Added option to allow an X.509 server not to send the trusted CA list to the peer.

6 files changed, 36 insertions, 11 deletions

diff --git a/README b/README
index 9c530d07c2..4c5e1949b4 100644
--- a/README
+++ b/README
@@ -15,7 +15,7 @@ implementation for the GNU project.
  ftp://ftp.gnutls.org/pub/gnutls/opencdk/
 
 - Documentation:
- view the doc/ directory and the examples in the src/ directory.
+ view the doc/ directory and the examples in the doc/examples directory.
 
 
 ****************************
diff --git a/doc/TODO b/doc/TODO
index 5b2bf93aae..75e7d34649 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -4,7 +4,6 @@ in order to avoid having people working on the same thing.
 
 Current list:
 + Add ability to read PKCS-12 structures (certificate and private key)
-* Allow sending any client certificate. Not only the ones requested.
 * Convert documentation to texinfo format
 * Audit the code
 * Add GPGSM certificate manager support
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 92db8cc80f..e6fe3054cc 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ *  Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
  *
- * This file is part of GNUTLS.
+ *  This file is part of GNUTLS.
  *
  *  The GNUTLS library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public   
@@ -326,7 +326,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
 		 * of X509 certificates.
 		 */
 		if (gnutls_certificate_type_get(session) ==
-		    GNUTLS_CRT_X509) {
+		    GNUTLS_CRT_X509 && issuers_dn_len > 0) {
 			data = _data;
 			data_size = _data_size;
 
@@ -354,7 +354,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
 
 			}
 
-		} else {	/* Other certificate types */
+		} else { /* Other certificate types */
 			issuers_dn_len = 0;
 			issuers_dn = NULL;
 		}
@@ -369,7 +369,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
 		/* put our certificate's issuer and dn into cdn, idn
 		 * Note that the certificates we provide to the callback
 		 * are not all the certificates we have. Only the certificates
-		 * that are requested by the server (CA matches - and sign
+		 * that are requested by the server (certificate type - and sign
 		 * algorithm matches), are provided.
 		 */
 		for (j = i = 0; i < cred->ncerts; i++) {
@@ -1181,7 +1181,8 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session session,
 	size = CERTTYPE_SIZE + 2;	/* 2 for gnutls_certificate_type + 2 for size of rdn_seq 
 					 */
 
-	if (session->security_parameters.cert_type == GNUTLS_CRT_X509)
+	if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
+		session->internals.ignore_rdn_sequence == 0)
 		size += cred->x509_rdn_sequence.size;
 
 	(*data) = gnutls_malloc(size);
@@ -1198,7 +1199,8 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session session,
 	pdata[2] = DSA_SIGN;	/* only these for now */
 	pdata += CERTTYPE_SIZE;
 
-	if (session->security_parameters.cert_type == GNUTLS_CRT_X509) {
+	if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
+		session->internals.ignore_rdn_sequence == 0) {
 		_gnutls_write_datum16(pdata, cred->x509_rdn_sequence);
 		pdata += cred->x509_rdn_sequence.size + 2;
 	}
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index a5ac45c5cd..8f845c71a1 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -563,7 +563,7 @@ typedef struct {
 	 */
 	uint16			extensions_sent[MAX_EXT_TYPES];
 	uint16			extensions_sent_size;
-
+	
 	/* is 0 if we are to send the whole PGP key, or non zero
 	 * if the fingerprint is to be sent.
 	 */
@@ -593,6 +593,11 @@ typedef struct {
 	 * openpgp key. (if the peer sends a fingerprint)
 	 */
 	gnutls_openpgp_recv_key_func openpgp_recv_key_func;
+	
+	/* If non zero the server will not advertize the CA's he
+	 * trusts (do not send an RDN sequence).
+	 */
+	int			ignore_rdn_sequence;
 
 	/* If you add anything here, check _gnutls_handshake_internal_state_clear().
 	 */
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index b5863869d8..e10da9b335 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -450,6 +450,24 @@ void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status s
 	session->internals.pgp_fingerprint = status;
 }
 
+/**
+  * gnutls_certificate_send_x509_rdn_sequence - This function will order gnutls to or not to send the x.509 rdn sequence
+  * @session: is a pointer to a &gnutls_session structure.
+  * @status: is 0 or 1
+  *
+  * If status is non zero, this function will order gnutls not to send the rdnSequence 
+  * in the certificate request message. That is the server will not advertize
+  * it's trusted CAs to the peer. If status is zero then the default behaviour will
+  * take effect, which is to advertize the server's trusted CAs.
+  *
+  * This function has no effect in clients, and in authentication methods other than
+  * certificate with X.509 certificates.
+  *
+  **/
+void gnutls_certificate_send_x509_rdn_sequence(gnutls_session session, int status) {
+	session->internals.ignore_rdn_sequence = status;
+}
+
 int _gnutls_openpgp_send_fingerprint(gnutls_session session) {
 	return session->internals.pgp_fingerprint;
 }
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 6cb8aee7f5..e0294318ac 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -742,7 +742,8 @@ int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials res, con
 	return 0;
 }
 
-static int generate_rdn_seq( gnutls_certificate_credentials res) {
+static int generate_rdn_seq( gnutls_certificate_credentials res) 
+{
 gnutls_const_datum tmp;
 gnutls_datum _tmp;
 int ret;