authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-02-13 09:23:24 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-02-13 09:23:24 +0000
commit9a6a00a2d7bbfefdedc08a07bfb608647539cff1 (patch)
tree5a8ed86c63315f29268c451962cafb4fe554c8db
parent68767c89fcce6ec855691a54776c7cf2c5010045 (diff)
downloadgnutls-9a6a00a2d7bbfefdedc08a07bfb608647539cff1.tar.gz
Added option to allow an X.509 server not to send the trusted CA list to the peer.
-rw-r--r--README2
-rw-r--r--doc/TODO1
-rw-r--r--lib/auth_cert.c16
-rw-r--r--lib/gnutls_int.h7
-rw-r--r--lib/gnutls_state.c18
-rw-r--r--lib/gnutls_x509.c3
6 files changed, 36 insertions, 11 deletions
diff --git a/README b/README
index 9c530d07c2..4c5e1949b4 100644
--- a/README
+++ b/README
@@ -15,7 +15,7 @@ implementation for the GNU project.
ftp://ftp.gnutls.org/pub/gnutls/opencdk/
- Documentation:
- view the doc/ directory and the examples in the src/ directory.
+ view the doc/ directory and the examples in the doc/examples directory.
****************************
diff --git a/doc/TODO b/doc/TODO
index 5b2bf93aae..75e7d34649 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -4,7 +4,6 @@ in order to avoid having people working on the same thing.
Current list:
+ Add ability to read PKCS-12 structures (certificate and private key)
-* Allow sending any client certificate. Not only the ones requested.
* Convert documentation to texinfo format
* Audit the code
* Add GPGSM certificate manager support
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 92db8cc80f..e6fe3054cc 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
*
- * This file is part of GNUTLS.
+ * This file is part of GNUTLS.
*
* The GNUTLS library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -326,7 +326,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
* of X509 certificates.
*/
if (gnutls_certificate_type_get(session) ==
- GNUTLS_CRT_X509) {
+ GNUTLS_CRT_X509 && issuers_dn_len > 0) {
data = _data;
data_size = _data_size;
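Review bot: With `issuers_dn_len > 0` added to the X.509 test, a CertificateRequest that carries an empty rdnSequence (exactly what the server side of this commit can now produce) falls into the `else` branch labelled `/* Other certificate types */` in the next hunk, so that label no longer describes the branch. Suggest `} else { /* Other certificate types, or X.509 with no CAs advertised */` so a reader does not conclude the branch is unreachable for X.509 sessions. _gnutls_find_acceptable_client_cert starts before this hunk and continues after it.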
@@ -354,7 +354,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
}
- } else { /* Other certificate types */
+ } else { /* Other certificate types */
issuers_dn_len = 0;
issuers_dn = NULL;
}
@@ -369,7 +369,7 @@ static int _gnutls_find_acceptable_client_cert(gnutls_session session,
/* put our certificate's issuer and dn into cdn, idn
* Note that the certificates we provide to the callback
* are not all the certificates we have. Only the certificates
- * that are requested by the server (CA matches - and sign
+ * that are requested by the server (certificate type - and sign
* algorithm matches), are provided.
*/
for (j = i = 0; i < cred->ncerts; i++) {
@@ -1181,7 +1181,8 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session session,
size = CERTTYPE_SIZE + 2; /* 2 for gnutls_certificate_type + 2 for size of rdn_seq
*/
- if (session->security_parameters.cert_type == GNUTLS_CRT_X509)
+ if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
+ session->internals.ignore_rdn_sequence == 0)
size += cred->x509_rdn_sequence.size;
(*data) = gnutls_malloc(size);
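Review bot: `size` still reserves the two bytes for the rdnSequence length (`CERTTYPE_SIZE + 2`, per the comment above it), but when `ignore_rdn_sequence` is set the matching `_gnutls_write_datum16` in the next hunk is skipped too, so unless gnutls_malloc zeroes its result those two bytes go on the wire uninitialized and the peer reads a garbage certificate_authorities length. The suppressed case should still emit an explicit empty list, e.g. an else branch on that `if`: `} else { _gnutls_write_uint16(0, pdata); pdata += 2; }`. _gnutls_gen_cert_server_cert_req begins before this hunk and continues after the following one.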
@@ -1198,7 +1199,8 @@ int _gnutls_gen_cert_server_cert_req(gnutls_session session,
pdata[2] = DSA_SIGN; /* only these for now */
pdata += CERTTYPE_SIZE;
- if (session->security_parameters.cert_type == GNUTLS_CRT_X509) {
+ if (session->security_parameters.cert_type == GNUTLS_CRT_X509 &&
+ session->internals.ignore_rdn_sequence == 0) {
_gnutls_write_datum16(pdata, cred->x509_rdn_sequence);
pdata += cred->x509_rdn_sequence.size + 2;
}
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index a5ac45c5cd..8f845c71a1 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -563,7 +563,7 @@ typedef struct {
*/
uint16 extensions_sent[MAX_EXT_TYPES];
uint16 extensions_sent_size;
-
+
/* is 0 if we are to send the whole PGP key, or non zero
* if the fingerprint is to be sent.
*/
@@ -593,6 +593,11 @@ typedef struct {
* openpgp key. (if the peer sends a fingerprint)
*/
gnutls_openpgp_recv_key_func openpgp_recv_key_func;
+
+ /* If non zero the server will not advertize the CA's he
+ * trusts (do not send an RDN sequence).
+ */
+ int ignore_rdn_sequence;
/* If you add anything here, check _gnutls_handshake_internal_state_clear().
*/
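Review bot: The comment directly under the new `ignore_rdn_sequence` field asks that _gnutls_handshake_internal_state_clear() be checked whenever this struct grows, and the diffstat shows that function is not touched here. If the setting is intended to survive rehandshakes, as the API comment in gnutls_state.c suggests, say so on the field so nobody later "fixes" it by clearing it: `/* Set by gnutls_certificate_send_x509_rdn_sequence(); a per-session setting, intentionally not reset per handshake. */`. In the same comment, "the CA's he trusts" reads better as "the CAs it trusts".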
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index b5863869d8..e10da9b335 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -450,6 +450,24 @@ void gnutls_openpgp_send_key(gnutls_session session, gnutls_openpgp_key_status s
session->internals.pgp_fingerprint = status;
}
+/**
+ * gnutls_certificate_send_x509_rdn_sequence - This function will order gnutls to or not to send the x.509 rdn sequence
+ * @session: is a pointer to a &gnutls_session structure.
+ * @status: is 0 or 1
+ *
+ * If status is non zero, this function will order gnutls not to send the rdnSequence
+ * in the certificate request message. That is the server will not advertize
+ * it's trusted CAs to the peer. If status is zero then the default behaviour will
+ * take effect, which is to advertize the server's trusted CAs.
+ *
+ * This function has no effect in clients, and in authentication methods other than
+ * certificate with X.509 certificates.
+ *
+ **/
+void gnutls_certificate_send_x509_rdn_sequence(gnutls_session session, int status) {
+ session->internals.ignore_rdn_sequence = status;
+}
+
int _gnutls_openpgp_send_fingerprint(gnutls_session session) {
return session->internals.pgp_fingerprint;
}
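Review bot: `gnutls_certificate_send_x509_rdn_sequence` is a new exported function, yet the diffstat lists no public header, so callers have no prototype until one is added next to the other gnutls_certificate_* declarations. The argument's polarity is also the reverse of the name: a non-zero `status` is stored straight into `ignore_rdn_sequence` and therefore disables sending; the body text says so, but `@status: is 0 or 1` does not, so suggest `@status: non-zero to suppress the rdnSequence, 0 (the default) to send it`. In the same comment, "it's trusted CAs" should read "its trusted CAs".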
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 6cb8aee7f5..e0294318ac 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -742,7 +742,8 @@ int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials res, con
return 0;
}
-static int generate_rdn_seq( gnutls_certificate_credentials res) {
+static int generate_rdn_seq( gnutls_certificate_credentials res)
+{
gnutls_const_datum tmp;
gnutls_datum _tmp;
int ret;