: SHA, and MD5. + * Protocols: TLS 1.1, TLS 1.0, and SSL3. + * Compression: NULL. * Certificate types: X.509, OpenPGP - * Compression: DEFLATE, NULL. + * + * When performance is requested the fastest ciphers and key exchange + * methods are used, whilst in security, the most conservative options + * are set. * * Returns 0 on success. * **/ -int -gnutls_set_default_priority (gnutls_session_t session) +void +gnutls_set_default_priority2 (gnutls_session_t session, gnutls_priority_flag_t flag) { - static const int protocol_priority[] = { - /* GNUTLS_TLS1_2, -- not finalized yet! */ - GNUTLS_TLS1_1, - GNUTLS_TLS1_0, - GNUTLS_SSL3, - 0 - }; - static const int kx_priority[] = { - GNUTLS_KX_DHE_PSK, - GNUTLS_KX_PSK, - GNUTLS_KX_SRP_RSA, - GNUTLS_KX_SRP_DSS, - GNUTLS_KX_SRP, - GNUTLS_KX_DHE_RSA, - GNUTLS_KX_DHE_DSS, - GNUTLS_KX_RSA, - /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add! - * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add! - */ - 0 - }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, - GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, -#ifdef ENABLE_CAMELLIA - GNUTLS_CIPHER_CAMELLIA_128_CBC, -#endif - GNUTLS_CIPHER_ARCFOUR_128, - /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */ - 0 - }; - static const int comp_priority[] = { - /* GNUTLS_COMP_LZO: Not standardized, don't add! 
*/ - GNUTLS_COMP_DEFLATE, - GNUTLS_COMP_NULL, - 0 - }; - static const int mac_priority[] = { - GNUTLS_MAC_SHA1, - GNUTLS_MAC_MD5, - 0 - }; - static int cert_type_priority[] = { - GNUTLS_CRT_X509, - GNUTLS_CRT_OPENPGP, - 0 - }; - - gnutls_cipher_set_priority (session, cipher_priority); - gnutls_compression_set_priority (session, comp_priority); - gnutls_kx_set_priority (session, kx_priority); + + if (flag == GNUTLS_PRIORITIES_PERFORMANCE) { + gnutls_cipher_set_priority (session, cipher_priority_performance); + gnutls_kx_set_priority (session, kx_priority_performance); + gnutls_mac_set_priority (session, mac_priority_performance); + } else if (flag == GNUTLS_PRIORITIES_SECURITY) { + gnutls_cipher_set_priority (session, cipher_priority_security); + gnutls_kx_set_priority (session, kx_priority_security); + gnutls_mac_set_priority (session, mac_priority_security); + } else if (flag == GNUTLS_PRIORITIES_EXPORT) { + gnutls_cipher_set_priority (session, cipher_priority_export); + gnutls_kx_set_priority (session, kx_priority_export); + gnutls_mac_set_priority (session, mac_priority_export); + } + gnutls_protocol_set_priority (session, protocol_priority); - gnutls_mac_set_priority (session, mac_priority); + gnutls_compression_set_priority (session, comp_priority); gnutls_certificate_type_set_priority (session, cert_type_priority); - return 0; + return; +} + +/* New priority API with strings + */ + +/* Breaks a list of "xxx", "yyy", to a character array, of + * MAX_COMMA_SEP_ELEMENTS size; Note that the given string is modified. + */ +static void break_comma_list(char *etag, + char **broken_etag, int* elements, int max_elements, + char sep) +{ + char *p = etag; + if (sep == 0) sep = ','; + + *elements = 0; + + do { + broken_etag[*elements] = p; + + (*elements)++; + + p = strchr(p, sep); + if (p) { + *p = 0; + p++; /* move to next entry and skip white + * space. 
+ */ + while (*p == ' ') + p++; + } + } while (p != NULL && *elements < max_elements); } +#if defined(__STDC_VERSION__) && __STD_VERSION__ > 199901L +#define _GNUTLS_MAX_PRIO (out_priority_len-1) +#define _GNUTLS_MAX_PRIO_CHECK(x) +#else +#define _GNUTLS_MAX_PRIO 256 +#define _GNUTLS_MAX_PRIO_CHECK(x) if (x>255) return GNUTLS_E_INVALID_REQUEST +#endif + /** - * gnutls_set_default_export_priority - Sets some default priority on the cipher suites supported by gnutls. - * @session: is a #gnutls_session_t structure. + * gnutls_mac_convert_priority - Converts the priority on the MAC algorithms supported by gnutls. + * @out_priority: is a list of integers to copy priorities to + * @out_priority_len: is the maximum number of integers the previous list can hold + * @prio: is a separated list of algorithms + * @sep: is the separator of the previous list, if zero comma is assumed + * + * Converts the priority on the MAC algorithms supported by gnutls to + * internal integer format + * Priority is higher for elements specified before others. + * Note that the priority is set on the client. The server does + * not use the algorithm's priority except for disabling + * algorithms that were not specified. * - * Sets some default priority on the ciphers, key exchange methods, macs - * and compression methods. This is to avoid using the gnutls_*_priority() functions, if - * these defaults are ok. This function also includes weak algorithms. - * The order is TLS1, SSL3 for protocols, RSA, DHE_DSS, - * DHE_RSA, RSA_EXPORT for key exchange algorithms. - * SHA, MD5, RIPEMD160 for MAC algorithms, - * AES_256_CBC, AES_128_CBC, 3DES_CBC, CAMELLIA_128_CBC, - * ARCFOUR_128, ARCFOUR_40 for ciphers. + * The supported algorithms are: MD5, SHA1 * * Returns 0 on success. 
* **/ int -gnutls_set_default_export_priority (gnutls_session_t session) +gnutls_mac_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep) { - static const int protocol_priority[] = { - GNUTLS_TLS1, GNUTLS_SSL3, 0 - }; - static const int kx_priority[] = { - GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA, - GNUTLS_KX_RSA_EXPORT, 0 - }; - static const int cipher_priority[] = { - GNUTLS_CIPHER_AES_256_CBC, - GNUTLS_CIPHER_AES_128_CBC, - GNUTLS_CIPHER_3DES_CBC, -#ifdef ENABLE_CAMELLIA - GNUTLS_CIPHER_CAMELLIA_128_CBC, -#endif - GNUTLS_CIPHER_ARCFOUR_128, - GNUTLS_CIPHER_ARCFOUR_40, 0 - }; - static const int comp_priority[] = { GNUTLS_COMP_NULL, 0 }; - static const int mac_priority[] = - { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; - - gnutls_cipher_set_priority (session, cipher_priority); - gnutls_compression_set_priority (session, comp_priority); - gnutls_kx_set_priority (session, kx_priority); - gnutls_protocol_set_priority (session, protocol_priority); - gnutls_mac_set_priority (session, mac_priority); + char *broken_list[_GNUTLS_MAX_PRIO]; + int broken_list_size, i, j; + char* darg; + int ret; + + _GNUTLS_MAX_PRIO_CHECK(out_priority_len); + + darg = gnutls_strdup( prio); + if (darg == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - return 0; + break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep); + + j = 0; + for (i=0;i<broken_list_size;i++) { + ret = gnutls_mac_get_id( broken_list[i]); + if (ret != GNUTLS_MAC_UNKNOWN) { + out_priority[j++] = ret; + continue; + } + + _gnutls_debug_log( "MAC algorithm %s is not known\n", broken_list[i]); + + gnutls_free(darg); + return GNUTLS_E_UNKNOWN_ALGORITHM; + } + out_priority[j] = 0; + + gnutls_free(darg); + return 0; +} + +/** + * gnutls_certificate_type_convert_priority - Converts the priority on the certificate types supported by gnutls. 
+ * @out_priority: is a list of integers to copy priorities to + * @out_priority_len: is the maximum number of integers the previous list can hold + * @prio: is a separated list of algorithms + * @sep: is the separator of the previous list, if zero comma is assumed + * + * Converts the priority on the Certificate types supported by gnutls to + * internal integer format + * Priority is higher for elements specified before others. + * Note that the priority is set on the client. The server does + * not use the algorithm's priority except for disabling + * algorithms that were not specified. + * + * The supported types are: X.509, OPENPGP + * + * Returns 0 on success. + * + **/ +int +gnutls_certificate_type_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep) +{ + char *broken_list[_GNUTLS_MAX_PRIO]; + int broken_list_size, i, j, ret; + char* darg; + + _GNUTLS_MAX_PRIO_CHECK(out_priority_len); + + darg = gnutls_strdup( prio); + if (darg == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep); + + j = 0; + for (i=0;i<broken_list_size;i++) { + ret = gnutls_certificate_type_get_id( broken_list[i]); + if (ret != GNUTLS_CRT_UNKNOWN) { + out_priority[j++] = ret; + continue; + } + + _gnutls_debug_log("Certificate type %s is not known\n", broken_list[i]); + gnutls_free(darg); + return GNUTLS_E_UNKNOWN_ALGORITHM; + } + out_priority[j] = 0; + + gnutls_free(darg); + return 0; +} + +/** + * gnutls_compression_convert_priority - Converts the priority on the compression methods supported by gnutls. 
+ * @out_priority: is a list of integers to copy priorities to + * @out_priority_len: is the maximum number of integers the previous list can hold + * @prio: is a separated list of algorithms + * @sep: is the separator of the previous list, if zero comma is assumed + * + * Converts the priority on the ciphers supported by gnutls to + * internal integer format + * Priority is higher for elements specified before others. + * Note that the priority is set on the client. The server does + * not use the algorithm's priority except for disabling + * algorithms that were not specified. + * + * The supported methods are: NULL, DEFLATE, LZO + * + * Returns 0 on success. + * + **/ +int +gnutls_compression_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep) +{ + char *broken_list[_GNUTLS_MAX_PRIO]; + int broken_list_size, i, j; + char* darg; + int ret; + + _GNUTLS_MAX_PRIO_CHECK(out_priority_len); + + darg = gnutls_strdup( prio); + if (darg == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep); + + j = 0; + for (i=0;i<broken_list_size;i++) { + ret = gnutls_compression_get_id( broken_list[i]); + if (ret != GNUTLS_COMP_UNKNOWN) { + out_priority[j++] = ret; + continue; + } + + _gnutls_debug_log( "Compression algorithm %s is not known\n", broken_list[i]); + gnutls_free(darg); + return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM; + } + out_priority[j] = 0; + + gnutls_free(darg); + return 0; +} + +/** + * gnutls_protocol_convert_priority - Converts the priority on the protocols supported by gnutls. 
+ * @out_priority: is a list of integers to copy priorities to + * @out_priority_len: is the maximum number of integers the previous list can hold + * @prio: is a separated list of algorithms + * @sep: is the separator of the previous list, if zero comma is assumed + * + * Converts the priority on the protocols supported by gnutls to + * internal integer format + * Priority is higher for elements specified before others. + * Note that the priority is set on the client. The server does + * not use the algorithm's priority except for disabling + * algorithms that were not specified. + * + * The supported protocols are: TLS1.0, TLS1.1, TLS1.2, SSL3.0 + * + * Returns 0 on success. + * + **/ +int +gnutls_protocol_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep) +{ + char *broken_list[_GNUTLS_MAX_PRIO]; + int broken_list_size, i, j; + char* darg; + int ret; + + _GNUTLS_MAX_PRIO_CHECK(out_priority_len); + + darg = gnutls_strdup( prio); + if (darg == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep); + + j = 0; + for (i=0;i<broken_list_size;i++) { + ret = gnutls_compression_get_id( broken_list[i]); + if (ret != GNUTLS_VERSION_UNKNOWN) { + out_priority[j++] = ret; + continue; + } + + _gnutls_debug_log( "Protocol %s is not known\n", broken_list[i]); + gnutls_free(darg); + return GNUTLS_E_UNKNOWN_ALGORITHM; + } + out_priority[j] = 0; + + gnutls_free(darg); + return 0; +} + +/** + * gnutls_kx_convert_priority - Converts the priority on the key exchange algorithms supported by gnutls. 
+ * @out_priority: is a list of integers to copy priorities to + * @out_priority_len: is the maximum number of integers the previous list can hold + * @prio: is a separated list of algorithms + * @sep: is the separator of the previous list, if zero comma is assumed + * + * Converts the priority on the key exchange algorithms supported by gnutls to + * internal integer format + * Priority is higher for elements specified before others. + * Note that the priority is set on the client. The server does + * not use the algorithm's priority except for disabling + * algorithms that were not specified. + * + * The supported algorithms are: RSA, DHE-DSS, DHE-RSA, ANON-DH, RSA-EXPORT, + * SRP, SRP-DSS, SRP-RSA, PSK, DHE-PSK + * + * Returns 0 on success. + * + **/ +int +gnutls_kx_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep) +{ + char *broken_list[_GNUTLS_MAX_PRIO]; + int broken_list_size, i, j; + char* darg; + int ret; + + _GNUTLS_MAX_PRIO_CHECK(out_priority_len); + + darg = gnutls_strdup( prio); + if (darg == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep); + + j = 0; + for (i=0;i<broken_list_size;i++) { + ret = gnutls_kx_get_id( broken_list[i]); + if (ret != GNUTLS_KX_UNKNOWN) { + out_priority[j++] = ret; + continue; + } + + _gnutls_debug_log( "Key exchange algorithm %s is not known\n", broken_list[i]); + gnutls_free(darg); + return GNUTLS_E_UNKNOWN_ALGORITHM; + } + out_priority[j] = 0; + + gnutls_free(darg); + return 0; +} + +/** + * gnutls_cipher_convert_priority - Converts the priority on the ciphers supported by gnutls. 
+ * @out_priority: is a list of integers to copy priorities to + * @out_priority_len: is the maximum number of integers the previous list can hold + * @prio: is a separated list of algorithms + * @sep: is the separator of the previous list, if zero comma is assumed + * + * Converts the priority on the ciphers supported by gnutls to + * internal integer format. + * Priority is higher for ciphers specified before others. + * Note that the priority is set on the client. The server does + * not use the algorithm's priority except for disabling + * algorithms that were not specified. + * + * The supported algorithms are: NULL, ARCFOUR-128, ARCFOUR-40, 3DES-CBC, + * AES-128-CBC, AES-256-CBC, CAMELIA-128-CBC, CAMELIA-256-CBC + * + * Returns 0 on success. + * + **/ +int +gnutls_cipher_convert_priority (int* out_priority, int out_priority_len, const char *prio, char sep) +{ + char *broken_list[_GNUTLS_MAX_PRIO]; + int broken_list_size, i, j; + char* darg; + int ret; + + _GNUTLS_MAX_PRIO_CHECK(out_priority_len); + + darg = gnutls_strdup( prio); + if (darg == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + break_comma_list(darg, broken_list, &broken_list_size, out_priority_len-1, sep); + + j = 0; + for (i=0;i<broken_list_size;i++) { + ret = gnutls_cipher_get_id( broken_list[i]); + if (ret != GNUTLS_CIPHER_UNKNOWN) { + out_priority[j++] = ret; + continue; + } + + _gnutls_debug_log( "Cipher %s is not known\n", broken_list[i]); + gnutls_free(darg); + return GNUTLS_E_UNKNOWN_ALGORITHM; + } + out_priority[j] = 0; + + gnutls_free(darg); + return 0; } diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index 0db66a9163..4c1cbb10cf 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c 
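Review bot: `gnutls_protocol_convert_priority` looks each token up with `gnutls_compression_get_id( broken_list[i])` and then compares the result with `GNUTLS_VERSION_UNKNOWN`, so protocol names such as "TLS1.1" are matched against the compression table rather than the version table. The line should read `ret = gnutls_protocol_get_id( broken_list[i]);`. In all six converters `_GNUTLS_MAX_PRIO_CHECK` rejects only lengths above 255, so an `out_priority_len` below 2 still lets `break_comma_list` store one element and the caller write `out_priority[0]` and the terminator at `out_priority[1]`. Defining the check as `if ((x) < 2 || (x) > 255) return GNUTLS_E_INVALID_REQUEST` closes that. The guard above it tests `__STD_VERSION__` rather than `__STDC_VERSION__`, so the fixed-size branch is always the one compiled.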
@@ -84,6 +84,25 @@ gnutls_transport_set_lowat (gnutls_session_t session, int num) } /** + * gnutls_record_disable_padding - Used to disabled padding in TLS 1.0 and above + * @session: is a #gnutls_session_t structure. + * + * Used to disabled padding in TLS 1.0 and above. Normally you do not need + * to use this function, but there are buggy clients that complain if a + * server pads the encrypted data. This of course will disable protection + * against statistical attacks on the data. + * + * Normally only servers that require maximum compatibility with everything + * out there, need to call this function. + * + **/ +void +gnutls_record_disable_padding (gnutls_session_t session) +{ + session->internals.no_padding = 1; +} + +/** * gnutls_transport_set_ptr - Used to set first argument of the transport functions * @session: is a #gnutls_session_t structure. * @ptr: is the value. @@ -321,8 +340,6 @@ _gnutls_send_int (gnutls_session_t session, content_type_t type, int data2send_size; uint8_t headers[5]; const uint8_t *data = _data; - int erecord_size = 0; - opaque *erecord = NULL; /* Do not allow null pointer if the send buffer is empty. * If the previous send was interrupted then a null pointer is @@ -342,8 +359,6 @@ _gnutls_send_int (gnutls_session_t session, content_type_t type, return GNUTLS_E_INVALID_SESSION; } - - headers[0] = type; /* Use the default record version, if it is @@ -393,13 +408,12 @@ _gnutls_send_int (gnutls_session_t session, content_type_t type, cipher_size = _gnutls_encrypt (session, headers, RECORD_HEADER_SIZE, data, - data2send_size, cipher, cipher_size, type, 1); + data2send_size, cipher, cipher_size, type, (session->internals.no_padding==0)?1:0); if (cipher_size <= 0) { gnutls_assert (); if (cipher_size == 0) cipher_size = GNUTLS_E_ENCRYPTION_FAILED; - gnutls_afree (erecord); gnutls_free (cipher); return cipher_size; /* error */ } 
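Review bot: The doc comment added for gnutls_record_disable_padding() says "Used to disabled padding" in both its summary line and its first paragraph, and it does not mention that the setting is one-way. The body only ever stores 1 in `session->internals.no_padding`, so a session cannot get padding back once the function has been called. I would correct the wording to `Used to disable padding in TLS 1.0 and above` and add a sentence such as `There is no call to re-enable padding on the same session.` The comment already concedes that protection against statistical attacks is lost, so it should also say which padding is meant; judging by the later call site this is presumably the last argument of _gnutls_encrypt(), but its meaning is not visible here.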
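Review bot: In the _gnutls_encrypt() call the new last argument `(session->internals.no_padding==0)?1:0` is applied whatever `type` is passed in, so once the flag is set every content type sent through _gnutls_send_int goes out with padding disabled, not only application data. If that is intended, a one-line comment above the call should say so. The expression reads more simply as `!session->internals.no_padding`, which also keeps the line closer to the width of the rest of the call. _gnutls_send_int starts and ends outside this hunk, so how `no_padding` is initialised for a fresh session cannot be checked from here.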
@@ -414,19 +428,16 @@ _gnutls_send_int (gnutls_session_t session, content_type_t type, { session_invalidate (session); gnutls_assert (); - gnutls_afree (erecord); gnutls_free (cipher); return GNUTLS_E_RECORD_LIMIT_REACHED; } ret = - _gnutls_io_write_buffered2 (session, erecord, erecord_size, - cipher, cipher_size); - gnutls_afree (erecord); + _gnutls_io_write_buffered (session, cipher, cipher_size); gnutls_free (cipher); } - if (ret != cipher_size + erecord_size) + if (ret != cipher_size) { if (ret < 0 && gnutls_error_is_fatal (ret) == 0) { diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c index 0b3c9e2c49..70d1e1c115 100644 --- a/lib/gnutls_state.c +++ b/lib/gnutls_state.c @@ -1230,3 +1230,22 @@ void gnutls_handshake_set_post_client_hello_function( gnutls_session_t session, { session->internals.user_hello_func = func; } + +/** + * gnutls_session_enable_compatibility_mode - Used to disable certain features in TLS in order to honour compatibility + * @session: is a #gnutls_session_t structure. + * + * This function can be used to disable certain (security) features in TLS + * in order to maintain maximum compatibility with buggy clients. It is + * equivalent to calling: + * gnutls_record_disable_padding() + + * Normally only servers that require maximum compatibility with everything + * out there, need to call this function. + * + **/ +void +gnutls_session_enable_compatibility_mode (gnutls_session_t session) +{ + gnutls_record_disable_padding( session); +} diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c index 26fcec7091..23c54eccbf 100644 --- a/lib/gnutls_v2_compat.c +++ b/lib/gnutls_v2_compat.c 
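Review bot: The doc comment for gnutls_session_enable_compatibility_mode() (gnutls_state.c hunk) describes the call as equivalent to gnutls_record_disable_padding() only, yet presents the function as a switch for "certain (security) features". A caller who opts in today could therefore have further protections switched off by a later release without touching their code. I would state that in the comment, for example `The set of features disabled here may grow in later releases; call gnutls_record_disable_padding() directly if only padding has to be turned off.` The added comment also appears to contain an empty line without the leading ` *` right after the gnutls_record_disable_padding() line, which would split the paragraph in the generated documentation.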
@@ -170,6 +170,18 @@ _gnutls_read_client_hello_v2 (gnutls_session_t session, opaque * data, return GNUTLS_E_UNSUPPORTED_VERSION_PACKET; } + /* call the user hello callback + */ + if (session->internals.user_hello_func != NULL) + { + ret = session->internals.user_hello_func( session); + if (ret < 0) + { + gnutls_assert(); + return ret; + } + } + /* find an appropriate cipher suite */ DECR_LEN (len, sizeOfSuites); diff --git a/lib/libgnutls.vers b/lib/libgnutls.vers index 05d789a029..f793617ba6 100644 --- a/lib/libgnutls.vers +++ b/lib/libgnutls.vers @@ -20,7 +20,7 @@ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, # MA 02110-1301, USA -GNUTLS_1_3 +GNUTLS_1_4 { global: _gnutls*; gnutls*; local: *; diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 0ff02f8fb7..f57a3e9ba9 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -502,7 +502,7 @@ decode_ber_digest_info (const gnutls_datum_t * info, gnutls_assert (); asn1_delete_structure (&dinfo); - return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; + return GNUTLS_E_UNKNOWN_ALGORITHM; } len = sizeof (str) - 1; diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c index 3c9e75bbdf..bcec8806c3 100644 --- a/src/certtool-gaa.c +++ b/src/certtool-gaa.c @@ -153,6 +153,7 @@ void gaa_help(void) __gaa_helpsingle(0, "smime-to-p7", "", "Convert S/MIME to PKCS #7 structure."); __gaa_helpsingle('k', "key-info", "", "Print information on a private key."); __gaa_helpsingle(0, "fix-key", "", "Regenerate the parameters in a private key."); + __gaa_helpsingle(0, "v1", "", "Generate an X.509 version 1 certificate (no extensions)."); __gaa_helpsingle(0, "to-p12", "", "Generate a PKCS #12 structure."); __gaa_helpsingle('8', "pkcs8", "", "Use PKCS #8 format for private keys."); __gaa_helpsingle(0, "dsa", "", "Use DSA keys."); 
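Review bot: The block added to _gnutls_read_client_hello_v2 calls `session->internals.user_hello_func` ahead of the `DECR_LEN (len, sizeOfSuites)` check that follows it, so the application callback runs on a v2 hello whose remaining length fields have not yet been checked against the packet. If the early position is deliberate, presumably so that priorities changed by the callback are seen by suite selection, the comment should say so, e.g. `/* call the user hello callback before suite selection, so that priorities it sets take effect */`. Otherwise the call could move below the length checks and stay above the selection. Only `ret < 0` is handled, so a positive return value is silently treated as success, which is worth documenting on the callback setter. The function begins and ends outside this hunk.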
@@ -162,6 +163,7 @@ void gaa_help(void) __gaa_helpsingle(0, "outder", "", "Use DER format for output certificates and private keys."); __gaa_helpsingle(0, "bits", "BITS ", "specify the number of bits for key generation."); __gaa_helpsingle(0, "quick-random", "", "Use /dev/urandom for all operation, reducing the quality of randomness used."); + __gaa_helpsingle(0, "disable-quick-random", "", "Use /dev/random for key generationg, thus increasing the quality of randomness used."); __gaa_helpsingle(0, "outfile", "FILE ", "Output file."); __gaa_helpsingle(0, "infile", "FILE ", "Input file."); __gaa_helpsingle(0, "template", "FILE ", "Template file to use for non interactive operation."); @@ -182,30 +184,32 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 107 "certtool.gaa" +#line 111 "certtool.gaa" int debug; -#line 103 "certtool.gaa" +#line 107 "certtool.gaa" char *template; -#line 100 "certtool.gaa" +#line 104 "certtool.gaa" char *infile; -#line 97 "certtool.gaa" +#line 101 "certtool.gaa" char *outfile; -#line 94 "certtool.gaa" +#line 97 "certtool.gaa" int quick_random; -#line 91 "certtool.gaa" +#line 94 "certtool.gaa" int bits; -#line 88 "certtool.gaa" +#line 91 "certtool.gaa" int outcert_format; -#line 85 "certtool.gaa" +#line 88 "certtool.gaa" int incert_format; -#line 82 "certtool.gaa" +#line 85 "certtool.gaa" int export; -#line 79 "certtool.gaa" +#line 82 "certtool.gaa" char *hash; -#line 76 "certtool.gaa" +#line 79 "certtool.gaa" int dsa; -#line 73 "certtool.gaa" +#line 76 "certtool.gaa" int pkcs8; +#line 71 "certtool.gaa" + int v1_cert; #line 68 "certtool.gaa" int fix_key; #line 53 "certtool.gaa" 
@@ -276,46 +280,48 @@ static int gaa_error = 0; #define GAA_MULTIPLE_OPTION 3 #define GAA_REST 0 -#define GAA_NB_OPTION 39 +#define GAA_NB_OPTION 41 #define GAAOPTID_version 1 #define GAAOPTID_help 2 #define GAAOPTID_debug 3 #define GAAOPTID_template 4 #define GAAOPTID_infile 5 #define GAAOPTID_outfile 6 -#define GAAOPTID_quick_random 7 -#define GAAOPTID_bits 8 -#define GAAOPTID_outder 9 -#define GAAOPTID_inder 10 -#define GAAOPTID_export_ciphers 11 -#define GAAOPTID_hash 12 -#define GAAOPTID_dsa 13 -#define GAAOPTID_pkcs8 14 -#define GAAOPTID_to_p12 15 -#define GAAOPTID_fix_key 16 -#define GAAOPTID_key_info 17 -#define GAAOPTID_smime_to_p7 18 -#define GAAOPTID_p7_info 19 -#define GAAOPTID_p12_info 20 -#define GAAOPTID_crl_info 21 -#define GAAOPTID_certificate_info 22 -#define GAAOPTID_password 23 -#define GAAOPTID_load_ca_certificate 24 -#define GAAOPTID_load_ca_privkey 25 -#define GAAOPTID_load_certificate 26 -#define GAAOPTID_load_request 27 -#define GAAOPTID_load_privkey 28 -#define GAAOPTID_get_dh_params 29 -#define GAAOPTID_generate_dh_params 30 -#define GAAOPTID_verify_crl 31 -#define GAAOPTID_verify_chain 32 -#define GAAOPTID_generate_request 33 -#define GAAOPTID_generate_privkey 34 -#define GAAOPTID_update_certificate 35 -#define GAAOPTID_generate_crl 36 -#define GAAOPTID_generate_proxy 37 -#define GAAOPTID_generate_certificate 38 -#define GAAOPTID_generate_self_signed 39 +#define GAAOPTID_disable_quick_random 7 +#define GAAOPTID_quick_random 8 +#define GAAOPTID_bits 9 +#define GAAOPTID_outder 10 +#define GAAOPTID_inder 11 +#define GAAOPTID_export_ciphers 12 +#define GAAOPTID_hash 13 +#define GAAOPTID_dsa 14 +#define GAAOPTID_pkcs8 15 +#define GAAOPTID_to_p12 16 +#define GAAOPTID_v1 17 +#define GAAOPTID_fix_key 18 +#define GAAOPTID_key_info 19 +#define GAAOPTID_smime_to_p7 20 +#define GAAOPTID_p7_info 21 +#define GAAOPTID_p12_info 22 +#define GAAOPTID_crl_info 23 +#define GAAOPTID_certificate_info 24 +#define GAAOPTID_password 25 +#define 
GAAOPTID_load_ca_certificate 26 +#define GAAOPTID_load_ca_privkey 27 +#define GAAOPTID_load_certificate 28 +#define GAAOPTID_load_request 29 +#define GAAOPTID_load_privkey 30 +#define GAAOPTID_get_dh_params 31 +#define GAAOPTID_generate_dh_params 32 +#define GAAOPTID_verify_crl 33 +#define GAAOPTID_verify_chain 34 +#define GAAOPTID_generate_request 35 +#define GAAOPTID_generate_privkey 36 +#define GAAOPTID_update_certificate 37 +#define GAAOPTID_generate_crl 38 +#define GAAOPTID_generate_proxy 39 +#define GAAOPTID_generate_certificate 40 +#define GAAOPTID_generate_self_signed 41 #line 168 "gaa.skel" @@ -619,6 +625,7 @@ static int gaa_get_option_num(char *str, int status) #line 375 "gaa.skel" GAA_CHECK1STR("v", GAAOPTID_version); GAA_CHECK1STR("h", GAAOPTID_help); + GAA_CHECK1STR("", GAAOPTID_disable_quick_random); GAA_CHECK1STR("", GAAOPTID_quick_random); GAA_CHECK1STR("", GAAOPTID_outder); GAA_CHECK1STR("", GAAOPTID_inder); @@ -626,6 +633,7 @@ static int gaa_get_option_num(char *str, int status) GAA_CHECK1STR("", GAAOPTID_dsa); GAA_CHECK1STR("8", GAAOPTID_pkcs8); GAA_CHECK1STR("", GAAOPTID_to_p12); + GAA_CHECK1STR("", GAAOPTID_v1); GAA_CHECK1STR("", GAAOPTID_fix_key); GAA_CHECK1STR("k", GAAOPTID_key_info); GAA_CHECK1STR("", GAAOPTID_smime_to_p7); @@ -654,6 +662,7 @@ static int gaa_get_option_num(char *str, int status) GAA_CHECKSTR("template", GAAOPTID_template); GAA_CHECKSTR("infile", GAAOPTID_infile); GAA_CHECKSTR("outfile", GAAOPTID_outfile); + GAA_CHECKSTR("disable-quick-random", GAAOPTID_disable_quick_random); GAA_CHECKSTR("quick-random", GAAOPTID_quick_random); GAA_CHECKSTR("bits", GAAOPTID_bits); GAA_CHECKSTR("outder", GAAOPTID_outder); 
@@ -663,6 +672,7 @@ static int gaa_get_option_num(char *str, int status) GAA_CHECKSTR("dsa", GAAOPTID_dsa); GAA_CHECKSTR("pkcs8", GAAOPTID_pkcs8); GAA_CHECKSTR("to-p12", GAAOPTID_to_p12); + GAA_CHECKSTR("v1", GAAOPTID_v1); GAA_CHECKSTR("fix-key", GAAOPTID_fix_key); GAA_CHECKSTR("key-info", GAAOPTID_key_info); GAA_CHECKSTR("smime-to-p7", GAAOPTID_smime_to_p7); @@ -733,14 +743,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) { case GAAOPTID_version: OK = 0; -#line 112 "certtool.gaa" +#line 116 "certtool.gaa" { certtool_version(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_help: OK = 0; -#line 110 "certtool.gaa" +#line 114 "certtool.gaa" { gaa_help(); exit(0); ;}; return GAA_OK; @@ -750,7 +760,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); gaa_index++; -#line 108 "certtool.gaa" +#line 112 "certtool.gaa" { gaaval->debug = GAATMP_debug.arg1 ;}; return GAA_OK; @@ -760,7 +770,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_template.arg1, gaa_getstr, GAATMP_template.size1); gaa_index++; -#line 104 "certtool.gaa" +#line 108 "certtool.gaa" { gaaval->template = GAATMP_template.arg1 ;}; return GAA_OK; @@ -770,7 +780,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1); gaa_index++; -#line 101 "certtool.gaa" +#line 105 "certtool.gaa" { gaaval->infile = GAATMP_infile.arg1 ;}; return GAA_OK; 
@@ -780,14 +790,21 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1); gaa_index++; -#line 98 "certtool.gaa" +#line 102 "certtool.gaa" { gaaval->outfile = GAATMP_outfile.arg1 ;}; return GAA_OK; break; + case GAAOPTID_disable_quick_random: + OK = 0; +#line 99 "certtool.gaa" +{ gaaval->quick_random = 0; ;}; + + return GAA_OK; + break; case GAAOPTID_quick_random: OK = 0; -#line 95 "certtool.gaa" +#line 98 "certtool.gaa" { gaaval->quick_random = 1; ;}; return GAA_OK; @@ -797,28 +814,28 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1); gaa_index++; -#line 92 "certtool.gaa" +#line 95 "certtool.gaa" { gaaval->bits = GAATMP_bits.arg1 ;}; return GAA_OK; break; case GAAOPTID_outder: OK = 0; -#line 89 "certtool.gaa" +#line 92 "certtool.gaa" { gaaval->outcert_format=1 ;}; return GAA_OK; break; case GAAOPTID_inder: OK = 0; -#line 86 "certtool.gaa" +#line 89 "certtool.gaa" { gaaval->incert_format=1 ;}; return GAA_OK; break; case GAAOPTID_export_ciphers: OK = 0; -#line 83 "certtool.gaa" +#line 86 "certtool.gaa" { gaaval->export=1 ;}; return GAA_OK; 
@@ -828,32 +845,39 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_hash.arg1, gaa_getstr, GAATMP_hash.size1); gaa_index++; -#line 80 "certtool.gaa" +#line 83 "certtool.gaa" { gaaval->hash = GAATMP_hash.arg1 ;}; return GAA_OK; break; case GAAOPTID_dsa: OK = 0; -#line 77 "certtool.gaa" +#line 80 "certtool.gaa" { gaaval->dsa=1 ;}; return GAA_OK; break; case GAAOPTID_pkcs8: OK = 0; -#line 74 "certtool.gaa" +#line 77 "certtool.gaa" { gaaval->pkcs8=1 ;}; return GAA_OK; break; case GAAOPTID_to_p12: OK = 0; -#line 71 "certtool.gaa" +#line 74 "certtool.gaa" { gaaval->action = 8; ;}; return GAA_OK; break; + case GAAOPTID_v1: + OK = 0; +#line 72 "certtool.gaa" +{ gaaval->v1_cert = 1; ;}; + + return GAA_OK; + break; case GAAOPTID_fix_key: OK = 0; #line 69 "certtool.gaa" @@ -1064,11 +1088,11 @@ int gaa(int argc, char **argv, gaainfo *gaaval) if(inited == 0) { -#line 114 "certtool.gaa" +#line 118 "certtool.gaa" { gaaval->bits = 2048; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL; gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL; - gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; - gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL; gaaval->fix_key = 0; gaaval->quick_random=0; ;}; + gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; gaaval->v1_cert = 0; + gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL; gaaval->fix_key = 0; gaaval->quick_random=1; ;}; } inited = 1; diff --git a/src/certtool-gaa.h b/src/certtool-gaa.h index 891360ef98..88a9b35b96 100644 --- a/src/certtool-gaa.h +++ b/src/certtool-gaa.h 
@@ -8,30 +8,32 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 107 "certtool.gaa" +#line 111 "certtool.gaa" int debug; -#line 103 "certtool.gaa" +#line 107 "certtool.gaa" char *template; -#line 100 "certtool.gaa" +#line 104 "certtool.gaa" char *infile; -#line 97 "certtool.gaa" +#line 101 "certtool.gaa" char *outfile; -#line 94 "certtool.gaa" +#line 97 "certtool.gaa" int quick_random; -#line 91 "certtool.gaa" +#line 94 "certtool.gaa" int bits; -#line 88 "certtool.gaa" +#line 91 "certtool.gaa" int outcert_format; -#line 85 "certtool.gaa" +#line 88 "certtool.gaa" int incert_format; -#line 82 "certtool.gaa" +#line 85 "certtool.gaa" int export; -#line 79 "certtool.gaa" +#line 82 "certtool.gaa" char *hash; -#line 76 "certtool.gaa" +#line 79 "certtool.gaa" int dsa; -#line 73 "certtool.gaa" +#line 76 "certtool.gaa" int pkcs8; +#line 71 "certtool.gaa" + int v1_cert; #line 68 "certtool.gaa" int fix_key; #line 53 "certtool.gaa" diff --git a/src/certtool.c b/src/certtool.c index 16553899c3..b653ef05a1 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -41,7 +41,7 @@ #include <progname.h> #include <version-etc.h> -static void print_crl_info (gnutls_x509_crl_t crl, FILE *out); +static void print_crl_info (gnutls_x509_crl_t crl, FILE * out); int generate_prime (int bits, int how); void pkcs7_info (void); void smime_to_pkcs7 (void); @@ -57,7 +57,7 @@ gnutls_x509_crt_t load_cert (int mand); void certificate_info (void); void crl_info (void); void privkey_info (void); -static void print_certificate_info (gnutls_x509_crt_t crt, FILE *out, +static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int); static void gaa_parser (int argc, char **argv); void generate_self_signed (void); 
@@ -134,8 +134,9 @@ generate_private_key_int (void) gnutls_pk_algorithm_get_name (key_type)); if (info.quick_random == 0) - fprintf (stderr, "This might take several minutes depending on availability of randomness" - " in /dev/random. You can consider using --quick-random option but this reduces the quality of randomness used.\n"); + fprintf (stderr, + "This might take several minutes depending on availability of randomness" + " in /dev/random. You can consider using --quick-random option but this reduces the quality of randomness used.\n"); ret = gnutls_x509_privkey_generate (key, key_type, info.bits, 0); if (ret < 0) @@ -201,8 +202,7 @@ generate_private_key (void) gnutls_x509_crt_t generate_certificate (gnutls_x509_privkey_t * ret_key, - gnutls_x509_crt_t ca_crt, - int proxy) + gnutls_x509_crt_t ca_crt, int proxy) { gnutls_x509_crt_t crt; gnutls_x509_privkey_t key = NULL; @@ -211,10 +211,9 @@ generate_certificate (gnutls_x509_privkey_t * ret_key, int serial, client; int days, result, ca_status = 0, path_len; const char *str; - int vers = 3; /* the default version in the certificate - */ + int vers; unsigned int usage = 0, server; - gnutls_x509_crq_t crq; /* request */ + gnutls_x509_crq_t crq; /* request */ ret = gnutls_x509_crt_init (&crt); if (ret < 0) @@ -238,8 +237,8 @@ generate_certificate (gnutls_x509_privkey_t * ret_key, { result = gnutls_x509_crt_set_proxy_dn (crt, ca_crt, 0, NULL, 0); if (result < 0) - error (EXIT_FAILURE, 0, "set_proxy_dn: %s", - gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "set_proxy_dn: %s", + gnutls_strerror (result)); get_cn_crt_set (crt); } 
@@ -300,207 +299,227 @@ generate_certificate (gnutls_x509_privkey_t * ret_key, if (!batch) fprintf (stderr, "\n\nExtensions.\n"); - if (proxy) + /* do not allow extensions on a v1 certificate */ + if (info.v1_cert == 0) { - const char *policylanguage; - char *policy; - size_t policylen; - int proxypathlen = get_path_len (); - if (!batch) + if (proxy) { - printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n"); - printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n"); - } + const char *policylanguage; + char *policy; + size_t policylen; + int proxypathlen = get_path_len (); - policylanguage = get_proxy_policy (&policy, &policylen); + if (!batch) + { + printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n"); + printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n"); + } - result = gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage, - policy, policylen); - if (result < 0) - error (EXIT_FAILURE, 0, "set_proxy: %s", gnutls_strerror (result)); - } + policylanguage = get_proxy_policy (&policy, &policylen); - if (!proxy) - ca_status = get_ca_status (); - if (ca_status) - path_len = get_path_len (); - else - path_len = -1; + result = + gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage, + policy, policylen); + if (result < 0) + error (EXIT_FAILURE, 0, "set_proxy: %s", + gnutls_strerror (result)); + } - result = gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len); - if (result < 0) - error (EXIT_FAILURE, 0, "basic_constraints: %s", gnutls_strerror (result)); + if (!proxy) + ca_status = get_ca_status (); + if (ca_status) + path_len = get_path_len (); + else + path_len = -1; - client = get_tls_client_status (); - if (client != 0) - { - result = gnutls_x509_crt_set_key_purpose_oid (crt, - GNUTLS_KP_TLS_WWW_CLIENT, - 0); + result = + gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len); if (result < 0) - error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result)); - } + error (EXIT_FAILURE, 0, "basic_constraints: %s", + gnutls_strerror 
(result)); - server = get_tls_server_status (); - if (server != 0) - { - result = 0; + client = get_tls_client_status (); + if (client != 0) + { + result = gnutls_x509_crt_set_key_purpose_oid (crt, + GNUTLS_KP_TLS_WWW_CLIENT, + 0); + if (result < 0) + error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result)); + } - if (!proxy) + server = get_tls_server_status (); + if (server != 0) { - str = get_dns_name (); - if (str != NULL) - { - result = gnutls_x509_crt_set_subject_alternative_name - (crt, GNUTLS_SAN_DNSNAME, str); - } - else + result = 0; + + if (!proxy) { - str = get_ip_addr (); + str = get_dns_name (); if (str != NULL) { result = gnutls_x509_crt_set_subject_alternative_name - (crt, GNUTLS_SAN_IPADDRESS, str); + (crt, GNUTLS_SAN_DNSNAME, str); + } + else + { + str = get_ip_addr (); + if (str != NULL) + { + result = gnutls_x509_crt_set_subject_alternative_name + (crt, GNUTLS_SAN_IPADDRESS, str); + } } + + if (result < 0) + error (EXIT_FAILURE, 0, "subject_alt_name: %s", + gnutls_strerror (result)); } + result = + gnutls_x509_crt_set_key_purpose_oid (crt, + GNUTLS_KP_TLS_WWW_SERVER, 0); if (result < 0) - error (EXIT_FAILURE, 0, "subject_alt_name: %s", - gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result)); } + else if (!proxy) + { + str = get_email (); - result = - gnutls_x509_crt_set_key_purpose_oid (crt, - GNUTLS_KP_TLS_WWW_SERVER, 0); - if (result < 0) - error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result)); - } - else if (!proxy) - { - str = get_email (); + if (str != NULL) + { + result = gnutls_x509_crt_set_subject_alternative_name + (crt, GNUTLS_SAN_RFC822NAME, str); + if (result < 0) + error (EXIT_FAILURE, 0, "subject_alt_name: %s", + gnutls_strerror (result)); + } + } - if (str != NULL) + if (!ca_status || server) { - result = gnutls_x509_crt_set_subject_alternative_name - (crt, GNUTLS_SAN_RFC822NAME, str); - if (result < 0) - error (EXIT_FAILURE, 0, "subject_alt_name: %s", - gnutls_strerror 
(result)); - } - } + int pk; - if (!ca_status || server) - { - int pk; + pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL); + if (pk != GNUTLS_PK_DSA) + { /* DSA keys can only sign. + */ + result = get_sign_status (server); + if (result) + usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; - pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL); + result = get_encrypt_status (server); + if (result) + usage |= GNUTLS_KEY_KEY_ENCIPHERMENT; + } + else + usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; + } - if (pk != GNUTLS_PK_DSA) - { /* DSA keys can only sign. - */ - result = get_sign_status (server); + + if (ca_status) + { + result = get_cert_sign_status (); if (result) - usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; + usage |= GNUTLS_KEY_KEY_CERT_SIGN; - result = get_encrypt_status (server); + result = get_crl_sign_status (); if (result) - usage |= GNUTLS_KEY_KEY_ENCIPHERMENT; - } - else - usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; - } + usage |= GNUTLS_KEY_CRL_SIGN; + result = get_code_sign_status (); + if (result) + { + result = + gnutls_x509_crt_set_key_purpose_oid (crt, + GNUTLS_KP_CODE_SIGNING, + 0); + if (result < 0) + error (EXIT_FAILURE, 0, "key_kp: %s", + gnutls_strerror (result)); + } - if (ca_status) - { - result = get_cert_sign_status (); - if (result) - usage |= GNUTLS_KEY_KEY_CERT_SIGN; + result = get_ocsp_sign_status (); + if (result) + { + result = + gnutls_x509_crt_set_key_purpose_oid (crt, + GNUTLS_KP_OCSP_SIGNING, + 0); + if (result < 0) + error (EXIT_FAILURE, 0, "key_kp: %s", + gnutls_strerror (result)); + } - result = get_crl_sign_status (); - if (result) - usage |= GNUTLS_KEY_CRL_SIGN; + result = get_time_stamp_status (); + if (result) + { + result = + gnutls_x509_crt_set_key_purpose_oid (crt, + GNUTLS_KP_TIME_STAMPING, + 0); + if (result < 0) + error (EXIT_FAILURE, 0, "key_kp: %s", + gnutls_strerror (result)); + } + } - result = get_code_sign_status (); - if (result) + if (usage != 0) { - result = - gnutls_x509_crt_set_key_purpose_oid (crt, - GNUTLS_KP_CODE_SIGNING, 0); + 
result = gnutls_x509_crt_set_key_usage (crt, usage); if (result < 0) - error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "key_usage: %s", + gnutls_strerror (result)); } - result = get_ocsp_sign_status (); - if (result) + /* Subject Key ID. + */ + size = sizeof (buffer); + result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size); + if (result >= 0) { - result = - gnutls_x509_crt_set_key_purpose_oid (crt, - GNUTLS_KP_OCSP_SIGNING, 0); + result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size); if (result < 0) - error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "set_subject_key_id: %s", + gnutls_strerror (result)); } - result = get_time_stamp_status (); - if (result) + /* Authority Key ID. + */ + if (ca_crt != NULL) { - result = - gnutls_x509_crt_set_key_purpose_oid (crt, - GNUTLS_KP_TIME_STAMPING, 0); + size = sizeof (buffer); + result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer, + &size, NULL); if (result < 0) - error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result)); + { + size = sizeof (buffer); + result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size); + } + if (result >= 0) + { + result = + gnutls_x509_crt_set_authority_key_id (crt, buffer, size); + if (result < 0) + error (EXIT_FAILURE, 0, "set_authority_key_id: %s", + gnutls_strerror (result)); + } } } - if (usage != 0) - { - result = gnutls_x509_crt_set_key_usage (crt, usage); - if (result < 0) - error (EXIT_FAILURE, 0, "key_usage: %s", gnutls_strerror (result)); - } - /* Version. */ + if (info.v1_cert != 0) + vers = 1; + else + vers = 3; result = gnutls_x509_crt_set_version (crt, vers); if (result < 0) error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result)); - /* Subject Key ID. 
- */ - size = sizeof (buffer); - result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size); - if (result >= 0) - { - result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size); - if (result < 0) - error (EXIT_FAILURE, 0, "set_subject_key_id: %s", - gnutls_strerror (result)); - } - - /* Authority Key ID. - */ - if (ca_crt != NULL) - { - size = sizeof (buffer); - result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer, - &size, NULL); - if (result < 0) - { - size = sizeof (buffer); - result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size); - } - if (result >= 0) - { - result = gnutls_x509_crt_set_authority_key_id (crt, buffer, size); - if (result < 0) - error (EXIT_FAILURE, 0, "set_authority_key_id: %s", - gnutls_strerror (result)); - } - } - *ret_key = key; return crt; @@ -715,7 +734,8 @@ update_signed_certificate (void) days = get_days (); - result = gnutls_x509_crt_set_expiration_time (crt, tim + days * 24 * 60 * 60); + result = + gnutls_x509_crt_set_expiration_time (crt, tim + days * 24 * 60 * 60); if (result < 0) error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result)); @@ -805,7 +825,7 @@ gaa_parser (int argc, char **argv) } if (info.quick_random != 0) - gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (info.debug); @@ -909,7 +929,8 @@ certificate_info (void) if (count > 1 && info.outcert_format == GNUTLS_X509_FMT_DER) { - error(0, 0, "Cannot output multiple certificates in DER format, using PEM instead."); + error (0, 0, + "Cannot output multiple certificates in DER format, using PEM instead."); info.outcert_format = GNUTLS_X509_FMT_PEM; } 
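Review bot: With `info.v1_cert` set, the new `if (info.v1_cert == 0)` guard skips the whole extension block, including the `if (proxy)` branch that calls gnutls_x509_crt_set_proxy(). So `--v1` combined with proxy generation silently yields a certificate without the proxy extension instead of failing. A guard ahead of the block, `if (info.v1_cert != 0 && proxy) error (EXIT_FAILURE, 0, "--v1 cannot be used for proxy certificates");`, would make that explicit. The same path also skips basic constraints and key usage, so a v1 certificate carries nothing that marks it as CA or end-entity, and the `--v1` help text could say so. The `fprintf (stderr, "\n\nExtensions.\n")` banner sits outside the guard and is still printed in v1 mode; generate_certificate begins and ends outside this hunk.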
@@ -921,13 +942,12 @@ certificate_info (void) if (info.outcert_format == GNUTLS_X509_FMT_PEM) print_certificate_info (crt[i], outfile, 1); - size = sizeof (buffer); - ret = gnutls_x509_crt_export (crt[i], info.outcert_format, buffer, - &size); - if (ret < 0) - error (EXIT_FAILURE, 0, "Export error: %s", - gnutls_strerror (ret)); - fwrite (buffer, 1, size, outfile); + size = sizeof (buffer); + ret = gnutls_x509_crt_export (crt[i], info.outcert_format, buffer, + &size); + if (ret < 0) + error (EXIT_FAILURE, 0, "Export error: %s", gnutls_strerror (ret)); + fwrite (buffer, 1, size, outfile); } } @@ -948,7 +968,7 @@ print_hex_datum (gnutls_datum_t * dat) static void -print_certificate_info (gnutls_x509_crt_t crt, FILE *out, unsigned int all) +print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int all) { gnutls_datum_t info; int ret; @@ -971,7 +991,7 @@ print_certificate_info (gnutls_x509_crt_t crt, FILE *out, unsigned int all) } static void -print_crl_info (gnutls_x509_crl_t crl, FILE *out) +print_crl_info (gnutls_x509_crl_t crl, FILE * out) { gnutls_datum_t info; int ret; @@ -1169,8 +1189,7 @@ load_private_key (int mand) dat.size = size; if (!dat.data) - error (EXIT_FAILURE, errno, "reading --load-privkey: %s", - info.privkey); + error (EXIT_FAILURE, errno, "reading --load-privkey: %s", info.privkey); if (info.pkcs8) { @@ -1209,8 +1228,7 @@ load_request (void) dat.size = size; if (!dat.data) - error (EXIT_FAILURE, errno, "reading --load-request: %s", - info.request); + error (EXIT_FAILURE, errno, "reading --load-request: %s", info.request); ret = gnutls_x509_crq_import (crq, &dat, info.incert_format); free (dat.data); @@ -1282,8 +1300,7 @@ load_ca_cert (void) dat.size = size; if (!dat.data) - error (EXIT_FAILURE, errno, "reading --load-ca-certificate: %s", - info.ca); + error (EXIT_FAILURE, errno, "reading --load-ca-certificate: %s", info.ca); ret = gnutls_x509_crt_import (crt, &dat, info.incert_format); free (dat.data); 
@@ -1487,7 +1504,7 @@ _verify_x509_mem (const void *cert, int cert_size) { x509_crl_list = (gnutls_x509_crl_t *) realloc (x509_crl_list, - i * sizeof (gnutls_x509_crl_t)); + i * sizeof (gnutls_x509_crl_t)); if (x509_crl_list == NULL) error (EXIT_FAILURE, 0, "memory error"); @@ -1528,7 +1545,7 @@ _verify_x509_mem (const void *cert, int cert_size) { x509_cert_list = (gnutls_x509_crt_t *) realloc (x509_cert_list, - i * sizeof (gnutls_x509_crt_t)); + i * sizeof (gnutls_x509_crt_t)); if (x509_cert_list == NULL) error (EXIT_FAILURE, 0, "memory error"); @@ -1569,7 +1586,8 @@ _verify_x509_mem (const void *cert, int cert_size) gnutls_x509_crt_get_issuer_dn (x509_cert_list[i - 2], issuer_name, &issuer_name_size); if (ret < 0) - error (EXIT_FAILURE, 0, "get_issuer_dn: %s", gnutls_strerror (ret)); + error (EXIT_FAILURE, 0, "get_issuer_dn: %s", + gnutls_strerror (ret)); fprintf (outfile, "\tIssued by: %s\n", issuer_name); @@ -1634,7 +1652,8 @@ _verify_x509_mem (const void *cert, int cert_size) fprintf (outfile, "\tIssued by: %s\n", name); if (strcmp (issuer_name, name) != 0) - error (EXIT_FAILURE, 0, "Error: The last certificate is not self signed."); + error (EXIT_FAILURE, 0, + "Error: The last certificate is not self signed."); fprintf (outfile, "\tVerification output: "); print_verification_res (x509_cert_list[x509_ncerts - 1], @@ -1653,7 +1672,8 @@ _verify_x509_mem (const void *cert, int cert_size) free (x509_crl_list); if (ret < 0) - error (EXIT_FAILURE, 0, "Error in verification: %s", gnutls_strerror (ret)); + error (EXIT_FAILURE, 0, "Error in verification: %s", + gnutls_strerror (ret)); return 0; } @@ -1883,7 +1903,8 @@ generate_pkcs12 (void) result = gnutls_pkcs12_bag_set_crt (bag, crts[i]); if (result < 0) - error (EXIT_FAILURE, 0, "set_crt[%d]: %s", i, gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "set_crt[%d]: %s", i, + gnutls_strerror (result)); index = result; 
@@ -1895,14 +1916,16 @@ generate_pkcs12 (void) size = sizeof (_key_id); result = gnutls_x509_crt_get_key_id (crts[i], 0, _key_id, &size); if (result < 0) - error (EXIT_FAILURE, 0, "key_id[%d]: %s", i, gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "key_id[%d]: %s", i, + gnutls_strerror (result)); key_id.data = _key_id; key_id.size = size; result = gnutls_pkcs12_bag_set_key_id (bag, index, &key_id); if (result < 0) - error (EXIT_FAILURE, 0, "bag_set_key_id: %s", gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "bag_set_key_id: %s", + gnutls_strerror (result)); if (info.export) flags = GNUTLS_PKCS_USE_PKCS12_RC2_40; @@ -1963,7 +1986,8 @@ generate_pkcs12 (void) result = gnutls_pkcs12_bag_set_key_id (kbag, index, &key_id); if (result < 0) - error (EXIT_FAILURE, 0, "bag_set_key_id: %s", gnutls_strerror (result)); + error (EXIT_FAILURE, 0, "bag_set_key_id: %s", + gnutls_strerror (result)); result = gnutls_pkcs12_set_bag (pkcs12, kbag); if (result < 0) @@ -2112,7 +2136,7 @@ pkcs12_info (void) index = 0; - for (index = 0; ; index++) + for (index = 0;; index++) { result = gnutls_pkcs12_bag_init (&bag); if (result < 0) @@ -2194,7 +2218,7 @@ pkcs7_info (void) size = sizeof (buffer); result = gnutls_pkcs7_get_crt_raw (pkcs7, index, buffer, &size); if (result < 0) - break; + break; data.data = buffer; data.size = size; @@ -2225,7 +2249,7 @@ pkcs7_info (void) size = sizeof (buffer); result = gnutls_pkcs7_get_crl_raw (pkcs7, index, buffer, &size); if (result < 0) - break; + break; data.data = buffer; data.size = size; @@ -2287,5 +2311,5 @@ certtool_version (void) { version_etc (stdout, program_name, PACKAGE_STRING, gnutls_check_version (NULL), "Nikos Mavroyanopoulos", - "Simon Josefsson", (char*) NULL); + "Simon Josefsson", (char *) NULL); } diff --git a/src/certtool.gaa b/src/certtool.gaa index a854e1072a..ae114be09c 100644 --- a/src/certtool.gaa +++ b/src/certtool.gaa 
@@ -68,6 +68,9 @@ option (k, key-info) { $action = 6; } "Print information on a private key." #int fix_key; option (fix-key) { $fix_key = 1; } "Regenerate the parameters in a private key." +#int v1_cert; +option (v1) { $v1_cert = 1; } "Generate an X.509 version 1 certificate (no extensions)." + option (to-p12) { $action = 8; } "Generate a PKCS #12 structure." #int pkcs8; @@ -93,6 +96,7 @@ option (bits) INT "BITS" { $bits = $1 } "specify the number of bits for key gene #int quick_random; option (quick-random) { $quick_random = 1; } "Use /dev/urandom for all operation, reducing the quality of randomness used." +option (disable-quick-random) { $quick_random = 0; } "Use /dev/random for key generationg, thus increasing the quality of randomness used." #char *outfile; option (outfile) STR "FILE" { $outfile = $1 } "Output file." @@ -113,6 +117,6 @@ option (v, version) { certtool_version(); exit(0); } "shows the program's versio init { $bits = 2048; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL; $debug=1; $request = NULL; $infile = NULL; $outfile = NULL; $cert = NULL; - $incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL; - $export = 0; $template = NULL; $hash=NULL; $fix_key = 0; $quick_random=0; } + $incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL; $v1_cert = 0; + $export = 0; $template = NULL; $hash=NULL; $fix_key = 0; $quick_random=1; } @@ -35,6 +35,7 @@ #include <gnutls/extra.h> #include <gnutls/x509.h> #include <gnutls/openpgp.h> +#include <gcrypt.h> #include "error.h" #include "read-file.h" @@ -377,7 +378,7 @@ init_tls_session (const char *hostname) gnutls_init (&session, GNUTLS_CLIENT); - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); /* allow the use of private ciphersuites. */ 
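Review bot: The `init` block in the `@@ -113,6 +117,6 @@` hunk of src/certtool.gaa now sets `$quick_random=1`, so by the option's own help text certtool uses /dev/urandom with reduced randomness quality unless the caller passes the new `--disable-quick-random` from the `@@ -93,6 +96,7 @@` hunk, and the existing `--quick-random` switch becomes a no-op. Scripts that generate long-lived keys get the new source without any visible change, so the help text should state which setting is the default, for example `"Use /dev/urandom for all operation, reducing the quality of randomness used (default)."`. The new help string also has a typo: `generationg` should read `generation`.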
@@ -518,6 +519,8 @@ main (int argc, char **argv) int user_term = 0; socket_st hd; + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + if ((ret = gnutls_global_init ()) < 0) { fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret)); diff --git a/src/serv.c b/src/serv.c index e5c54f75f3..9ab93d4755 100644 --- a/src/serv.c +++ b/src/serv.c @@ -32,6 +32,7 @@ #include <sys/types.h> #include <string.h> #include <gnutls/gnutls.h> +#include <gcrypt.h> #include <gnutls/extra.h> #include <sys/time.h> #include <fcntl.h> @@ -379,7 +380,7 @@ initialize_session (void) gnutls_db_set_ptr (session, NULL); } - gnutls_set_default_priority (session); + gnutls_set_default_priority2 (session, GNUTLS_PRIORITIES_PERFORMANCE); if (cipher_priority[0]) gnutls_cipher_set_priority (session, cipher_priority); @@ -414,6 +415,11 @@ initialize_session (void) gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); } + /* Set maximum compatibility mode. This is only suggested on public webservers + * that need to trade security for compatibility + */ + gnutls_session_enable_compatibility_mode( session); + #ifdef ENABLE_OPRFI if (info.opaque_prf_input) gnutls_oprfi_enable_server (session, oprfi_callback, NULL); @@ -817,6 +823,8 @@ main (int argc, char **argv) strcpy (name, "Echo Server"); } + gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); + if ((ret = gnutls_global_init ()) < 0) { fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret)); diff --git a/src/tests.c b/src/tests.c index bc9bc11be9..0818acb55c 100644 --- a/src/tests.c +++ b/src/tests.c @@ -50,7 +50,7 @@ int tls1_1_ok = 0; /* keep session info */ static char *session_data = NULL; static char session_id[32]; -static int session_data_size = 0, session_id_size = 0; +static size_t session_data_size = 0, session_id_size = 0; static int sfree = 0; static int handshake_output = 0; 
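Review bot: `gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);` is called unconditionally and its result is discarded, both in this `main` hunk and in the `main` hunk of src/serv.c (`@@ -817,6 +823,8 @@`). certtool gets a `--disable-quick-random` switch in the same commit, but the client and server get no way to opt out, so whatever random material these processes generate comes from the reduced-quality source; what the server generates is not visible in the hunk. I would check the call, `if (gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0)) fprintf (stderr, "cannot enable quick random\n");`, and add a comment above it recording why the weaker source is acceptable for these programs. Both `main` bodies start and end outside their hunks.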
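Review bot: `gnutls_session_enable_compatibility_mode( session);` in the `@@ -414,6 +415,11 @@` hunk of src/serv.c runs for every session, although the comment added directly above it says the mode is only suggested for public web servers that need to trade security for compatibility. Making it opt-in keeps the default server configuration at full strength: add a command-line option and guard the call, e.g. `if (compat_mode) gnutls_session_enable_compatibility_mode (session);`, where `compat_mode` is a placeholder for the new option's variable. The call also departs from the spacing used by the other calls in the hunk (`( session)` versus `(session)`). `initialize_session` starts and ends outside the hunk.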
@@ -217,13 +217,10 @@ ADD_PROTOCOL3 (gnutls_session_t session, int p1, int p2, int p3) static int srp_detected; int -_test_srp_username_callback (gnutls_session_t session, unsigned int times, - char **username, char **password) +_test_srp_username_callback (gnutls_session_t session, + char **username, char **password) { - if (times == 1) - { - srp_detected = 1; - } + srp_detected = 1; return -1; } diff --git a/src/tests.h b/src/tests.h index bfb357f927..2f27f85037 100644 --- a/src/tests.h +++ b/src/tests.h @@ -38,5 +38,5 @@ test_code_t test_rsa_pms_version_check (gnutls_session_t session); test_code_t test_version_oob (gnutls_session_t session); test_code_t test_zlib (gnutls_session_t session); test_code_t test_lzo (gnutls_session_t session); -int _test_srp_username_callback (gnutls_session_t session, unsigned int times, +int _test_srp_username_callback (gnutls_session_t session, char **username, char **password); |